
CERT Coordination Center

PDQ Deploy allows reuse of deleted credentials that can compromise a device and facilitate lateral movement

Vulnerability Note VU#164934

Original Release Date: 2024-12-11 | Last Revised: 2024-12-11

Overview

PDQ Deploy is a service intended for use by system administrators to deploy software or updates to targeted machines within their network. PDQ Deploy uses "run modes" to deploy software to target devices. The "Deploy User" run mode insecurely creates credentials on the target device. These credentials are deleted from the device once a software deployment completes; however, an attacker with access to the target device can capture them before deletion with common password-dumping tools such as Mimikatz. The captured credentials could then be used to gain administrator access on the target device, or to compromise any other Active Directory-enrolled device that uses the same credentials and has previously had software deployed to it by PDQ Deploy.

Description

PDQ Deploy is a service intended for use by system administrators and others to deploy software or updates to targeted machines within their network. PDQ Deploy has various configurations, including automated deployment and availability-based deployments. PDQ Deploy also uses various "run modes" to deploy software to target devices. The "Deploy User" run mode can use a domain or local account with administrator rights on the target computer during the deployment process.

The deployment process is as follows:

1. PDQ Deploy initiates an application deployment.
2. The central server connects to the target device remotely with the "Deploy User" credentials.
3. A local service is created on the device and run as the domain or local user account specified as the deploy user.
4. PDQ Deploy follows the application deployment process, installing the requested software.
5. The service is removed from the remote device.

An attacker with access to the device can use a password-dumping tool, such as Mimikatz, to dump these credentials during the deployment process, specifically during steps 2 to 4, before they are deleted. If a domain account is used as the Deploy User, its credentials are static and can be used to compromise any other device enrolled in PDQ Deploy through Active Directory that shares this user, allowing lateral movement.
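Detection logic for the exposure window described above (steps 2 to 4), as an added example that is not part of the CERT/CC note or of PDQ's tooling: it correlates Windows service-installation events (System log Event ID 7045) with Sysmon Event ID 10 process-access events against lsass.exe on the same host, and alerts on LSASS access by a non-allowlisted process while a freshly installed service may still be present. The ten-minute window, the process allowlist, the service name and all sample log lines are constructed assumptions; the note does not name the service PDQ Deploy creates.

```python
from datetime import datetime, timedelta

# Assumed upper bound on the time between service creation (step 3) and removal (step 5).
WINDOW = timedelta(minutes=10)
# Processes expected to open LSASS on a normal endpoint (assumption; tune per estate).
LSASS_ALLOW = {"c:\\windows\\system32\\svchost.exe", "c:\\windows\\system32\\csrss.exe"}


def parse_event(line):
    """Parse one constructed log line of the form '<ts> <host> <event_id> key=value ...'."""
    ts, host, eid, *kv = line.split()          # paths in the samples contain no spaces
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), host, int(eid), fields


def find_exposed_lsass_access(lines):
    """Return (host, service, source_image, granted_access) for each LSASS access by a
    non-allowlisted process that falls within WINDOW of a service install on that host."""
    installs = {}   # host -> (timestamp, service name) of the most recent Event ID 7045
    alerts = []
    for ts, host, eid, f in sorted(map(parse_event, lines), key=lambda e: e[0]):
        if eid == 7045:                                   # System log: a service was installed
            installs[host] = (ts, f.get("ServiceName", "?"))
        elif eid == 10 and f.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            src = f.get("SourceImage", "").lower()
            if src in LSASS_ALLOW:
                continue
            last = installs.get(host)
            if last and ts - last[0] <= WINDOW:
                alerts.append((host, last[1], src, f.get("GrantedAccess", "?")))
            # LSASS access outside the window is still suspicious; a separate rule should cover it.
    return alerts


# Constructed sample lines; service and binary names are placeholders, not real PDQ artifacts.
SAMPLE = [
    "2024-12-11T09:00:00 WS01 7045 ServiceName=DeployService-Example",
    "2024-12-11T09:00:05 WS01 10 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "2024-12-11T09:02:30 WS01 10 SourceImage=C:\\Temp\\unknown.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "2024-12-11T09:30:00 WS01 10 SourceImage=C:\\Temp\\unknown.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "2024-12-11T11:00:00 WS02 10 SourceImage=C:\\Temp\\unknown.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
]

if __name__ == "__main__":
    for alert in find_exposed_lsass_access(SAMPLE):
        print("LSASS access during deployment window:", alert)
```

Only the WS01 access at 09:02:30 is reported: the svchost.exe access is allowlisted, the 09:30 access falls outside the window, and WS02 has no preceding service install.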

PDQ Deploy supports other "Run Modes" for use during the deployment process, which change how credentials are stored on the device. One of these is the "Local System" run mode, in which the service is run as the Local System account. A Local System account has lower privileges than a domain account, but PDQ Deploy still uses the Deploy User account to connect to the device and start the Local System service, so the vulnerability remains present for that user.

Impact

An attacker with access to the PDQ Deploy service and the ability to execute common password-dumping tools such as Mimikatz can dump the Deploy User administrator credentials from a device during the deployment process, then use those credentials either to further compromise the current device or, where a domain account is used, to move laterally and compromise other PDQ Deploy enrolled systems in the same Active Directory domain that share that user. The compromised machine must have previously been deployed to via PDQ Deploy.

Solution

The CERT/CC is publishing this Vulnerability Note to make users of PDQ Deploy aware of potential avenues of attack through the deploy service. System administrators using PDQ Deploy should employ LAPS to mitigate this vulnerability. They could also follow the recommendations outlined in the how-to guides on the PDQ Deploy website (https://help.pdq.com/hc/en-us/articles/360033877651-Adding-and-Using-Multiple-Credentials-in-PDQ-Deploy-Inventory). Additionally, alternate deploy modes could be used. The "Logged on User" deploy mode uses the active credentials of the user currently logged in to the device to create the necessary services and deploy the requested software. This deploy mode does not create a service with the domain/local credentials and is therefore an appropriate deployment mode for avoiding the vulnerability. Note that this Run Mode is only available in Enterprise mode and requires user input to complete the deployment of the software.

Acknowledgements

Thanks to the reporter who wishes to remain anonymous. A French source validated and coordinated this vulnerability note and case with CERT/CC. This document was written by Christopher Cullen.

Vendor Information


PDQ Deploy Affected

Notified: 2024-07-24 | Updated: 2024-12-11

Statement Date: December 09, 2024

VU#164934.1 Affected

Vendor Statement

PDQ is serious about security and recognizes that protecting your organization from threat actors is a complex challenge that often contains contradictory incentives and business priorities.

We build IT automation tools (including a vulnerability scanner) and manage multiple on-prem and cloud-based device management tools that can be used to deploy operating systems, applications, and updates. Keeping your operating systems and applications current with the latest security updates is a constant chore for sysadmins, and any IT automation tool used for this purpose must be able to perform administrative actions on an endpoint in order to complete your task. In the case of PDQ Deploy, which is an on-prem, agentless tool, such automation requires a set of local administrator credentials to securely transmit and perform administrative actions on each endpoint.

Due to long-established and well-understood vulnerabilities in Microsoft Windows that enable credentials in active memory to be extracted (using tools such as Mimikatz), it is important for PDQ Deploy and Inventory users to be aware of this risk and thoughtful about security by following our help center recommendations when selecting credentials:

* Use Windows LAPS, which integrates with PDQ Deploy and Inventory, to allow you to use a local administrator user and password that is specific to each endpoint and therefore cannot be used to compromise other endpoints or additional levels of network security.
* Respect the principle of least privilege, selecting a set of credentials that have the required permissions to perform the commands you wish to run on the endpoint and no greater permissions beyond that.
* Do not use domain administrator credentials unless you are automating actions on a domain controller — and if you must make use of such credentials, use them for this purpose only, using a lower-permission set of credentials for all other deployments, scans, and endpoints.

Other Information

Date Public: 2024-12-11
Date First Published: 2024-12-11
Date Last Updated: 2024-12-11 14:42 UTC
Document Revision: 1

Sponsored by CISA.