Vulnerability Note VU#787252

Microsoft Windows domain-configured client Group Policy fails to authenticate servers

Original Release date: 13 Feb 2015 | Last revised: 13 Feb 2015

Overview

Microsoft Windows domain-configured client Group Policy fails to authenticate servers over Universal Naming Convention (UNC) paths.

Description

Microsoft has released MS15-011, detailing a critical flaw in which Windows domain-configured client Group Policy fails to authenticate servers over Universal Naming Convention (UNC) paths. Upon connecting to a network, Group Policy runs logon scripts to receive and apply policy data from a domain controller. By joining an attacker-controlled network, the vulnerable system will execute attacker-provided scripts since the server is not required to authenticate itself. Because of the way that the Multiple UNC Provider (MUP) iterates through UNC providers to establish a connection to the domain controller, the vulnerability may be remotely exploitable when a UNC path is resolved over the Internet.

For more detailed information, visit Microsoft's blog about hardening Group Policy and JAS's JASBUG Fact Sheet.

Impact

A remote, unauthenticated attacker may execute arbitrary code and completely compromise vulnerable systems.

Solution

Apply an update and configure Group Policy settings

In addition to applying an update, administrators need to configure additional Group Policy settings in order to protect against the vulnerability.

Note that in addition to the unsupported Windows XP and 2000, Windows Server 2003 will not be receiving an update to address this vulnerability despite being a supported operating system. Furthermore, Microsoft has not identified any workarounds or mitigations, recommending that security-conscious users upgrade their operating systems.

Vendor Information (Learn More)

Many versions of Microsoft Windows operating systems are confirmed vulnerable, including:

    • Microsoft Windows Vista, 7, 8, 8.1, RT, and RT 8.1
    • Microsoft Windows Server 2003, 2008, 2008 R2, 2012, and 2012 R2

Unsupported operating systems such as Microsoft Windows XP and 2000 may also be affected.

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected-12 Feb 2015
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.8 E:POC/RL:OF/RC:C
Environmental 8.5 CDP:LM/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

Microsoft credits Jeff Schmidt of JAS Global Advisors, Dr. Arnoldo Muller-Molina of simMachines, and the Internet Corporation for Assigned Names and Numbers (ICANN) with discovering this issue.

This document was written by Joel Land.

Other Information

  • CVE IDs: CVE-2015-0008
  • Date Public: 13 Feb 2015
  • Date First Published: 13 Feb 2015
  • Date Last Updated: 13 Feb 2015
  • Document Revision: 20

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.