MS15-011 & MS15-014

A whole host of vulnerabilities have been patched in the latest Microsoft Patch Tuesday release which has a number of critical vulnerabilities that you really need to pay attention to, they are MS15-011 and MS15-014 as these two patches require you to make additional changes after you have implemented them on your systems and they affect Group Policy.

This is another vulnerability that has been out there for over a decade, 15-years to be correct. It affects all PC’s running all supported versions of Windows. It will however remain unpatched in Windows Server 2003 which support will be ending for soon, Microsoft however decided not to patch it even though it should have an extra five months of support. The attack is theoretical but you should patch and reboot as soon as you can even if you are not affected by these vulnerabilities.

MS15-011 – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. For more information, see the Affected Software section.

The security update addresses the vulnerability by improving how domain-configured systems connect to domain controllers prior to Group Policy accepting configuration data. For more information about the vulnerability, see the Vulnerability Information section.

To be protected from the vulnerability described in this bulletin, additional configuration by a system administrator is required in addition to deploying this security update. For more information about this update, see Microsoft Knowledge Base Article 3000483.

 

MS15-014 – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker, by way of a man-in-the-middle attack, causes the Group Policy Security Configuration Engine policy file on a targeted system to become corrupted or otherwise unreadable. This results in the Group Policy settings on the system to revert to their default, and potentially less secure, state.

This security update is rated Important for all supported releases of Microsoft Windows. For more information, see the Affected Software section.

The security update addresses the vulnerability by correcting how Group Policy settings are applied when the Security Configuration Engine policy file is corrupted or otherwise unreadable. For more information about the vulnerability, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3004361.

So what does this mean to me if I don’t patch it?

Well you will then be an easy target as outlined in the diagram below:

MS15-011 & MS15-014 - Attack Diagram

MS15-011 & MS15-014 – Attack Diagram

In the above attack scenario, an attacker is trying to make changes to a shared network switch in a public place (eg free Wi-Fi) and can direct the client traffic to an attacker-controlled system via a MITM attack.

  1. In this scenario, the attacker has observed traffic across the switch and found that a specific machine is attempting to download a file located at the UNC path: \\10.0.0.23\Share\Login.bat .
  2. On the attacker machine, a share is set up that exactly matches the UNC path of the file requested by the victim: \\*\Share\Login.bat.
    1. The attacker then crafts a malicious payload into Login.bat to execute arbitrary, malicious code on the target system. Depending on the service requesting Login.bat, this could be executed as the local user or as the SYSTEM account on the victim’s machine.
  3. The attacker then modifies the ARP table in the local switch to ensure that traffic intended for the target server 10.0.0.23 is now routed through to the attacker’s machine.
  4. When the victim’s machine next requests the file, the attacker’s machine will return the malicious version of Login.bat.
  5. This scenario also illustrates that this attack cannot be used broadly across the internet – an attacker need to target a specific system or group of systems that request files with this unique UNC.

Ok I patched my systems now what?

Visit the microsoft support article and enable UNC hardening in Group Policy your will be still exploitable after the updates have been installed.

References:

https://technet.microsoft.com/en-us/library/security/ms15-011.aspx

https://technet.microsoft.com/en-us/library/security/ms15-014.aspx

http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx

http://support.microsoft.com/kb/3000483

https://support.microsoft.com/kb/3004361

 

Leave a Reply