search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Microsoft Windows domain-configured client Group Policy fails to authenticate servers

Vulnerability Note VU#787252

Original Release Date: 2015-02-13 | Last Revised: 2015-02-13

Overview

Microsoft Windows domain-configured client Group Policy fails to authenticate servers over Universal Naming Convention (UNC) paths.

Description

Microsoft has released MS15-011, detailing a critical flaw in which Windows domain-configured client Group Policy fails to authenticate servers over Universal Naming Convention (UNC) paths. Upon connecting to a network, Group Policy runs logon scripts to receive and apply policy data from a domain controller. By joining an attacker-controlled network, the vulnerable system will execute attacker-provided scripts since the server is not required to authenticate itself. Because of the way that the Multiple UNC Provider (MUP) iterates through UNC providers to establish a connection to the domain controller, the vulnerability may be remotely exploitable when a UNC path is resolved over the Internet.

For more detailed information, visit Microsoft's blog about hardening Group Policy and JAS's JASBUG Fact Sheet.

Impact

A remote, unauthenticated attacker may execute arbitrary code and completely compromise vulnerable systems.

Solution

Apply an update and configure Group Policy settings

In addition to applying an update, administrators need to configure additional Group Policy settings in order to protect against the vulnerability.

Note that in addition to the unsupported Windows XP and 2000, Windows Server 2003 will not be receiving an update to address this vulnerability despite being a supported operating system. Furthermore, Microsoft has not identified any workarounds or mitigations, recommending that security-conscious users upgrade their operating systems.

Vendor Information

Many versions of Microsoft Windows operating systems are confirmed vulnerable, including:

      • Microsoft Windows Vista, 7, 8, 8.1, RT, and RT 8.1
      • Microsoft Windows Server 2003, 2008, 2008 R2, 2012, and 2012 R2

Unsupported operating systems such as Microsoft Windows XP and 2000 may also be affected.

787252
Expand all

Microsoft Corporation

Updated:  February 12, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.8 E:POC/RL:OF/RC:C
Environmental 8.5 CDP:LM/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

Microsoft credits Jeff Schmidt of JAS Global Advisors, Dr. Arnoldo Muller-Molina of simMachines, and the Internet Corporation for Assigned Names and Numbers (ICANN) with discovering this issue.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2015-0008
Date Public: 2015-02-13
Date First Published: 2015-02-13
Date Last Updated: 2015-02-13 15:13 UTC
Document Revision: 20

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.