ICS Alert

Microsoft Security Bulletin MS15-011 JASBUG

Alert Code: ICS-ALERT-15-041-01


SUMMARY

NCCIC/ICS-CERT is issuing this alert to provide notice of a Microsoft Windows critical security update described in Microsoft Security Bulletin MS15-011 (Microsoft Security Bulletin MS15-011 – Critical, https://technet.microsoft.com/library/security/MS15-011, web site last accessed February 10, 2015). This serious vulnerability affects control system owners whose systems are joined to a Windows domain. Exploitation of this vulnerability could allow a remote attacker to take complete control of an affected Windows system.

This security update is rated Critical for all supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. Windows Server 2003 is also affected, but no update is available for it (see below). For more information, see the Affected Software section of the Microsoft security bulletin.

It is important to note that deploying this security update alone does not protect a system from the vulnerability described in the bulletin: a system administrator must also apply additional configuration after the update is installed. For more information about this update and the required configuration, see Microsoft Knowledge Base Article 3000483 (MS15-011: Vulnerability in Group Policy could allow remote code execution: February 10, 2015, https://support.microsoft.com/kb/3000483, web site last accessed February 10, 2015).

Be aware that updates are not available for Windows XP, Windows Server 2003, or Windows 2000.

ICS-CERT urges control systems owners to expedite the careful application of this critical update. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

Vulnerability Type: Remote Code Execution
Remotely Exploitable: Yes
Impact: An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Control systems that are members of a corporate Active Directory may be at risk. ICS-CERT is monitoring this vulnerability and will provide additional information related to control systems as it becomes available.

This vulnerability affects core components of the Microsoft Windows operating system, specifically the way a domain-joined client retrieves Group Policy data from its domain controller over UNC paths. All computers and devices that are members of a corporate Active Directory may be at risk. The vulnerability is remotely exploitable by an attacker positioned on the network path between the client and the domain controller and may grant the attacker administrator level privileges on the target machine/device. Roaming machines and Active Directory member devices that connect to corporate networks via the public Internet (possibly over a Virtual Private Network [VPN]) are at heightened risk, because their network path is more easily reached by an attacker.

The Microsoft security update adds a new Group Policy feature (UNC Hardened Access) that is not enabled by default. To enable this feature, a system administrator must deploy the update and then apply the Group Policy settings described in the bulletin and in KB3000483; affected systems must then be rebooted before the protection is complete. More information on the impact of the vulnerability can be found on Microsoft’s blog at:

http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx

Microsoft attributes discovery of the vulnerability to Jeff Schmidt of JAS Global Advisors, Dr. Arnoldo Muller-Molina of simMachines, The Internet Corporation for Assigned Names and Numbers (ICANN), and Luke Jennings from MWR Labs. JAS Global Advisors has produced their own advisory located at:

https://www.jasadvisors.com/about-jas/jasbug-security-vulnerability-fact-sheet/

MITIGATION

There are no known workarounds or mitigations for this vulnerability. Updates are not available for End of Life products (Windows XP, Windows Server 2003, and Windows 2000).

ICS-CERT strongly recommends that administrators prioritize the review of the Security Bulletin, test the necessary configuration changes discussed in the associated Knowledge Base article (KB3000483), and apply the patch.

ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should do the following:

  • Review Microsoft Security Bulletin MS15-011 (https://technet.microsoft.com/library/security/MS15-011).
  • Apply the update from Microsoft.
  • Apply the configuration changes described in Microsoft Knowledge Base Article KB3000483 (https://support.microsoft.com/kb/3000483) and restart the affected systems.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet (ICS-CERT ALERT, http://ics-cert.us-cert.gov/alerts/ICS-ALERT-10-301-01, web site last accessed February 10, 2015).
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
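The following PowerShell script is an added example, not part of the ICS-CERT alert and not Microsoft's own tooling. It performs the second and third steps above on a single domain member: it checks that the MS15-011 update is present, writes the UNC Hardened Access policy values that KB3000483 recommends for the NETLOGON and SYSVOL shares of every domain controller, and then parses the values back to confirm both required flags are set. The registry location and value format are the ones the "Hardened UNC Paths" Group Policy setting writes to. Assumptions: the hotfix is reported under the KB number the alert cites (3000483), and the script is run in an elevated session on a system that already has the update installed.

```powershell
# Added example (not from the ICS-CERT alert or from Microsoft): configure and
# verify UNC Hardened Access on one domain member after installing MS15-011.
# Assumption: the installed update is reported by Get-HotFix as KB3000483.
#Requires -RunAsAdministrator

# Registry location backing the Group Policy setting
# Computer Configuration > Administrative Templates > Network > Network Provider
# > Hardened UNC Paths.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Shares KB3000483 recommends hardening: NETLOGON and SYSVOL on every domain
# controller, which is where Group Policy data and logon scripts are fetched from.
# Both flags must be set; the vulnerability is precisely that a client would
# accept these paths without mutual authentication or integrity protection.
$RequiredPaths = @{
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

function Test-Ms15011Update {
    # The policy has no effect unless the update that implements it is installed.
    return [bool](Get-HotFix -Id 'KB3000483' -ErrorAction SilentlyContinue)
}

function Set-HardenedUncPaths {
    # Writes the policy values locally. In a domain, deploy the same setting
    # through a GPO so every member receives it; this is what the GPO writes.
    if (-not (Test-Path $HardenedPathsKey)) {
        New-Item -Path $HardenedPathsKey -Force | Out-Null
    }
    foreach ($entry in $RequiredPaths.GetEnumerator()) {
        New-ItemProperty -Path $HardenedPathsKey -Name $entry.Key `
            -Value $entry.Value -PropertyType String -Force | Out-Null
    }
}

function Test-HardenedUncPaths {
    # Returns a list of problems; an empty list means both paths are hardened.
    $problems = @()
    if (-not (Test-Path $HardenedPathsKey)) {
        return @("Registry key $HardenedPathsKey does not exist; policy not applied.")
    }
    $item = Get-ItemProperty -Path $HardenedPathsKey
    foreach ($path in $RequiredPaths.Keys) {
        $prop  = $item.PSObject.Properties[$path]
        $value = if ($prop) { [string]$prop.Value } else { $null }
        if (-not $value) {
            $problems += "No hardening entry for $path"
            continue
        }
        # Value format is "Name=1, Name=1"; split and check each required flag.
        $flags = @{}
        foreach ($pair in ($value -split ',')) {
            $k, $v = ($pair.Trim() -split '=', 2)
            $flags[$k] = $v
        }
        foreach ($flag in 'RequireMutualAuthentication', 'RequireIntegrity') {
            if ($flags[$flag] -ne '1') {
                $problems += "$path lacks $flag=1 (current value: '$value')"
            }
        }
    }
    return $problems
}

# --- usage ---
if (-not (Test-Ms15011Update)) {
    Write-Warning 'KB3000483 not found: install the MS15-011 update first; the policy has no effect without it.'
}
Set-HardenedUncPaths
$issues = @(Test-HardenedUncPaths)
if ($issues.Count -eq 0) {
    Write-Output 'UNC Hardened Access configured for \\*\NETLOGON and \\*\SYSVOL. Reboot to complete protection.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Run the check function alone (without `Set-HardenedUncPaths`) to audit a machine before changing it. Note that on Windows 7 and Windows Server 2008 R2 the setting only appears in the Group Policy editor after the updated administrative template from the update is present on the management workstation; the registry values the script writes are the same on every affected version.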

ICS-CERT also provides a recommended practices section for control systems on the ICS-CERT web site (http://ics-cert.us-cert.gov). Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

Vendor: Microsoft