CVE-2019-9565 in Antidote RX

Summary

by MITRE

Druide Antidote RX, HD, 8 before 8.05.2287, 9 before 9.5.3937 and 10 before 10.1.2147 allows remote attackers to steal NTLM hashes or perform SMB relay attacks upon a direct launch of the product, or upon an indirect launch via an integration such as Chrome, Firefox, Word, Outlook, etc. This occurs because the product attempts to access a share with the PLUG-INS subdomain name; an attacker may be able to use Active Directory Domain Services to register that name.


Analysis

by VulDB Data Team • 07/26/2023

CVE-2019-9565 affects Druide Antidote RX, HD, 8, 9 and 10; in the numbered release lines, versions 8 before 8.05.2287, 9 before 9.5.3937 and 10 before 10.1.2147 are vulnerable. It is a critical flaw that lets remote attackers compromise system integrity through credential theft and relay attacks. The weakness lies in how the software accesses a network share while it initializes: no user interaction or explicit consent is needed beyond launching the product, and the share name it uses collides with a name that Active Directory Domain Services allows to be registered. That makes the issue particularly dangerous in enterprise environments, where such services are prevalent.

The technical root cause is the application's network behaviour: it does not validate or sanitize the network share name it uses during initialization. When Druide Antidote launches, either directly or through its integrations with web browsers, office applications and e-mail clients, it attempts to access a share under what appears to be the PLUG-INS subdomain name. Because Active Directory Domain Services can register and manage subdomain names within the domain, an attacker who registers PLUG-INS hijacks the authentication flow the application expects to use for legitimate network operations, and the share access is directed at a host the attacker controls. The weakness is classified as CWE-264 (permissions, privileges and access controls), here manifesting as improper access control during network resource enumeration.

The operational impact extends beyond simple credential theft to SMB relay attacks and credential harvesting. An attacker who has registered the PLUG-INS name intercepts the NTLM authentication requests the application generates; the captured hashes can then be used for lateral movement within the network. Within the ATT&CK framework the vulnerability maps to T1078 (Valid Accounts) and T1550 (Use of Network Protocols), with SMB as the protocol targeted for credential relay. The share access is triggered by direct product execution as well as by the integrations with browsers such as Chrome and Firefox and office applications such as Microsoft Word and Outlook, so ordinary user activity is enough to set it off, which makes the flaw particularly challenging to defend against.

Mitigation starts with immediate remediation: update affected installations to the patched versions released by Druide, which correct the improper network share access. Organizations should also add network-level controls, including DNS filtering that prevents unauthorized registration of conflicting subdomain names, and monitor for suspicious authentication patterns that may indicate credential harvesting. Network segmentation and tools such as Microsoft's Credential Guard help protect against the exploitation of captured hashes. Security teams should further deploy network monitoring that detects and alerts on unusual network share access, particularly access involving the PLUG-INS name, conduct vulnerability assessments to identify other applications that behave the same way, and adopt consistent network naming conventions so that application-chosen names cannot collide with Active Directory services in future.
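The monitoring recommended above can be expressed as a small correlation rule. The script below is an added example, not part of the VulDB entry or of Druide's software: it reads constructed key=value log lines modelled on Sysmon DNS-query and network-connection events, flags any lookup of a watched unqualified name (PLUG-INS, from the CVE text), and raises a higher-severity finding when the same process then opens an SMB (port 445) connection to the address that lookup returned. The log format, the host names, the watched-name list and the trusted file-server addresses are all assumptions made for the example.

```python
"""Correlate lookups of a hijackable share name with the SMB traffic that follows.

Added example for CVE-2019-9565; not code from VulDB or Druide. The log format is
constructed: one key=value record per line, in the spirit of Sysmon event 22
(DNS query) and event 3 (network connection).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Unqualified names that an attacker could register in AD DNS and that no
# legitimate host in this (hypothetical) environment uses. "plug-ins" is the
# name the CVE text names; extend the set for other applications you find.
WATCHED_NAMES = {"plug-ins"}

# File servers that workstations are expected to reach over SMB (assumed values).
TRUSTED_SMB_HOSTS = {"10.0.1.10", "10.0.1.11"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


@dataclass
class Finding:
    host: str
    process: str
    rule: str
    detail: str


def analyze(lines):
    """Return findings for watched-name lookups and SMB connections to their answers."""
    findings = []
    # (host, process) -> {resolved_ip: queried_name} for watched names that resolved
    resolved = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        event = rec.get("event")
        key = (rec.get("host", "?"), rec.get("process", "?"))
        if event == "dns_query":
            name = rec.get("query", "").lower().rstrip(".")
            if name.split(".")[0] not in WATCHED_NAMES:
                continue
            answer = rec.get("result", "")
            if answer.upper() == "NXDOMAIN":
                answer = ""
            # The lookup alone is worth knowing about: the application is reaching
            # for a name that nobody should own. If it resolved, someone owns it.
            detail = f"{name} resolved to {answer}" if answer else f"{name} did not resolve"
            findings.append(Finding(*key, "watched-name-lookup", detail))
            if answer:
                resolved[key][answer] = name
        elif event == "net_connect" and rec.get("port") == "445":
            dst = rec.get("dst", "")
            if dst in resolved.get(key, {}):
                findings.append(Finding(*key, "smb-to-hijacked-name",
                                        f"SMB to {dst} ({resolved[key][dst]})"))
            elif dst not in TRUSTED_SMB_HOSTS:
                findings.append(Finding(*key, "smb-to-untrusted-host", f"SMB to {dst}"))
    return findings


# Constructed sample log: WS01 looks the name up but it does not resolve (healthy);
# on WS02 the name resolves and the application follows it with SMB (hijacked).
SAMPLE_LOG = """\
2023-07-26T09:00:01Z host=WS01 event=dns_query process=Antidote.exe query=plug-ins.corp.example result=NXDOMAIN
2023-07-26T09:00:02Z host=WS01 event=net_connect process=Antidote.exe dst=10.0.1.10 port=445
2023-07-26T09:05:10Z host=WS02 event=dns_query process=Antidote.exe query=plug-ins.corp.example result=10.0.5.77
2023-07-26T09:05:11Z host=WS02 event=net_connect process=Antidote.exe dst=10.0.5.77 port=445
2023-07-26T09:06:00Z host=WS03 event=dns_query process=chrome.exe query=www.example.org result=93.184.216.34
2023-07-26T09:06:01Z host=WS03 event=net_connect process=chrome.exe dst=93.184.216.34 port=443
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f.host:5} {f.process:14} {f.rule:24} {f.detail}")
```

The NXDOMAIN lookup on WS01 is still reported, because it identifies an unpatched installation that will start leaking credentials the moment someone registers the name; the WS02 pair is the case to escalate, since the share access already went to whoever owns the record.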

Reservation

03/04/2019

Moderation

accepted

CPE

ready

EPSS

0.00326

KEV

no

Activities

very low

Sources
