Researchers at GRIMM recently found that a remote code execution (RCE) vulnerability allowed attackers to hijack the update process of a Windows time synchronization software product by exploiting a man-on-the-side (MotS) weakness.
The researchers are warning security teams to be on the lookout for disruption: because compromised time synchronization software could make it virtually impossible to track a security incident, or any further damage to the business, and could also affect financial transactions.
Unlike a man-in-the-middle (MitM) attack, which lets attackers both read and modify network traffic between two endpoints, a MotS attack only lets them read that traffic. These attacks are still dangerous, because criminals can insert malware into the update process and trick a user into downloading and executing an attacker-controlled payload while believing it is a routine software update.
Although the attackers can't manipulate the data exchanged between a local install and the update server, they can send their own responses and race the legitimate traffic. If the attacker's response wins the race, the local install opens a browser window and drives it to a URL chosen by the attacker.
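The race described above, as an added illustration (this is not GRIMM's code, nor the affected product's, and it does not reproduce the real update protocol): a client that trusts whichever update response arrives first is exactly what a MotS race exploits, while a client that requires a valid signature over the update manifest drops the injected response even though it arrived first. All names, URLs and the responses themselves are constructed for the example. Python's standard library has no public-key signatures, so an HMAC stands in for what a real updater would do with an asymmetric signature (only the public key shipped in the client); the check-then-act structure is the point, not the primitive.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real updater this would be an asymmetric key pair
# with only the public key embedded in the client; HMAC is a stand-in here.
SIGNING_KEY = b"constructed-demo-signing-key"


def _canonical(manifest: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash the same bytes.
    return json.dumps(manifest, sort_keys=True).encode()


def sign_manifest(manifest: dict, key: bytes = SIGNING_KEY) -> dict:
    """Server side: attach a signature to the update manifest."""
    sig = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "sig": sig}


def verify_manifest(response: dict, key: bytes = SIGNING_KEY) -> bool:
    """Client side: accept a response only if its signature matches the manifest."""
    manifest = response.get("manifest")
    if not isinstance(manifest, dict):
        return False
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(response.get("sig", "")))


# Constructed traffic for one update check: the injected response is unsigned
# and, because it was raced, it is the first one the client sees.
LEGIT = sign_manifest({"version": "2.0.1",
                       "url": "https://updates.example.invalid/setup.exe"})
INJECTED = {"manifest": {"version": "9.9.9",
                         "url": "https://attacker.example.invalid/x.exe"},
            "sig": "not-a-valid-signature"}
ARRIVAL_ORDER = [INJECTED, LEGIT]


def naive_client(responses: list) -> str:
    """First response wins: the behaviour a MotS race takes advantage of."""
    return responses[0]["manifest"]["url"]


def hardened_client(responses: list):
    """Ignore anything unsigned; the raced response is dropped, the real one used.
    Returns None if no response verifies (the client should then do nothing)."""
    for response in responses:
        if verify_manifest(response):
            return response["manifest"]["url"]
    return None


def duplicate_response_alert(responses: list) -> bool:
    """Defensive telemetry: two distinct responses to a single update request
    is the characteristic trace a MotS race leaves and is worth alerting on."""
    distinct = {json.dumps(r, sort_keys=True) for r in responses}
    return len(distinct) > 1


if __name__ == "__main__":
    print("naive client would fetch:   ", naive_client(ARRIVAL_ORDER))
    print("hardened client would fetch:", hardened_client(ARRIVAL_ORDER))
    print("duplicate responses seen:   ", duplicate_response_alert(ARRIVAL_ORDER))
```

The hardened path still needs the rest of the usual controls (TLS to a pinned update host, a signature check on the downloaded installer itself, and never launching an arbitrary URL from the response), but signing the manifest alone is enough to turn "win the race" into "win the race and forge a signature".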
The researchers also stated that the vulnerability was discovered through GRIMM's Private Vulnerability Disclosure (PVD) program. They stressed that working time synchronization is essential and must be in place and maintained to support a cybersecurity workflow, which makes this scenario particularly dangerous: the vulnerability allows the download and execution of malicious files.