Operating System:

[WIN]

Published:

14 January 2015

Protect yourself against future threats.

//Service

Security Bulletins

Receive up to date and consistent security bulletins across a wide range of vendors, streamlining security patching.

Read more
Resources > Security Bulletins > ESB-2015.0087 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0087
         Vulnerability in Network Location Awareness Service Could
                  Allow Security Feature Bypass (3022777)
                              14 January 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Windows
Publisher:         Microsoft
Operating System:  Windows Server 2003
                   Windows Vista
                   Windows Server 2008
                   Windows 7
                   Windows Server 2008 R2
                   Windows 8
                   Windows 8.1
                   Windows Server 2012
                   Windows Server 2012 R2
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0006  

Original Bulletin: 
   https://technet.microsoft.com/en-us/library/security/MS15-005

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS15-005 - Important

Vulnerability in Network Location Awareness Service Could Allow Security 
Feature Bypass (3022777)

Published: January 13, 2015

Version: 1.0

Executive Summary

This security update resolves a privately reported vulnerability in Microsoft
Windows. The vulnerability could allow security feature bypass by 
unintentionally relaxing the firewall policy and/or configuration of certain 
services when an attacker on the same network as the victim spoofs responses 
to DNS and LDAP traffic initiated by the victim.

This security update is rated Important for all supported editions of Windows
Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, 
Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

Affected Software

Windows Server 2003 Service Pack 2[1]

Windows Server 2003 x64 Edition Service Pack 2[1]

Windows Server 2003 with SP2 for Itanium-based Systems[1]

Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows 8 for 32-bit Systems

Windows 8 for x64-based Systems

Windows 8.1 for 32-bit Systems

Windows 8.1 for x64-based Systems

Windows Server 2012

Windows Server 2012 R2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core 
installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core 
installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core 
installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)

[1]Windows Server 2003 is affected, but an update is not being issued for it.
See the Update FAQ for more information.

NLA Security Feature Bypass Vulnerability - CVE-2015-0006

A security feature bypass vulnerability exists in the Network Location 
Awareness (NLA) service that could unintentionally relax the firewall policy 
and/or configuration of certain services. This could increase the surface 
exposed to an attacker. The vulnerability is caused when the NLA service fails
to properly validate whether a domain-connected computer is connected to the 
domain or to an untrusted network. The update addresses the vulnerability by 
forcing mutual authentication via Kerberos.

Successful exploitation of this vulnerability requires that an attacker be 
connected to the same network as the victims computer, and that the attacker 
spoof responses to DNS and LDAP traffic initiated by the victim. The 
vulnerability could allow an attacker to apply a domain profile to a computer
connected to an untrusted network. Client computers connected to untrusted 
networks are primarily at risk from this vulnerability.

Microsoft received information about this vulnerability through coordinated 
vulnerability disclosure. When this security bulletin was issued, Microsoft 
had not received any information to indicate that this vulnerability had been
publicly used to attack customers.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVLWvLhLndAQH1ShLAQKTMxAAl0nJgRF4+kQn36vLVxiEvyTU0qXQ5jVG
fU1U9fo9/lLZtn3+xOVJ0en+YKMzjAFtoQCPBkePttsE14MXmvL5KOxNCRyiOb3g
H9gC9m/e1NI9OiWuhgu4UkYmZ0XSNmjsogOjVcB3Aa49pCIFMjpToQpsiOHaxBoo
fN2EZf3uCIPkxZaTelMfC5/fApIKyGWFLp2AXrlpZsAnW2JfhfdCTtv4aGe73CeE
f7b6Mntmh64JOWKaqe/eeGY9TrasoAh1OQchrbUR5kbk5fjPehopVcQLF7b4V3dG
sTdSYo1PtyVNUbdNQR+/xk6eDA8S43Ep+qUmn5bSG3IxXs6wyziMPcG5FDXvaMUf
v049vodHKtaaOFUVPcUMXdlfQteteApLuRXupKFTQYuop2oywcQeUOdEIbQ07Svm
TA3N+RfYMeL5wSGP1EdRbAH6BoYbb/pXJxL4t2+NGk7Rs1Jx8MhbFkrsg3hmCKZ5
nIWMEDWN0Mq3XnX/BU8CnBpojoQKdql1k+gClsMaw+/c6xX9C/9eXg/VtyeQtbUJ
O7PKUPkuoi06qd3FZaBQZoGjSn1tEFC150lLdYLePQ2xWA39fUIQs29KvGM9+Qoc
bku7dj7ToN014VCt7OIOKQsh6/WQG4uQSLhgUNKaN9C0GvZMJYIJW/FhB4PC8YqY
htNz0/PKvAg=
=iwVK
-----END PGP SIGNATURE-----