Domain Time II is a software used by the largest enterprises such as NASDAQ, Experian, Raytheon, SpaceX, Verizon, Microsoft, HP, AMD, and many (many) more. The purpose of this software is to synchronize time across networks and computers, which is something so basic to the functionality of our infrastructure that without it even Zuckerberg would not be able to log into Facebook (quite literally).

Researchers have disclosed today that they have found a vulnerability in the update mechanism of Domain Time II that would allow for Man-On-The-Side attack. (MotS)

If you do not know what that is, it is a little bit like a Man-In-The-Middle attack but without any capability to change the packets as they go by.

If you don’t know what a MitM attack is, that is when an attacker virtually sits between you and the server you are connecting to and captures what you send, change it, and send it to the server, and does the same with whatever packets the server may be sending to you.

In a MotS attack, the attacker only can view what is being passed around. But then they can make and send out their own wizardry to control your network 100%.

Since TD2 runs with administrative privileges, any attacker that gets to manipulate the update session can have access as an admin to the entire network!

Adam Nichols, security researcher and the principal software application security at the cybersecurity firm GRIMM, said he was able to confirm the vulnerability in versions of Domain Time II released as far back as 2007 — version 4.1.b.20070308.

GRIMM notified the company that provides DT2 on March 30^th, and they released an update to mitigate that vulnerability on the 31^st. Which is good news so far.

However, and just yesterday, GRIMM who discovered the vulnerability have published their exploit code on their GitHub repository for all to see. So now we have a vulnerability that affects almost everything we know, and the whole world has the exact code to exploit it.

For the attack to succeed the attacker needs to be already on the target network; for now. But we all know how easy it is to bet on a network someplace. Even accessing a connected smart doorbell would be enough for a hacker to be a danger to everything on the network.

To put things in perspective, here is a list of some of the companies who use Domain Time II.

Impact

The expected deployment scenario for this software is that the Domain Time II Server is installed on the Domain Controller within an Active Directory forest, and that the Update Server component would be run from such a machine (see “admin.txt” in the Domain Time II install bundle).

As such, the impact of successfully executing a MotS attack against a server would be to execute malware with administrative privileges in the context of the server. Since the Domain Time II server can track and update versions of the client software across the network, compromising the server could lead to attackers being able to spread laterally across a network to workstations, database servers, or source code repositories. All this could be performed under the guise of legitimate administration tasks of recognized software, similar to how some recent intrusions hid their activity on a network under the guise of Solar Winds software activity.

It is also possible that any user running the client software could infect themselves with malware, regardless of whether they are in a standalone client or domain setting, though in a domain setting the malware may be limited to domain user permissions.

Affected software

Since Domain Time II is closed-source software, it is difficult to generate an exact list of impacted versions. GRIMM was able to obtain evaluation copies of the following three versions of Domain Time II: 5.2.b.20210103, 5.1.b.20100731 (released in 2010), and 4.1.b.20070308 (released in 2007). Through static analysis of the software installed by these installers, GRIMM was able to confirm that the vulnerability exists in all three versions of Domain Time II. As such, it is reasonable to believe that the vulnerability affects all versions of Domain Time II released after 4.1.b20070308. It is possible that the vulnerability exists prior to this version, but GRIMM was unable to source earlier versions of the software. A fix for this vulnerability was released in version 5.2.b.20210331.

Conclusions

This blog post details a MotS attack that allows attackers to potentially gain code execution on machines running versions of Domain Time II that date back at least ten years. The crux of this vulnerability lies in the lack of authentication between Domain Time II servers and clients, and external Greyware update servers. If an attacker is able to detect outgoing update requests and respond to them before the legitimate Greyware servers do, then said attacker can direct users to download executable code from attacker-controlled servers. A combination of privilege reduction (e.g. only allowing Domain Time II servers to call out for external updates) and better user training (e.g. create documentation on secure update procedures) poses significant mitigation to this, and similar, vulnerabilities.