Researcher Claims N-able Workgroup Guideline Exposes MSPs to Security Risk
… Word, Excel and SharePoint, Carr said.
“You won’t find an organization that doesn’t run those,” he said. “When you couple this with the fact that most organizations have a very slow patch cycle – we’re talking about 30, 60 or 90 days, sometimes even just yearly or just before they get an audit – it’s not difficult to imagine that someone can get that access.”
Even if an organization is good at patching, there could be a remote office that doesn’t patch very often, Carr said.
“So using one of these, you’re going to get your remote code access,” he said. “Thanks to the work that N-able has asked you to do on the attacker’s behalf, you’re in ‘god mode.’ There is nothing you couldn’t do. You would absolutely be able to operate completely undetectable. It’s a horrible place for a company to be.”
N-able is asking MSPs to allow all inbound files, and malware comes in the form of a file, Carr said.
“Your domain controller is the absolute root of all of your identity and access management,” he said. “So to put this simply, what that means is that as an attacker, I’ve come onto the system, I’ve disabled N-able, I’m now a domain administrator, and I can extract every single username and password, and email of all your staff that work in your organization. If you keep customer information in your domain controller, I’ve got that, too. The level of access I’ve got means I can move malware in and out of that environment freely and undetected. And given the level of access, there is no protection.”
N-able Responds
Pope said from a practical, day-to-day perspective when dealing with Workgroup computers, the use of N-central probes should really be off the table as a recommended method of deployment for the obvious security reasons listed by Fundamental Cyber.
“When working with Workgroup computers, the only secure option is to install agents individually on endpoints to bring them under management,” he said. “Yes, this will involve labor and time, but it’s the same amount of effort to touch the individual endpoints, and add the required administrator account and credentials so you can deploy via probe as it is to just install the N-central agent on the individual endpoints. This isn’t a unique problem for N-central. All remote monitoring and management (RMM) solutions and AD enrollment will face the same challenge with Workgroup computers. At some point, someone will have to touch a device to enroll it in AD or an RMM solution if it is not already under management by some type of platform.”
With regard to UAC, the requirement to disable it was an error. N-able says it will update its support page to remove that requirement.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.