SOLVED

Wrong Network profile assigned resulting in wrong firewall profile

%3CLINGO-SUB%20id%3D%22lingo-sub-287529%22%20slang%3D%22en-US%22%3EWrong%20Network%20profile%20assigned%20resulting%20in%20wrong%20firewall%20profile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-287529%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20stumbled%20upon%20an%20issue%20with%20the%20Softnetwork%20disconnection%20of%20Windows%20in%20combination%20with%20the%20Windows%20Defender%20Firewall%20with%20Advanced%20Security.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20seems%20not%20always%20the%20correct%20network%20profile%20is%20assigned%2C%20and%20hence%20not%20the%20correct%20firewall%20rules.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20setup%3A%3C%2FP%3E%3CP%3EWindows%2010%201803%3C%2FP%3E%3CP%3EFirewall%20rules%20deployed%20via%20GPO%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20this%20scenario%2C%20we%20have%202%20types%20of%20connection%3A%20A%204G%20cellular%20connection%2C%20which%20is%20considered%20as%20Public.%20And%20cabled%20network%20via%20ethernet%2C%20which%20is%20internal%20and%20so%20Domain.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOn%20public%20we%20explicitly%20deny%2Fblock%20RDP%20on%20port%203389%2C%20but%20on%20domain%20we%20allow%20it.%20This%20for%20management%20and%20support%20reasons.%20(Inbound%20rule)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%2C%20when%20you%20don't%20explicitly%20disable%20%22soft%20disconnect%22%2C%20which%20is%20an%20added%20value%20to%20windows%20when%20using%20it%2C%20and%20you%20have%20for%20your%20cellular%20connection%20the%20box%20%22let%20windows%20manage%20this%20connection%22%20checked%2C%20it%20seems%20the%20firewall%20isn't%20correctly%20working.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20launch%20your%20machine%2C%20which%20will%20automatically%20connect%20to%20the%20cellular%20network%2C%20and%20the%20Network%20Profile%20%22Public%22%20is%20attributed%20to%20this%20connection%2C%20and%20also%20the%20Firewall%20rules%20for%20this%20profile%20are%20applied.%3C%2FP%3E%3CP%3EThen%20you%20plug-in%20the%20networkcable%2C%20and%20the%20NLA%20services%20will%20detect%20a%20network%20change%20and%20a%20new%20Network%20Profile%20gets%20assigned%3A%20Domain.%20This%20means%20the%20firewall%20rules%20for%20the%20profile%20Domain%20get%20applied...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%2C%20al%20good%20and%20well%20you%20would%20say.%20But%20it%20isn't!%3C%2FP%3E%3CP%3EDue%20to%20the%20softconnect%2C%20the%20cellular%20connection%20keeps%20its%20connection%20and%20IP-address%20assigned.%3C%2FP%3E%3CP%3ESince%20now%20the%20firewall%20rules%20for%20the%20profile%20Domain%20are%20applied%2C%20the%20explicitly%20blocked%20port%203389%20is%20exposed%20as%20and%20vulnerable%20on%20this%20public%20connection%2C%20and%20reveals%20itself%20in%20portscans%20on%20this%20public%20internet%20connection.%20This%20also%20results%20in%20active%20attempts%20to%20abuse%20this%20port%2C%20although%20we%20explicitly%20blocked%20it%20on%20the%20profile%20Public.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20me%20this%20seems%20a%20security%20issue%2C%20because%20you%20would%20expect%20the%20firewall%20rules%20for%20the%20profile%20Public%20would%20still%20be%20applied%20on%20this%20kept-alive%20network%20connection...%20But%20it%20isn't...%3C%2FP%3E%3CP%3EThe%20windows%20defender%20firewall%20with%20advanced%20security%20considers%20now%20both%20connection%20to%20be%20the%20same%3A%20Domain....%3C%2FP%3E%3CP%3ESo%2C%20this%20means%20restrictions%20you%20put%20in%20place%20for%20inbound%20or%20outbound%20rules%20on%20the%20public%20network%20profile%20aren't%20applied.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20case%20was%20reproduced%20multiple%20times%2C%20and%20all%20traces%20can%20be%20found%20in%20the%20eventlog%20to%20support%20this.%3C%2FP%3E%3CP%3EThis%20doesn't%20seem%20a%20configuration%20issue%20of%20the%20firewall%2C%20since%20when%20only%20having%20this%20public%20cellular%20connection%2C%20the%20connection%20attempts%20on%20port%203389%20are%20blocked.%20When%20having%20the%20network%20%2B%20cellular%20connection%2C%20connection%20attempts%20on%203389%20aren't%20block%20anymore.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-302752%22%20slang%3D%22en-US%22%3ERe%3A%20Wrong%20Network%20profile%20assigned%20resulting%20in%20wrong%20firewall%20profile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-302752%22%20slang%3D%22en-US%22%3E%3CP%3EFor%20those%20who%20don't%20understand%20the%20severity%2C%20this%20not%20only%20means%20for%20RDP!%20If%20you%20block%20for%20example%20SMB%20or%20WMI%20on%20public%20internet%2C%20but%20not%20on%20your%20domain%20network%2C%20your%20machines%20are%20also%20exposed%20to%20those%20protocols%2Fservices%20on%20the%20public%20internet!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20this%20%22bug%22%20is%20exploited%20with%20valid%20credentials%2C%20it%20goes%20undetected!!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-414003%22%20slang%3D%22en-US%22%3ERe%3A%20Wrong%20Network%20profile%20assigned%20resulting%20in%20wrong%20firewall%20profile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-414003%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20one%20is%20patched%20now%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-us%2Fsecurity-guidance%2Fadvisory%2FCVE-2019-0637%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fportal.msrc.microsoft.com%2Fen-us%2Fsecurity-guidance%2Fadvisory%2FCVE-2019-0637%26nbsp%3B%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Hi,

