==================================================================== CERT-Renater Note d'Information No. 2015/VULN150 _____________________________________________________________________ DATE : 15/07/2015 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Windows version Server 2003, Vista, Server 2008, 7, 8, 8.1, Server 2012, RT, RT 8.1 running Netlogon. ====================================================================== KB3068457 https://technet.microsoft.com/en-us/library/security/MS15-071 ______________________________________________________________________ Microsoft Security Bulletin MS15-071: Vulnerability in Netlogon Could Allow Spoofing (3068457) Bulletin Number: MS15-071 Bulletin Title: Vulnerability in Netlogon Could Allow Spoofing Severity: Important KB Article: 3068457 Version: 1.0 Published Date: July 14, 2015 Executive Summary This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow spoofing if an attacker who is logged on to a domain-joined system runs a specially crafted application that could establish a connection with other domain-joined systems as the impersonated user or system. The attacker must be logged on to a domain-joined system and be able to observe network traffic. This security update is rated Important for all supported editions of Windows. For more information, see the Affected Software section. Affected Software Windows Server 2003 Windows Server 2003 Service Pack 2 Windows Server 2003 R2 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 R2 x64 Edition Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Vista Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows Server 2008 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Server 2008 R2 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows 8 and Windows 8.1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2012 and Windows Server 2012 R2 Windows Server 2012 Windows Server 2012 R2 Windows RT and Windows RT 8.1 Windows RT[1] Windows RT 8.1[1] Server Core installation option Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Windows Server 2012 (Server Core installation) Windows Server 2012 R2 (Server Core installation) Vulnerability Information Spoofing Vulnerability in Netlogon Vulnerability - CVE-2015-2374 A spoofing vulnerability exists in Netlogon that is caused when the Netlogon service improperly establishes a secure communications channel belonging to a different machine with a spoofed computer name. To successfully exploit this vulnerability, an attacker would first have to be logged on to a domain-joined system and be able to observe network traffic. An attacker could then run a specially crafted application that could establish a secure channel connection belonging to a different computer. An attacker may be able to use the established secure channel to obtain session-related information for the actual secure channel of the spoofed computer. Workstations and servers are primarily at risk from this vulnerability. The update addresses the vulnerability by modifying the way that Netlogon handles establishing secure channels. This update is applicable on systems running as domain controllers. It is suggested, however, that the update be applied to all affected platforms so that machines are protected if they are promoted to a domain controller role in the future. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers. ========================================================= Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================