Patching Group Policy Remote Code Execution for MS15-011 | Lucideus

General Information
A remote code execution vulnerability in the Group Policy implementation is caused by how the Group Policy service handles policy data when a domain-joined host connects to a domain controller.

The way Group Policy receives and applies policy data creates a remote code execution vulnerability when a domain-joined system connects to a domain controller. A threat actor exploits this vulnerability by convincing a victim whose system is domain-configured to connect to an attacker-controlled network.

A threat actor who successfully exploited this vulnerability could take complete control of an affected system and then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by improving how domain-joined systems connect to domain controllers before Group Policy accepts configuration data.

Exhibit 1 shows the CVE details of MS15-011.
Exhibit 1
It is recommended to apply the security update in accordance with KB3000483. It is also advisable to set the Hardened UNC Paths value as shown in the table below, depending on the GPO requirements.

| UNC path | Effective UNC Hardening configuration |
| --- | --- |
| | RequireMutualAuthentication=1, RequireIntegrity=0 |
| | RequireMutualAuthentication=1, RequireIntegrity=1 |
| | RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1 |

Exhibit 2 shows the path in Group Policy where the setting above is configured.
Exhibit 2

Remediation Steps:
To enable UNC Hardened Access through Group Policy:

* Open Group Policy Management Console.
* In the console tree, in the forest and domain that contain the Group Policy object (GPO) that you want to create or edit, double-click Group Policy Objects:
  * Forest name/Domains/<Domain name>
* (Optional) Right-click Group Policy Objects, and then click New.
* Type the desired name for the new GPO.
* Right-click the desired GPO, and then click Edit.
* In the Group Policy Object Editor console, browse to the following policy path:
  * Computer Configuration/Administrative Templates/Network/Network Provider
* Right-click the Hardened UNC Paths setting, and then click Edit.
* Select the Enabled option button.
* In the Options pane, scroll down, and then click Show.
* Add one or more configuration entries. To do this, follow these steps:
  * In the Value Name column, type the UNC path that you want to configure. The UNC path may be specified in one of the following forms:
    * \\<Server>\<Share> - The configuration entry applies to the share that has the specified name on the specified server.
    * \\*\<Share> - The configuration entry applies to the share that has the specified name on any server.
    * \\<Server>\* - The configuration entry applies to any share on the specified server.
    * \\<Server> - The same as \\<Server>\*.
  * Note: A specific server or share name must be specified. All-wildcard paths such as \\* and \\*\* are not supported.
  * In the Value column, type the name of the security property to configure (for example, RequireMutualAuthentication, RequireIntegrity, or RequirePrivacy) followed by an equal sign (=) and the number 0 or 1.
  * Note: Multiple properties may be assigned to a single UNC path by separating each "<Property> = <Value>" pair with a comma (,).
* If the organization is not able to apply the remediation steps above because of internal dependencies, the following points must be implemented as a workaround.

Minimum recommended configuration for domain-joined computers
It is recommended that all NETLOGON and SYSVOL shares be configured to require both mutual authentication and integrity, to help secure Group Policy against the spoofing and tampering attacks that can be leveraged to achieve remote code execution.

| Value name | Value |
| --- | --- |
| \\*\NETLOGON | RequireMutualAuthentication=1, RequireIntegrity=1 |
| \\*\SYSVOL | RequireMutualAuthentication=1, RequireIntegrity=1 |

Exhibit 3 shows the configuration of NETLOGON and SYSVOL in Hardened UNC path.
Exhibit 3
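The following PowerShell script is an added example and is not code from the Lucideus post. It ties together the entry-format rules from the remediation steps (which UNC path forms are allowed, how "<Property>=<0|1>" pairs are written) and the minimum NETLOGON/SYSVOL configuration above, as an audit a defender can run on a domain-joined host. It assumes that the Hardened UNC Paths setting stores its entries as string values under HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths (value name = UNC path, value data = property list); that key is not shown on the page. The sample entries in the script are constructed, and one of them is deliberately weak so the checks have something to report.

```powershell
# Added example, not code from the Lucideus post: validate Hardened UNC Paths entries in the
# format the remediation steps describe, and audit this host for the minimum NETLOGON/SYSVOL
# hardening. Assumption: the "Hardened UNC Paths" setting stores its entries as string values
# under the registry key below (value name = UNC path, value data = property list).
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$KnownProperties  = 'RequireMutualAuthentication', 'RequireIntegrity', 'RequirePrivacy'

# Accepts \\<Server>\<Share>, \\*\<Share>, \\<Server>\* and \\<Server>;
# rejects the unsupported all-wildcard forms \\* and \\*\*.
function Test-HardenedUncPathName {
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -notmatch '^\\\\([^\\]+)(\\([^\\]+))?$') { return $false }
    $server = $Matches[1]
    $share  = $Matches[3]
    if ($server -eq '*' -and ([string]::IsNullOrEmpty($share) -or $share -eq '*')) { return $false }
    return $true
}

# Parses "<Property>=<0|1>, <Property>=<0|1>" into a hashtable; throws on anything malformed.
function ConvertFrom-HardenedUncValue {
    param([Parameter(Mandatory)][string]$Value)
    $props = @{}
    foreach ($pair in ($Value -split ',')) {
        if ($pair.Trim() -eq '') { continue }
        $parts = $pair -split '=', 2
        if ($parts.Count -ne 2) { throw "Malformed property pair: '$pair'" }
        $prop = $parts[0].Trim(); $val = $parts[1].Trim()
        if ($prop -notin $KnownProperties) { throw "Unknown property '$prop' in '$Value'" }
        if ($val -notin '0', '1')          { throw "Value for $prop must be 0 or 1, got '$val'" }
        $props[$prop] = [int]$val
    }
    return $props
}

# Reads the configured entries; an empty hashtable means no hardening is applied on this host.
function Get-HardenedUncPathEntries {
    $entries = @{}
    if (Test-Path $HardenedPathsKey) {
        $item = Get-Item $HardenedPathsKey
        foreach ($name in $item.GetValueNames()) { $entries[$name] = [string]$item.GetValue($name) }
    }
    return $entries
}

# Minimum recommended configuration: \\*\NETLOGON and \\*\SYSVOL must both require
# mutual authentication and integrity. Only the wildcard-server form is checked here;
# per-server entries (\\<DC>\NETLOGON) would need one check per domain controller.
function Test-MinimumHardening {
    param([Parameter(Mandatory)][hashtable]$Entries)
    $findings = @()
    foreach ($share in 'NETLOGON', 'SYSVOL') {
        $name = "\\*\$share"
        if (-not $Entries.ContainsKey($name)) { $findings += "$name is not configured"; continue }
        $props = ConvertFrom-HardenedUncValue $Entries[$name]
        foreach ($required in 'RequireMutualAuthentication', 'RequireIntegrity') {
            if ($props[$required] -ne 1) { $findings += "$name does not set $required=1" }
        }
    }
    return $findings   # an empty result means the minimum configuration is met
}

# --- Constructed sample entries (not read from any real system) ---
$sample = @{
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=0'   # deliberately weak
    '\\*'          = 'RequireMutualAuthentication=1'                       # unsupported name
}
foreach ($name in $sample.Keys) {
    Write-Host ("{0,-16} name valid: {1}" -f $name, (Test-HardenedUncPathName $name))
}
Test-MinimumHardening $sample | ForEach-Object { Write-Host "FINDING (sample): $_" }

# --- Live audit of this host ---
$live = Get-HardenedUncPathEntries
if ($live.Count -eq 0) { Write-Host 'No Hardened UNC Paths entries are configured on this host.' }
$liveFindings = Test-MinimumHardening $live
if ($liveFindings.Count -eq 0) { Write-Host 'Minimum NETLOGON/SYSVOL hardening is in place.' }
else { $liveFindings | ForEach-Object { Write-Host "FINDING: $_" } }
```

On the constructed sample the script reports that \\* is not a valid entry name and that \\*\SYSVOL does not set RequireIntegrity=1; the live audit section then reads the policy key on the machine it runs on, so it can be used after a GPO refresh to confirm the setting actually reached a client.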
Some of the content in this blog has been taken from the references listed below:
