Tactical Vulnerability Management – MS15-011 & MS15-014

I had a bit of an issue pop up in the last couple of months. Our workstations were randomly not roaming their certificates properly. We use the credential roaming policy in our Default Domain GPO so that users are not constantly auto-enrolled for new certificates. This is hardly a new feature; it was first implemented in an Administrative Template with Server 2003. For it to suddenly not work was a bit confusing.

After troubleshooting and resolving three other issues which might cause the problem, we also discovered that Group Policy in general wasn’t applying to the workstations. It wasn’t very noticeable, aside from the failure of credential roaming. It was also seemingly random.

Then we turned off the UNC path hardening on the SYSVOL and NETLOGON shares. Bingo. 100% of the workstations now updated and applied Group Policy without fail. We contacted Microsoft and they confirmed the issue.

So now we have a Catch-22: do we break Group Policy or allow a remote code execution vulnerability to exist for a bit? Both are bad; you will have to weigh the risks yourself. If you run into those that say this vulnerability is hard to execute, just do some searching for it. I found about 10 step-by-step videos on how to exploit MS15-011 without trying terribly hard. It would be trivial to set up a malicious policy share on a public network and wait for domain-joined machines to connect. The risk could also be increased based on your organization’s wireless security.
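To see which side of that trade-off a given workstation is on, the following added example (not part of the original post, and not Microsoft's code) reads the "Hardened UNC Paths" policy values and reports whether SYSVOL and NETLOGON require mutual authentication and integrity. The function names and the sample entries are constructed for illustration; the registry path is the standard location where that policy setting is stored.

```powershell
# Added example: audit UNC path hardening for SYSVOL and NETLOGON.
# Policy key written by the "Hardened UNC Paths" Group Policy setting.
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function ConvertFrom-HardenedPathValue {
    # Turns "RequireMutualAuthentication=1, RequireIntegrity=1" into a hashtable of booleans.
    param([string]$Value)
    $settings = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $flag = $pair.Trim() -split '=', 2
        if ($name) { $settings[$name] = ($flag -eq '1') }
    }
    return $settings
}

function Test-HardenedPaths {
    # $Entries maps a UNC pattern (for example \\*\SYSVOL) to its policy string.
    param([hashtable]$Entries)
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $match = $Entries.Keys | Where-Object { $_ -like "*\$share" } | Select-Object -First 1
        $s = if ($match) { ConvertFrom-HardenedPathValue $Entries[$match] } else { @{} }
        [pscustomobject]@{
            Share      = $share
            Pattern    = $match   # empty when no entry covers the share
            MutualAuth = [bool]$s['RequireMutualAuthentication']
            Integrity  = [bool]$s['RequireIntegrity']
            Hardened   = [bool]($s['RequireMutualAuthentication'] -and $s['RequireIntegrity'])
        }
    }
}

# Constructed sample (hypothetical values): SYSVOL hardened, NETLOGON with integrity off.
$sample = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=0'
}
Test-HardenedPaths $sample | Format-Table

# Live check: an absent key means the hardening policy is not configured on this machine.
$live = @{}
if (Test-Path $Key) {
    $item = Get-Item $Key
    foreach ($n in $item.GetValueNames()) { $live[$n] = [string]$item.GetValue($n) }
}
Test-HardenedPaths $live | Format-Table
```

Running the live check across workstations shows which ones have the hardening relaxed, so the exposure window can be tracked until the policy is restored.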

I’ll update with a fix when one is given.

John Spaid

Vice President & CTO, AnchorPoint Security