Enterprises that support remote workers need to prioritize a Microsoft security bulletin released yesterday that addresses a critical vulnerability in Group Policy.
The vulnerability exposes Windows machines, all the way back to Windows Server 2003, to man-in-the-middle attacks and remote code execution. Setting off more alarm bells was news that Microsoft was required to do some re-engineering of Windows components in order to rectify the situation, which was reported to Redmond 13 months ago.
JAS Global Advisors, a Chicago-based consultancy, and simMachines, an analytics firm in St. Louis, found the bug while working on a project for ICANN looking into security issues surrounding the release of new generic Top Level Domains (gTLDs) and Top Level Domains (TLDs). The Group Policy issue was discovered during the research phase of this project, but is unrelated to new gTLDs or TLDs, the company said.
JAS, which dubbed the vulnerability Jasbug, said the issue is complicated because unlike some of the Internet-wide bugs that surfaced in 2014, this one is related to software design rather than implementation.
“The fix required Microsoft to re-engineer core components of the operating system and to add several new features. Careful attention to backwards compatibility and supported configurations was required, and Microsoft performed extensive regression testing to minimize the potential for unanticipated side effects,” JAS said in an advisory published yesterday. “Additionally, documentation and other communication with IT systems administrators describing the changes were needed.”
Microsoft patched the vulnerability yesterday as part of its monthly Patch Tuesday security bulletin release cycle. The patch is covered in two bulletins, MS15-011 and MS15-014, which address remote code execution and a security feature bypass, respectively.
“The vulnerability is remotely exploitable and may grant the attacker administrator level privileges on the target machine/device,” JAS said. “Roaming machines – domain-joined Windows devices that connect to corporate networks via the public Internet (e.g. from hotels and coffee shops) – are at heightened risk.”
-Jeff Schmidt, JAS
JAS said that computers connecting over a virtual private network should be immune to compromise. Further mitigating the risk, JAS said, is that a number of scenarios have to be in place for exploits to work.
“It certainly doesn’t work universally and it depends on some funky misconfigurations and happenstance. But it works frequently enough to be of concern,” the JAS advisory said. “We will release the specifics of the other attack scenarios we’re aware of at some future point, but for now it’s important that folks patch and not become complacent because of a perceived on-LAN requirement. It’s not a strict requirement. Go patch.”
Jeff Schmidt, CEO of JAS, said there are two issues conspiring against Windows users with these vulnerabilities. For remote users, Schmidt discovered that some cryptographic checks around authentication were not happening properly behind the scenes. He said Windows machines trust that a remote host is what it claims to be without performing a cryptographic authentication, setting the table for man-in-the-middle attacks.
“Not only are Windows clients too trusting of the responses they get back from DNS, they can also be fairly easily tricked into downgrading to unauthenticated and unencrypted transit protocols (like WebDav over http),” he said.
Microsoft rolled out a new feature to address the vulnerabilities called UNC Hardened Access, which ensures the right authentication and in-transit encryption is carried out.
“Instead of being subject to the OS “trying too hard” to make communication work, the UNC infrastructure within Windows now allows the higher layer resource requestor to specify whether Mutual Authentication, Integrity, and/or Privacy are required for the communication,” Schmidt said. “This is the right, general-purpose solution to this problem.”
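The UNC Hardened Access feature Schmidt describes is configured through the "Hardened UNC Paths" Group Policy setting, which Windows stores as registry values whose name is a UNC path pattern and whose data lists the RequireMutualAuthentication, RequireIntegrity and RequirePrivacy flags. The following audit script is an added example written for this article, not code from JAS, Microsoft or Threatpost; it reads that key on the local machine and reports whether the SYSVOL and NETLOGON shares that Group Policy is fetched from require at least mutual authentication and integrity. The registry path and the `\\*\SYSVOL` / `\\*\NETLOGON` patterns follow Microsoft's published guidance for MS15-011; the function names are the example's own.

```powershell
# Added example, not from the article: audit the Hardened UNC Paths policy.
# Registry location used by the Group Policy setting (per Microsoft's MS15-011 guidance).
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function Get-HardenedUncPath {
    # Return one object per configured UNC pattern with its three flags parsed out.
    # Value data looks like: "RequireMutualAuthentication=1, RequireIntegrity=1"
    if (-not (Test-Path $HardenedPathsKey)) { return @() }
    $item = Get-ItemProperty -Path $HardenedPathsKey
    foreach ($prop in $item.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, ... metadata; skip those.
        if ($prop.Name -like 'PS*') { continue }
        $flags = @{}
        foreach ($pair in ($prop.Value -split ',')) {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $flags[$kv[0].Trim()] = ($kv[1].Trim() -eq '1') }
        }
        [pscustomobject]@{
            Path                        = $prop.Name
            RequireMutualAuthentication = [bool]$flags['RequireMutualAuthentication']
            RequireIntegrity            = [bool]$flags['RequireIntegrity']
            RequirePrivacy              = [bool]$flags['RequirePrivacy']
        }
    }
}

function Test-GroupPolicyShareHardening {
    # Microsoft's MS15-011 guidance covers \\*\SYSVOL and \\*\NETLOGON with at least
    # mutual authentication and integrity. Privacy (encryption in transit) is the
    # stronger option the article mentions, so it is reported but not required here.
    $required   = @('\\*\SYSVOL', '\\*\NETLOGON')
    $configured = @(Get-HardenedUncPath)
    foreach ($share in $required) {
        $entry = $configured | Where-Object { $_.Path -eq $share } | Select-Object -First 1
        [pscustomobject]@{
            Share      = $share
            Configured = [bool]$entry
            MutualAuth = [bool]($entry -and $entry.RequireMutualAuthentication)
            Integrity  = [bool]($entry -and $entry.RequireIntegrity)
            Privacy    = [bool]($entry -and $entry.RequirePrivacy)
            Hardened   = [bool]($entry -and $entry.RequireMutualAuthentication -and $entry.RequireIntegrity)
        }
    }
}

# Usage: run in an elevated PowerShell session on a domain-joined, patched client.
Test-GroupPolicyShareHardening | Format-Table -AutoSize
```

A row with `Hardened` set to `False` means the client will still fetch Group Policy from that share without the authentication and integrity checks the patch makes possible; installing MS15-011 alone does not turn the policy on, so the setting has to be deployed explicitly.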
Schmidt said there is an outstanding issue that Microsoft has not addressed wherein Active Directory clients could leak DNS requests to the open Internet. The Internet’s DNS infrastructure, he said, will try to resolve those queries as it would any other and provide pointers to the right sources, rather than a result from the local AD controller for an enterprise domain, for example. He said during JAS’ research, more than 200,000 AD clients reached out to JAS via a series of customized DNS registrations.
“Microsoft did not address ‘query leakage’ or Active Directory naming problems as related to the global Internet DNS in this round of patches,” Schmidt said. “However, if UNC Hardened Access is enabled, at least in theory even leaked queries would not result in an exploitable situation because the strong authentication step is still required providing cryptographic proof that the client is talking to the server it thinks it is. So even if these queries make it out to the Internet, no harm done.”
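The query leakage Schmidt describes is visible to a defender who can see where clients send their DNS queries. The script below is an added example written for this article, not code from JAS, Microsoft or Threatpost; it scans query log lines and flags lookups for names under the organization's Active Directory DNS domain that were sent to a resolver outside the corporate list. The log format, the `corp.example` domain, the resolver addresses and the sample lines are all constructed for the example; a real deployment would feed it resolver, firewall or endpoint DNS logs in whatever format they use.

```powershell
# Added example, not from the article: detect AD DNS queries that left the corporate resolvers.
$InternalSuffix     = 'corp.example'                 # assumed AD DNS domain
$CorporateResolvers = @('10.0.0.53', '10.0.1.53')    # assumed internal DNS servers

# Constructed sample log: "<timestamp> <client> -> <resolver> <type> <name>"
$SampleLog = @'
2015-02-11T09:01:02Z 10.0.5.17 -> 10.0.0.53 A fileserver01.corp.example
2015-02-11T09:01:05Z 10.0.5.17 -> 8.8.8.8 SRV _ldap._tcp.dc._msdcs.corp.example
2015-02-11T09:01:07Z 10.0.5.17 -> 8.8.8.8 A www.example.com
2015-02-11T09:01:09Z 192.168.1.40 -> 1.1.1.1 A dc01.corp.example
'@

function Find-LeakedAdQuery {
    # Emit one object per query for an internal AD name that went to a non-corporate resolver.
    param(
        [string[]]$Lines,
        [string]$Suffix,
        [string[]]$Resolvers
    )
    $pattern = '^(?<ts>\S+)\s+(?<src>\S+)\s+->\s+(?<dst>\S+)\s+(?<type>\S+)\s+(?<name>\S+)$'
    $suffix  = $Suffix.ToLowerInvariant()
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }   # skip lines that are not queries
        $name     = $Matches.name.TrimEnd('.').ToLowerInvariant()
        $isAdName = ($name -eq $suffix) -or $name.EndsWith(".$suffix")
        $external = $Matches.dst -notin $Resolvers
        if (-not ($isAdName -and $external)) { continue }
        # DC locator SRV records (_msdcs) are the queries a roaming client sends when
        # it tries to find a domain controller, so call those out separately.
        $reason = 'internal AD name sent to external resolver'
        if ($name -like '*._msdcs.*') { $reason = 'DC locator SRV query sent to external resolver' }
        [pscustomobject]@{
            Time     = $Matches.ts
            Client   = $Matches.src
            Resolver = $Matches.dst
            Type     = $Matches.type
            Name     = $name
            Reason   = $reason
        }
    }
}

# Usage: the two corp.example queries that went to 8.8.8.8 and 1.1.1.1 are reported;
# the www.example.com lookup and the query to 10.0.0.53 are not.
Find-LeakedAdQuery -Lines ($SampleLog -split "`r?`n") -Suffix $InternalSuffix -Resolvers $CorporateResolvers |
    Format-Table -AutoSize
```

Leaked queries of this kind are the precondition for the DNS-trust problem the article describes, so the same report is a useful way to find roaming machines whose resolver configuration should be corrected, in addition to enabling UNC Hardened Access on them.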