Security Thoughts: Vulnerability in Netlogon could allow remote code execution (MS16-076, KB3167691, CVE-2016-3228)

Yesterday, Microsoft released update 3167691 as part of its June 2016 Patch Tuesday to address an important vulnerability in Windows Server’s Netlogon functionality, allowing remote code execution on all supported Windows Server versions.

About the vulnerability

A vulnerability has been detected that could allow remote code execution if an attacker with access to a Windows Server Active Directory Domain Controller (DC) on a target network runs a specially crafted application to establish a secure channel to the Domain Controller as a replica Domain Controller.

About the update

The update addresses the vulnerability by modifying how Netlogon handles the establishment of secure channels.

Affected Operating Systems

All supported Microsoft Windows Server Operating System versions are affected by this vulnerability:

  • Windows Server 2012 R2 Datacenter
  • Windows Server 2012 R2 Standard
  • Windows Server 2012 R2 Essentials
  • Windows Server 2012 R2 Foundation
  • Windows Server 2012 Datacenter
  • Windows Server 2012 Standard
  • Windows Server 2012 Essentials
  • Windows Server 2012 Foundation
  • Windows Server 2008 R2 Service Pack 1
  • Windows Server 2008 Service Pack 2

KB3162343 addresses the vulnerability on Windows Server 2012 R2.

KB3161561 addresses the vulnerability on Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012. KB3161561 is also denoted in MS16-075, due to the way fixes for vulnerabilities affecting particular products are consolidated. KB3161561 replaces KB3101246.

This security update is rated Important for all supported releases of Microsoft Windows.
A system restart is required after you apply this security update.

Mitigating factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Call to action

Microsoft has not identified any mitigating factors or workarounds, so I urge you to install KB3162343 and/or KB3161561 on Domain Controllers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to Domain Controllers in the production environment.
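To track the rollout, the following added example (not part of the original post, and not Microsoft's code) lists every Domain Controller in the current domain and reports whether the KB the article names for its operating system is installed. The helper name `Get-ExpectedKb` and the report layout are assumptions for illustration; the script assumes the ActiveDirectory module and remote WMI access to each DC.

```powershell
# Added example (not from the original post): audit Domain Controllers for the
# MS16-076 updates named in the article. Assumes the ActiveDirectory module
# (RSAT) and remote WMI/DCOM access to each DC for Get-HotFix.
Import-Module ActiveDirectory

# Hypothetical helper: map a DC's OS string to the KB the article lists for it.
function Get-ExpectedKb {
    param([string]$OperatingSystem)
    switch -Wildcard ($OperatingSystem) {
        '*2012 R2*' { return 'KB3162343' }   # must be tested before '*2012*'
        '*2012*'    { return 'KB3161561' }
        '*2008*'    { return 'KB3161561' }   # covers 2008 SP2 and 2008 R2 SP1
        default     { return $null }
    }
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $kb = Get-ExpectedKb -OperatingSystem $dc.OperatingSystem
    $status = if (-not $kb) {
        'OS not listed in article'
    } else {
        try {
            # List all hotfixes and match locally, so that reaching the catch
            # block means "could not query the DC", not "KB absent".
            $ids = (Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop).HotFixID
            if ($ids -contains $kb) { 'Installed' } else { 'MISSING' }
        } catch {
            "Query failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        OperatingSystem  = $dc.OperatingSystem
        ExpectedKB       = $kb
        Status           = $status
    }
}

$report | Sort-Object Status, DomainController | Format-Table -AutoSize
```

Treat a `MISSING` result as a prompt to check the DC by hand: a later update that supersedes these KBs would not appear under these IDs.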

Related KnowledgeBase articles

3167691 MS16-076: Security update for Netlogon: June 14, 2016


One Response to Security Thoughts: Vulnerability in Netlogon could allow remote code execution (MS16-076, KB3167691, CVE-2016-3228)

  1.  

    After installing KB3161561 my DFS File Share Cluster environment stopped working.

    Observed Behavior:
    DFS File Shared Cluster would work for the first 2-3 minutes and stop working.

    After uninstalling KB3161561 from the DFS File Share Cluster Environment, drive mappings were instantly available.

    Now, I need to uninstall the KB3161561 from our production environment.
