Dynatrace OneAgent NTLM Relay Vulnerability on Windows
Vulnerability
A vulnerability exists in Dynatrace OneAgent for Windows prior to version 1.325.47 that allows an unprivileged attacker to perform NTLM relay attacks. When OneAgent attempts to access a remote network share and the server answers with a 'STATUS_LOGON_FAILURE' error, the agent retrieves the tokens of all users on the machine and retries the share access while impersonating each of those users. Every retry is a fresh NTLM authentication made on behalf of a different user, so a server that rejects the initial logon and that the attacker controls, or can intercept traffic to, receives one relayable authentication per user token on the host. An attacker with access to the affected system can trigger this behavior.
Impact
Exploitation allows NTLM relay attacks: the attacker intercepts the NTLM authentications that OneAgent performs while impersonating other users on the machine and relays them to other services, gaining access to resources as those users rather than as the agent's own identity.
Reproduction
To reproduce this vulnerability, install an affected Dynatrace OneAgent (earlier than 1.325.47) on a Windows machine on which other users have logged on, and have OneAgent access a remote network share that responds with a 'STATUS_LOGON_FAILURE' error. On receiving that error, OneAgent retrieves the user tokens present on the machine and attempts the share access again, this time impersonating each user whose token it retrieved. Each attempt is a separate NTLM authentication for that user, which the receiving server can relay; the cycle repeats for as long as the share keeps answering with a logon failure.
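The following is an added example, not Dynatrace code, that models the retry behavior described in the Vulnerability and Reproduction sections so the amplification is visible: the Token class, the RogueShare class, the enumerate_user_tokens() stand-in and the machine-account identity CORP\HOST01$ are all constructed assumptions replacing the real Windows token and SMB APIs. It contrasts the described pre-1.325.47 logic with a fail-closed variant and returns the identities whose NTLM authentication the rogue share received.

```python
"""Constructed model of the OneAgent share-access retry behavior.

Not Dynatrace code: Token, RogueShare and enumerate_user_tokens() stand in
for the Windows token and SMB APIs so the example runs offline.
"""
from dataclasses import dataclass, field

STATUS_SUCCESS = 0x00000000
STATUS_LOGON_FAILURE = 0xC000006D  # NTSTATUS value returned for a rejected logon


@dataclass(frozen=True)
class Token:
    user: str  # identity the agent would impersonate, e.g. "CORP\\alice"


@dataclass
class RogueShare:
    """Attacker-controlled share (constructed). It answers every connection
    with STATUS_LOGON_FAILURE and records which identity authenticated; each
    recorded identity is one NTLM exchange the attacker can relay."""
    authenticated: list = field(default_factory=list)

    def connect(self, token: Token) -> int:
        self.authenticated.append(token.user)
        return STATUS_LOGON_FAILURE  # keep failing so the agent keeps retrying


def enumerate_user_tokens() -> list:
    """Constructed stand-in for collecting the tokens of users logged on to
    the host; the real agent obtains these from the operating system."""
    return [Token("CORP\\alice"), Token("CORP\\bob"), Token("CORP\\svc_backup")]


def access_share_vulnerable(share: RogueShare, agent_token: Token) -> int:
    """Pre-1.325.47 behavior as described: a logon failure triggers a retry
    of the share access under every other user token on the machine."""
    status = share.connect(agent_token)
    if status == STATUS_LOGON_FAILURE:
        for token in enumerate_user_tokens():
            status = share.connect(token)
            if status == STATUS_SUCCESS:
                break
    return status


def access_share_hardened(share: RogueShare, agent_token: Token) -> int:
    """Fail closed: report the logon failure instead of trying other identities."""
    return share.connect(agent_token)


def identities_exposed(access) -> list:
    """Run one share access against a rogue share and return the identities
    whose NTLM authentication the attacker received."""
    share = RogueShare()
    # Assumed: the agent runs as SYSTEM, so its own remote logon is the machine account.
    agent = Token("CORP\\HOST01$")
    access(share, agent)
    return share.authenticated


if __name__ == "__main__":
    print("vulnerable:", identities_exposed(access_share_vulnerable))
    print("hardened:  ", identities_exposed(access_share_hardened))
```

Running the script shows the difference that matters for relay: the vulnerable path hands the rogue share one authentication per logged-on user (machine account plus three users in this constructed token list), while the fail-closed path exposes only the agent's own identity, which is the behavior an agent should have regardless of version, since a logon failure from a remote server is never a reason to try someone else's credentials.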
Remediation
Users should update Dynatrace OneAgent for Windows to version 1.325.47 or later, and verify after the update that the installed agent version on each Windows host meets or exceeds 1.325.47.
