Vulnerability has taken about a year to fix

Feb 11, 2015 01:49 GMT

Active Directory uses group policies to manage computers of an entire group of users

This month’s updates from Microsoft include a fix for a severe vulnerability in the Group Policy component affecting all computers and devices that are part of a corporate Active Directory; the potential impact extends to tens of millions of computer devices since all Windows versions are vulnerable.

The flaw has been dubbed JASBUG by security researchers at JAS Global Advisors, who, together with simMachines, a provider of similarity-oriented solutions for advanced analytics, and ICANN, were involved in the discovery and responsible disclosure of the vulnerability.

The discovery was made during research by JAS on name collisions within .com and other TLDs (top-level domains). It was reported to Microsoft in January 2014, and all parties agreed not to disclose it until a fix became available or the threat no longer existed.

“Unlike recent high-profile vulnerabilities like Heartbleed, Shellshock, Gotofail and POODLE, this is a design problem, not an implementation problem, making this type of vulnerability unusual and much more difficult to fix. The fix required Microsoft to re-engineer core components of the operating system and to add several new features,” JAS explained via email.

Jeff Schmidt, founder of JAS, contributed to the creation of the patch released by Microsoft with this month's security updates.

Hackers could manipulate how Group Policy receives and applies policy data

Identified as CVE-2015-0008, the flaw can be leveraged by a remote attacker to take complete control of an affected machine and install programs, modify or delete data, or create accounts with full user rights. Researchers say that the design flaw has remained hidden for at least ten years.

Administrators manage large numbers of computers through domain controllers, servers that continue to communicate with the machines over a VPN or an Internet connection once those machines leave the local network.

This is mostly encountered in enterprise environments, where employees are provided with computers and company security standards need to be applied.

A domain controller holds the group policy settings, which are enforced on domain-joined systems and override the local configuration set up by the user. Briefly put, all settings are controlled from one place.

Successful exploitation of the flaw requires convincing a user with a domain-joined system to connect to a network controlled by an attacker; the attack takes advantage of how Group Policy receives and applies policy data when a domain-joined system connects to a domain controller.

Not all companies provide a VPN service for a secure connection, and JAS Global Advisors warns that roaming machines connecting to the corporate network over the public Internet are the most exposed.

UNC Hardened Access feature mitigates the risk

Microsoft explains that the Group Policy component downloads updated security policies from Universal Naming Convention (UNC) paths and runs any scripts that are defined in the Group Policy Objects (GPO).

I/O requests to UNC paths made by applications are delivered to the Multiple UNC Provider (MUP), which relays the requests to a selected provider. After the request has been handled, the UNC provider returns a response to the application that initiated the call.

A threat actor who can spoof or redirect communication between the UNC provider and the target server could thus cause Group Policy to run malicious scripts or programs either instead of, or in addition to, the ones requested.

To remove this possibility, the company added a new feature to Windows, called UNC Hardened Access, which can be configured through Group Policy to attach additional security requirements to specific servers and shared locations.

When a request for such a resource is received, MUP and the UNC providers are notified that stricter security requirements than the defaults apply to it, and an attempt to spoof or redirect the connection is foiled.

Complete instructions on how to access and configure the new feature, as well as the security properties it supports, are available in knowledge base article 3000483.

Administrators should be aware that error 1108 may be generated in the security event log. This issue can be solved by installing update 3000483 along with update 3004375.
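As an added example (not code from the article or from Microsoft), the PowerShell check below reports whether the UNC Hardened Access policy on a domain-joined host requires mutual authentication and integrity for the SYSVOL and NETLOGON shares that Group Policy reads. The registry location and the value syntax are taken from knowledge base article 3000483 rather than from this article, and the two share paths are assumed to be the ones worth auditing; verify both against that article.

```powershell
# Added example: audit the UNC Hardened Access policy on a domain-joined Windows host.
# Assumption (from KB 3000483, not this article): the policy is stored under the
# NetworkProvider\HardenedPaths key as REG_SZ values named after a UNC path, e.g.
# "\\*\SYSVOL" = "RequireMutualAuthentication=1, RequireIntegrity=1".
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Shares that Group Policy itself fetches scripts and policy data from (assumed set).
$RequiredPaths = @('\\*\SYSVOL', '\\*\NETLOGON')

function Get-HardenedPathSettings {
    param([string]$Path)
    # Returns a hashtable of flag -> value for one hardened path, or $null if unset.
    if (-not (Test-Path $HardenedPathsKey)) { return $null }
    $raw = (Get-ItemProperty -Path $HardenedPathsKey -ErrorAction SilentlyContinue).$Path
    if (-not $raw) { return $null }
    $settings = @{}
    foreach ($pair in ($raw -split ',')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $settings[$kv[0].Trim()] = $kv[1].Trim() }
    }
    return $settings
}

function Test-UncHardenedAccess {
    # Emits one result object per required path; Compliant is true only when
    # both mutual authentication and integrity are required for that path.
    foreach ($p in $RequiredPaths) {
        $s = Get-HardenedPathSettings -Path $p
        $mutual = $s -and ($s['RequireMutualAuthentication'] -eq '1')
        $integ  = $s -and ($s['RequireIntegrity'] -eq '1')
        [pscustomobject]@{
            Path                        = $p
            RequireMutualAuthentication = [bool]$mutual
            RequireIntegrity            = [bool]$integ
            Compliant                   = [bool]($mutual -and $integ)
        }
    }
}

Test-UncHardenedAccess | Format-Table -AutoSize
```

A path reported as non-compliant means the host will still accept SYSVOL or NETLOGON content from any server that answers the name, which is the condition the mitigation is meant to close.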

Complete details of the vulnerability are not available at the moment and JAS and ICANN are currently working with Microsoft to determine when a full report can be published.

Photo gallery (2 images): “Active Directory uses group policies to manage computers of an entire group of users”; “Attack scenario in a ‘coffee shop’”