Vulnerability in time-syncing software puts a ton of corporate networks at risk

Security researchers have disclosed this week a vulnerability in the update mechanism of Domain Time II, one of the world's most popular software packages, used for time management and time syncing operations inside some of the world's largest corporations.

The vulnerability was discovered by Adam Nichols, Principal for Software Application Security at cybersecurity firm GRIMM.

In a blog post this week, Nichols said he discovered that the Domain Time II software was vulnerable to Man-on-the-Side (MotS) attacks.

MotS attacks are similar to the more well-known Man-in-the-Middle (MitM). The difference is that while in a MitM attack, the threat actor can tamper with the victim's network traffic, during a MotS scenario, the attacker can only observe the traffic and then issue malformed responses before the real ones are returned.

This is exactly what Nichols discovered, who said in a blog post on Tuesday that threat actors with access to a victim's network traffic could use a MotS attack to determine when the Domain Time II software was initiating an update and then respond with malicious update instructions that showed prompts to network administrators, luring them on fake sites from where they could download malware instead of a legitimate update.

Nichols said he was able to confirm the vulnerability in versions of Domain Time II released as far back as 2007 — version 4.1.b.20070308.

Some of the world's largest companies use Domain Time II

Since any Domain Time II update package is installed using admin privileges, the GRIMM exec warns that the vulnerability could be abused to take full control of servers and not just the app itself.

Just to be clear, we're not talking about an attacker just taking over the time software, we're talking they get control of the entire computer. Anything the user could so, the malware could do. The impact is far greater than merely changing timestamps. https://t.co/gRb9Pnhe3X

— ☣Adam (@AdamOfDc949) April 7, 2021

But while exploiting the bug might be a challenge for attackers due to the requirement to view and reply to a victim's network traffic, which most likely means attackers need a foothold on a company's network, the payouts are immense and well worth the effort.

The reason is that Domain Time II is one of the most widely used software applications today, with a big customer base in almost all industry sectors.

The software is used to manage and synchronize times across workstations and server fleets, a technical problem that has plagued IT departments since the dawn of computers in the early 70s.

Today, many of the world's largest corporations use Domain Time II to address time synchronization issues inside both their internal networks and for public-facing services. According to the software's customer list page, Domain Time II is used by a list of who's who names, such as NASDAQ, Experian, Raytheon, SpaceX, Verizon, Microsoft, HP, AMD, and many more.

Greyware: Updates are out!

The Record contacted Greyware Automation Products, the company behind Domain Time II, earlier today, seeking to confirm that the issue was addressed.

"We were notified by GRIMM on 30 March 2021," Jeffry Dwight, Greyware Automation Products President, told The Record in an email.

"We considered the vulnerability [report] to be accurate, although somewhat contrived. We thanked GRIMM for the notification, and released an upgrade that prevents this exploit on 31 March 2021."

"Credit to GRIMM was given in the release notes, and we made the new version a 'recommended' upgrade. To prevent the exploit, all customers need to do is upgrade," the Greyware President said.

Dwight also detailed the company's fixes to The Record below:

For versions of Windows before Windows 7/Server 2008r2, we validate that the response directs to https://www.greyware.com, and check source and reply-from addresses. This prevents a spoofed look-alike site from validating, since only https://www.greyware.com has an SSL certificate that indicates it is Greyware. If the reply-from address does not match the sent-to address, we report an error and direct customers to visit https://www.greyware.com/ directly to obtain an update.

For all versions of Windows equal to or greater than Windows 7/Server 2008r2, we first check the SSL certificate to make sure update.greyware.com really belongs to Greyware, and then perform the rest of the validation. Very old versions of Windows do not have SSL support to check the certificate. If the certificate check does not pass, we report an error and do not perform the check-for-update function.

Jeffry Dwight, Greyware Automation Products President

"GRIMM's response to our mitigation method was positive, indicating they believed it would solve the problem," Dwight said.

Companies who use Domain Tools II inside their networks are advised to update to v5.2.b.20210331. However, if companies will install these updates remains an issue of its own, as some organizations will always lag behind when it comes to patching old software.