 

I stumbled upon an issue with the Softnetwork disconnection of Windows in combination with the Windows Defender Firewall with Advanced Security.

 

It seems not always the correct network profile is assigned, and hence not the correct firewall rules.

 

The setup:

Windows 10 1803

Firewall rules deployed via GPO

 

In this scenario, we have 2 types of connection: A 4G cellular connection, which is considered as Public. And cabled network via ethernet, which is internal and so Domain.

 

On public we explicitly deny/block RDP on port 3389, but on domain we allow it. This for management and support reasons. (Inbound rule)

 

Now, when you don't explicitly disable "soft disconnect", which is an added value to windows when using it, and you have for your cellular connection the box "let windows manage this connection" checked, it seems the firewall isn't correctly working.

 

You launch your machine, which will automatically connect to the cellular network, and the Network Profile "Public" is attributed to this connection, and also the Firewall rules for this profile are applied.

Then you plug-in the networkcable, and the NLA services will detect a network change and a new Network Profile gets assigned: Domain. This means the firewall rules for the profile Domain get applied...

 

Now, al good and well you would say. But it isn't!

Due to the softconnect, the cellular connection keeps its connection and IP-address assigned.

Since now the firewall rules for the profile Domain are applied, the explicitly blocked port 3389 is exposed as and vulnerable on this public connection, and reveals itself in portscans on this public internet connection. This also results in active attempts to abuse this port, although we explicitly blocked it on the profile Public.

 

For me this seems a security issue, because you would expect the firewall rules for the profile Public would still be applied on this kept-alive network connection... But it isn't...

The windows defender firewall with advanced security considers now both connection to be the same: Domain....

So, this means restrictions you put in place for inbound or outbound rules on the public network profile aren't applied.

 

This case was reproduced multiple times, and all traces can be found in the eventlog to support this.

This doesn't seem a configuration issue of the firewall, since when only having this public cellular connection, the connection attempts on port 3389 are blocked. When having the network + cellular connection, connection attempts on 3389 aren't block anymore.

 

 

2 Replies

For those who don't understand the severity, this not only means for RDP! If you block for example SMB or WMI on public internet, but not on your domain network, your machines are also exposed to those protocols/services on the public internet!

 

When this "bug" is exploited with valid credentials, it goes undetected!!