This month’s Patch Tuesday covers nine security bulletins from Microsoft, including what seems like a not-very-unusual mix of remote code execution (RCE) vulnerabilities and security feature bypasses. However, two of these bulletins – MS15-011 and MS15-014 – require a closer look, both because of the severity of the vulnerabilities that they address and the changes Microsoft made to Windows’ underlying architecture to remediate these vulnerabilities.
(Also, Microsoft wrote their first Security Research and Defense blog post since November of last year, focusing solely on these two bulletins. So there’s that).
Exploiting the vulnerabilities underlying these two security bulletins involves a few things:
- A domain-configured victim machine that accesses network resources using Universal Naming Convention (UNC) paths. For example: files on an SMB file server.
- An attacker capable of successfully conducting a man-in-the-middle (MITM) attack against the victim machine. For example: ARP poisoning a switch shared by the attacker and the victim machine.
- Malicious files controlled by the attacker, which have identical names and UNC paths as files that the victim is attempting to access. For example: \\companyname\filesandstuff\runme.bat
If an attacker successfully conducts a MITM attack against such a victim machine, they can trick the machine into loading files that contain malicious code. This code will run in the context of the account used by the service that loads these malicious files (e.g., SYSTEM), which can result in a complete compromise of the vulnerable machine. This is the crux of MS15-011 (CVE-2015-0008), and it’s likely to happen with teleworking employees using untrusted public networks (like at a coffee shop) with their domain-bound Windows workstations.
What about SMB signing?
This is where MS15-014 (CVE-2015-0009) comes into play. First of all, SMB Client in Windows doesn’t require SMB signing by default. Even if a vulnerable machine requires SMB signing via group policies from its domain, an attacker who has successfully MITM’d a vulnerable machine can prevent that machine from loading its domain’s Group Policy Security Configuration Engine (GPSCE) policy file. When this policy file fails to load, Windows resorts to default group policies, which are likely to not require SMB signing. So in this context a MITM attacker can cause a vulnerable machine to no longer require SMB signing.
So patching will fully remediate this, right?
Not quite. After installing MS15-011 and MS15-014’s patches (KB3000483 and KB3004361 respectively), some Group Policy settings must be applied in order to fully remediate CVE-2015-0008. These settings will implement a new Windows component called “UNC Hardened Access,” which includes the following security features:
- Mutual authentication between SMB clients and servers
- Integrity checks that detect manipulation of SMB data between a client and server
- Privacy protections that use encryption to protect communications between SMB clients and servers
This is a much needed step forward for securing SMB traffic. However, please make note of the caveats and nuances listed in KB3000483’s support article linked above. Microsoft noted that this wasn't just a simple fix for a single component in Windows; they had to make significant architectural changes in order to implement UNC Hardened Access.