New exploit published for a Group Policy vulnerability disclosed back in 2015, allows remote code execution on vulnerable version of Windows. While the original CVSS score for the vulnerability was just 3.3, the new exploit may in fact require immediate attention.
A new exploit for MS15-014 has been disclosed. It can now be executed through a simple, easy-to-use python script (one-line command execution) with only a few requirements. This exploit has the potential of giving the old vulnerability MS15-011 a new life. What’s particularly interesting about this case is the way in which a new exploit has led to a chain of low-severity vulnerabilities being tied together into one severe remote exploit.
Upon successful exploitation of MS15-014, MS15-011 could in turn be exploited, which would eventually allow remote code execution. An attacker who successfully exploited this vulnerability would be able to take complete control of the affected system.
By default, Windows machines have SMB Signing for the network client as OFF. As a result, there would be no need for MS15-014 to exploit a system vulnerable to MS15-011 unless SMB Signing for the network client has been enabled. Moreover, the MS15-014 vulnerability can be used to disable SMB signing of the targets SMB server, then targeted in relay attacks.
Suggested remediation measures
In order to overcome the risk derived from this new exploit, Vulcan recommends applying the following fixes:
MS15-014 fixes an issue with Group Policy that could revert GPO configured settings back to default when current policy cannot be retrieved. After applying the patch, the Group Policy client will apply the last known good policy. One of the key issues is that by preventing a Group Policy from retrieving the current, valid Group Policy to apply security settings, SMB Signing is disabled (default setting) which normally protects against Man-In-The-Middle attacks by validating the server’s identity.
MS15-011 improves the way Windows handles UNC paths greatly improving security. The interesting thing about this “patch” is that it is more than a security patch; it completely changes the Multiple UNC Provider (MUP) behavior to only allow connections to sources that support required security levels:
- Mutual Authentication: server/client identity verification
- Integrity: ensure data is not modified in transit
- Privacy: ensure data is encrypted
Standard UNC shares used during user logon:
- Group Policy configuration files and scripts (startup, shutdown,etc) are stored and shared out on Domain Controllers’ SYSVOL share ( \\DOMAIN\SYSVOL\DOMAIN\Policies).
- Logon scripts are stored and shared out on Domain Controllers’ NETLOGON share(\\DOMAIN\NETLOGON).
Prior to this patch & GPO configuration, it was possible to redirect a client to connect and run code on a UNC path that is not a valid server.
About the vulnerabilities (MS15-011, MS15-014)
The original vulnerability - CVE-2015-0008, as described in MS15-011, was disclosed back in 2015 with a CVSS score of 8.3. It allowed remote code execution of vulnerable versions of Windows and had prompted Microsoft’s reaction: the company had released two patches to fix the issues with the way Group Policy is processed by the client, and thus mitigated the risk.
Not long after that, a vulnerability described in MS15-014, CVE-2015-0009, was disclosed. Through this vulnerability, hackers can reuse MS15-011 by making the policy engine on the domain member revert back to default configuration, that does not require SMB signing.
When disclosed, CVE-2015-0009 received a low CVSS score of 3.3. However, with a new simple-to-execute exploit available, this vulnerability poses a threat far greater than originally perceived.
On a vulnerable version of Windows that is joined to a domain if part of the GPO update fails the group policy settings will revert to default settings and have a value of "Not Defined". This has multiple security impacts, two high-value concerns are:
- SMB Signing for SMB servers is OFF by default, except for DC's.
- SMB Signing for the network client is OFF by default. This allows exploitation of MS15-014.