Vulnerabilities in Group Policy could allow security policy bypassing (MS15-011, MS15-014, CVE-2015-0008, CVE-2015-0009)

Reading Time: 4 minutes

For its February 2015 Patch Tuesday on Tuesday February 10, Microsoft has released two security bulletin to address issues in Group Policy that would allow an attacker using a Man-in-the-middle (MitM) approach to bypass security policies, by forging packets sent by Domain Controllers.

 

The situation

In many organizations, Group Policies are used to centrally configure settings, printers, drivers and software.

These settings and preferences can be applied locally using gpedit.msc and secpol.msc. However, settings and preferences can also be set centrally using Active Directory on the site, domain and even granularly per Organizational Unit (OU). Tools used are gpmc.msc and, again, gpedit.msc. For non-domain-joined devices, the Security Configuration Manager (SCM) Solutions Accelerator and Offline Domain Join (ODJ) can be used to configure settings.

Responsible for applying security settings from both the local computer security policy and Group Policy objects on a device, is the Security Configuration Engine. It receives and applies the policy data in policy files and makes sure they get applied.

 

The issues

Multiple issues exist with Group Policy that can be used to cause undesired behavior:

MS15-011

First, an issue has been identified in the way how the Security Configuration Engine picks up Group Policy.

By default, the Security Configuration Engine on domain-joined devices automatically downloads security settings in updated Group Policy Objects (GPOs) from SYSVOL, which the scecli.dll part of the Security Configuration Engine discovers and accesses using the Universal Naming Convention (UNC) paths.

An attacker may spoof, tamper with, or redirect communications between the UNC provider and devices, and subsequently may be able to cause Group Policy to execute his or her programs or scripts. A common attack vector for this would be for an attacker to introduce a rogue Wi-Fi access point connected to the corporate wired network, optionally configured with the same SSID as the corporate Wi-Fi.

MS15-014

A second vulnerability exists whereby Group Policy could fail to retrieve valid security policy settings, because one or more Security Configuration Engine configuration files (gpttmpl.inf per Group Policy Object, configured with security settings) are corrupted or otherwise unreadable when they are interpreted by the scesrv.dll part of the Security Configuration Engine.

An attacker can achieve this by modifying the responses sent by Active Directory Domain Controllers with a Man-in-the-Middle (MitM) approach. The behavior of the Group Policy Security Configuration Engine, then, is to apply default, potentially less secure, group policy settings, instead of the domain-configured settings.

 

The solutions

MS15-011

Microsoft introduces UNC Hardened Access to address this vulnerability. This is a new Windows feature, that provides mitigations against Man-in-the-Middle attacks for any UNC paths that host executable programs, script files or files that control security policies and improves the protection and handling of data when Windows-based devices access UNC paths.

UNC Hardened Access is available  as KB3000483. It is accompanied by KB30004375, which is installed transparently with KB3000483. It is rated as a critical update for all supported versions of Windows and Windows Server. An update is currently not available for Windows Server 2003. This lack of support means there is no way to ensure mutual authentication and Server Message Block (SMB) Signing are actually enforced when Windows Server 2003-based Domain Controllers are in use. (However, default settings on Windows Server 2003-based Domain Controllers are to require SMB Signing.) Additionally, domain-joined Windows Server 2003-installations can not be configured with UNC Hardened Access.

MS15-014

An update is available from Microsoft that address this vulnerability, by correcting how Group Policy settings are applied when a Group Policy Security Configuration Engine policy file is corrupted or otherwise unreadable.

This update is available as KB3004361 and is rated as an important update for all supported versions of Windows and Windows Server. An update is also available for Windows Server 2003.

 

Call to Action

MS15-011

To introduce UNC Hardened Access and protect against UNC-based Man-in-the-Middle (MitM) attacks, install KB3000483. Then, in a Group Policy scoped for devices with the update, configure UNC Hardened Access in Computer Configuration, Administrative Templates, Network, Network Provider. Enable the Hardened UNC Path setting.

Behind the Show… button, define shares and their UNC Hardened Access behaviors:

Show Contents for UNC Hardened Access in Group Policy

RequireMutualAuthentication enforces Kerberos-based mutual authentication. RequireIntegrity and RequirePrivacy turn on SMB Signing.

Test both the update and the configuration in a test environment, to assess the risk and possible impact on your production environment and then, roll out this update to all devices within scope. After that, configure the additional Group Policy Settings.

MS15-014

Microsoft has not identified any mitigating factors or workarounds, so I urge you to install KB3004361 in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this update to all devices within the Active Directory environment.

 

Related Knowledgebase articles

3000483 MS15-011: Vulnerability in Group Policy could allow remote code execution
3004361 MS15-014: Vulnerability in Group Policy could allow security feature bypass
887429 Overview of Server Message Block signing

Further reading

MS15-011 Vulnerability in Group Policy Could Allow Remote Code Execution
MS15-014 Vulnerability in Group Policy Could Allow Security Feature Bypass
MS15-011 & MS15-014: Hardening Group Policy
Security Configuration Engine Architecture

10 Responses to Vulnerabilities in Group Policy could allow security policy bypassing (MS15-011, MS15-014, CVE-2015-0008, CVE-2015-0009)

  1.  

    After applying KB3004375, KB3031432, KB3000483, and KB3000483, there is no "Network Provider" section in the GPO settings (nor any UNC Hardened Access settings).

    Is there some other step that I'm missing? I'm running Server 2012 (not R2)

  2. KB3000483 adds the feature to the Windows client and Windows Server installations within scope.

    You'll find the file networkprovider.admx (and its corresponding adml file in the folder and locale of your language, for instance 'en-us') on these systems. Copy these files to the same location on the Windows device you use to manage Group Policy, or place the files in the Group Policy Central Store on your Domain Controllers.

     
  3.  

    What happens if a DC has the patch and gpo, but the client does not? Will it cause a failure to connect?

  4. KB3000483 needs to be installed on Windows client devices and Windows Server installations used to access shared folders through UNC paths. UNC Hardened Access settings govern the client settings (even when these clients are Windows Server installations) to access servers.

    When you want RequireMutualAuthentication and RequireIntegrity and/or RequirePrivacy, then both the Windows client or Windows Server used to access Shared Folders via UNC Paths and the server hosting the Shared Folders need to be updated with KB3000483.

     
  5.  

    I am curious as to the registry keys that are modified by these patches and what are the expected values. I am attempting to build a PowerShell script that will check a list of machines piped in from a file and have it validate the expected registry values are set correctly for the GPO and SMB version 1, 2, and 3.

  6.  

    Great post. The registry settings are here: HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsNetworkProviderHardenedPaths

  7.  

    Will this GPO have an impact on production DFS Shares ? and other shares

    • Yes, depending on the settings you specify per share, you raise the security level of the share. Some older and/or poorly written applications may not support SMB signing and/or Kerberos-based mutual authentication. These applications will break.

       
  8.  

    I was just trying to wrap my head around this and, according to the Microsoft document regarding this issue, they recommend NETLOGON and SYSVOL be protected with the hardening method.

    My issue is how to effectively test. The only way I can think of is that it would have to be against an actual domain controller and a domain joined client.

    • Hi Tyson,

      The only effective test would be with at least one Active Directory Domain Controller and each of the types of domain-joined clients (desktops, laptops, specials) in a separate test environment. You can create such an environment by restoring a backup of a Domain Controller to a virtual machine in a strictly separated networking environment. Veeam's SureBackup and Microsoft's Azure Site Recovery Services both offer the functionality to create an environment that fulfills the latter requirement.

       

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.