While this has proven to be an interesting month with the Factoring RSA Export Keys (FREAK) technique affecting a plethora of Operating Systems, Microsoft has also issued an update to address a privately reported vulnerability in NETLOGON.
About the vulnerability
A spoofing vulnerability exists in NETLOGON that is caused when the NETLOGON service improperly establishes a secure communications channel belonging to a different machine with a spoofed computer name. To successfully exploit this vulnerability, an attacker would first have to be logged on to a domain-joined device and be able to observe network traffic. An attacker could then run a specially crafted application that could establish a secure channel connection belonging to a different device. An attacker may be able to use the established secure channel to obtain session-related information for the actual secure channel of the spoofed computer.
Domain-joined workstations and servers are primarily at risk from this vulnerability.
Update KB3002657 addresses the vulnerability by modifying the way that NETLOGON handles establishing secure channels.
This update is applicable on Windows Server installations configured as Active Directory Domain Controllers. It is suggested, however, that the update be applied to all affected Windows Server installations so that they are protected if they are promoted to Domain Controllers in the future.
Affected Operating Systems
All Windows and Windows Server Operating Systems currently supported by Microsoft are affected by the vulnerability. Therefore, Microsoft has released a security update to resolve the vulnerability for:
- Windows Vista with Service Pack 2
- Windows Vista x64 with Service Pack 2
- Windows 7 with Service Pack 1
- Windows 7 x64 with Service Pack 1
- Windows 8
- Windows 8 x64
- Windows 8.1
- Windows 8.1 x64
- Windows RT
- Windows RT 8.1
- Windows Server 2003 with Service Pack 2
- Windows Server 2003 x64 with Service Pack 2
- Windows Server 2003 for Itanium-based Systems with Service Pack 2
- Windows Server 2008 with Service Pack 2
- Windows Server 2008 x64 with Service Pack 2
- Windows Server 2008 for Itanium-based Systems with Service Pack 2
- Windows Server 2008 R2
- Windows Server 2008 R2 for Itanium-based Systems
- Windows Server 2012
- Windows Server 2012 R2
Call to action
Microsoft has not identified any mitigating factors or workarounds, so I urge you to install KB3002657 on Domain Controllers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to Domain Controllers and Domain Controller candidates in the production environment.
After you install this security update, you cannot access data on EMC Isilon clusters.
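To track the rollout described above, the following PowerShell script (an added example, not part of the original post or of Microsoft's guidance) lists every Domain Controller in the current domain and whether KB3002657 is reported as installed. It assumes the ActiveDirectory RSAT module and remote WMI/RPC access to each Domain Controller; it covers Domain Controllers only, not Domain Controller candidates.

```powershell
# Added example: report KB3002657 installation status per Domain Controller.
# Assumes the ActiveDirectory module (RSAT) and remote WMI/RPC access to each DC.
Import-Module ActiveDirectory

$kb = 'KB3002657'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $status      = 'Missing'
    $installedOn = $null
    try {
        # Get-HotFix reads Win32_QuickFixEngineering on the target machine.
        # Filtering client-side keeps "not installed" separate from "query failed".
        $fix = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
            Where-Object { $_.HotFixID -eq $kb } |
            Select-Object -First 1
        if ($fix) {
            $status      = 'Installed'
            $installedOn = $fix.InstalledOn
        }
    }
    catch {
        # Unreachable host, firewall or access denied: status is unknown, not "Missing".
        $status = "QueryFailed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        OperatingSystem  = $dc.OperatingSystem
        KB               = $kb
        Status           = $status
        InstalledOn      = $installedOn
    }
}

$report | Sort-Object Status, DomainController | Format-Table -AutoSize

# DCs that still need attention (update missing or host could not be queried).
$report | Where-Object { $_.Status -ne 'Installed' } |
    Select-Object -ExpandProperty DomainController
```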