Security Thoughts: Vulnerability in NETLOGON could allow spoofing (MS15-027, CVE-2015-0005)

While this has proven to be an interesting month, with the Factoring RSA Export Keys (FREAK) technique affecting a plethora of Operating Systems, Microsoft has also issued an update to address a privately reported vulnerability in NETLOGON.


About the vulnerability

A spoofing vulnerability exists in NETLOGON: the NETLOGON service improperly establishes a secure communications channel for a different machine when presented with a spoofed computer name. To exploit this vulnerability, an attacker must first be logged on to a domain-joined device and be able to observe network traffic. The attacker could then run a specially crafted application that establishes a secure channel connection belonging to a different device, and may be able to use that channel to obtain session-related information for the actual secure channel of the spoofed computer.

Domain-joined workstations and servers are primarily at risk from this vulnerability.


KB3002657

Update KB3002657 addresses the vulnerability by modifying the way that NETLOGON handles establishing secure channels.

This update is applicable to Windows Server installations configured as Active Directory Domain Controllers. It is suggested, however, that the update be applied to all affected Windows Server installations, so that they are protected if they are promoted to Domain Controllers in the future.

Affected Operating Systems

All Windows and Windows Server Operating Systems currently in support by Microsoft are affected by the vulnerability. Therefore, Microsoft has released a security update to resolve the vulnerability for:

  • Windows Vista with Service Pack 2
  • Windows Vista x64 with Service Pack 2
  • Windows 7 with Service Pack 1
  • Windows 7 x64 with Service Pack 1
  • Windows 8
  • Windows 8 x64
  • Windows 8.1
  • Windows 8.1 x64
  • Windows RT
  • Windows RT 8.1
  • Windows Server 2003 with Service Pack 2
  • Windows Server 2003 x64 with Service Pack 2
  • Windows Server 2003 for Itanium-based Systems with Service Pack 2
  • Windows Server 2008 with Service Pack 2
  • Windows Server 2008 x64 with Service Pack 2
  • Windows Server 2008 for Itanium-based Systems with Service Pack 2
  • Windows Server 2008 R2
  • Windows Server 2008 R2 for Itanium-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2


Call to action

Microsoft has not identified any mitigating factors or workarounds, so I urge you to install KB3002657 on Domain Controllers in a test environment as soon as possible, assess the risk and the possible impact on your production environment, and then roll out this update to Domain Controllers and Domain Controller candidates in the production environment.
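To track the rollout, the following PowerShell function reports which Domain Controllers (or any other hosts you name, such as Domain Controller candidates) already have KB3002657 installed. This is an added example, not code from the original post or from Microsoft; it assumes the ActiveDirectory RSAT module is available, that the account running it can query WMI (Win32_QuickFixEngineering) remotely on each target, and the function name Get-NetlogonUpdateStatus is my own.

```powershell
# Added example (not from the original post or from Microsoft): report which
# hosts have KB3002657 installed. Assumes the ActiveDirectory module (RSAT)
# and rights to query Win32_QuickFixEngineering on each target.
#Requires -Modules ActiveDirectory

function Get-NetlogonUpdateStatus {
    [CmdletBinding()]
    param(
        # Hotfix to look for; MS15-027 ships as KB3002657.
        [string]$HotFixId = 'KB3002657',

        # Hosts to check; defaults to every Domain Controller in the current domain.
        # Pass member servers here to cover Domain Controller candidates as well.
        [string[]]$ComputerName = (Get-ADDomainController -Filter * |
                                   Select-Object -ExpandProperty HostName)
    )

    foreach ($computer in $ComputerName) {
        $status = [pscustomobject]@{
            ComputerName = $computer
            HotFixId     = $HotFixId
            Installed    = $false
            InstalledOn  = $null
            Error        = $null
        }
        try {
            # Get-HotFix reads Win32_QuickFixEngineering over RPC, so it also
            # reaches Windows Server 2003 hosts that have no PowerShell remoting.
            # Listing all hotfixes and filtering locally means "not installed"
            # yields an empty result, while "unreachable" raises an error.
            $fix = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                   Where-Object { $_.HotFixID -eq $HotFixId }
            if ($fix) {
                $status.Installed   = $true
                $status.InstalledOn = $fix.InstalledOn
            }
        }
        catch {
            $status.Error = $_.Exception.Message
        }
        $status
    }
}

# Show the Domain Controllers still missing the update (and any that could not
# be queried), e.g. before and after each rollout wave.
Get-NetlogonUpdateStatus |
    Where-Object { -not $_.Installed } |
    Format-Table ComputerName, Installed, Error -AutoSize
```

Run it once before the rollout to establish a baseline and again afterwards to confirm every Domain Controller reports Installed = True. Should the update have to be backed out after testing, `wusa.exe /uninstall /kb:3002657` removes it on Windows Vista and later; on Windows Server 2003 the update is removed through Add or Remove Programs.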

Known issues

After you install this security update, you cannot access data on EMC Isilon clusters.

Related knowledgebase articles

3002657 MS15-027: Vulnerability in NETLOGON could allow spoofing: March 10, 2015
Microsoft Security Bulletin MS15-027 – Important

2 Responses to Security Thoughts: Vulnerability in NETLOGON could allow spoofing (MS15-027, CVE-2015-0005)

  1. This update broke Outlook authentication, and access to our internal IIS-based intranet. After opening a case with MS, we had to remove this from our 2003 domain controllers.

  2. Yes, I have also seen a couple of mentions of this update being suspected of breaking functionality.
