-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2803
         Microsoft Security Bulletin MS15-122: Security Update for
           Kerberos to Address Security Feature Bypass (3105256)
                             11 November 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Windows
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Unauthorised Access -- Console/Physical
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-6095  

Original Bulletin: 
   https://technet.microsoft.com/en-us/library/security/MS15-122

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS15-122: Security Update for Kerberos to Address
Security Feature Bypass (3105256)

Document Metadata

Bulletin Number: MS15-122

Bulletin Title: Security Update for Kerberos to Address Security Feature 
Bypass

Severity: Important

KB Article: 3105256

Version: 1.0

Published Date: November 10, 2015

Executive Summary

This security update resolves a security feature bypass in Microsoft Windows.
An attacker could bypass Kerberos authentication on a target machine and 
decrypt drives protected by BitLocker. The bypass can be exploited only if the
target system has BitLocker enabled without a PIN or USB key.

This security update is rated Important for all supported editions of Windows.
For more information, see the Affected Software section.

Affected Software

Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems Service Pack 1[1]

Windows 7 for x64-based Systems Service Pack 1[1]

Windows Server 2008 R2 for x64-based Systems Service Pack 1[1]

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1[1]

Windows 8 for 32-bit Systems[2]

Windows 8 for x64-based Systems[2]

Windows 8.1 for 32-bit Systems

Windows 8.1 for x64-based Systems

Windows Server 2012[2]

Windows Server 2012 R2

Windows 10 for 32-bit Systems[3]

Windows 10 for x64-based Systems[3]

Windows 10 Version 1511 for 32-bit Systems[3]

Windows 10 Version 1511 for 64-bit Systems[3]

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core 
installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core 
installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core 
installation)

Windows Server 2012 (Server Core installation)[2]

Windows Server 2012 R2 (Server Core installation)

[1]Note that update 3081320 in MS15-121 and update 3101746 in MS15-115 are 
releasing concurrently with 3101246 in this bulletin, MS15-122. Customers who
intend to install all three updates manually on Windows 7 Service Pack 1 or 
Windows Server 2008 R2 Service Pack 1 should install the updates in the 
following order: 3101246 first, 3081320 second, and 3101746 third (this is 
taken care of automatically for customers with automatic updating enabled). 
For more information see the Known Issues section of Microsoft Knowledge Base
Article 3105256.

[2]Note that update 3081320 in MS15-121 and update 3101746 in MS15-115 are 
releasing concurrently with 3101246 in MS15-122. Customers who intend to 
install all three updates manually on Windows 8 or Windows Server 2012 should
install the updates in the following order: 3101246 first, 3101746 second, and
3081320 third (this is taken care of automatically for customers with 
automatic updating enabled). For more information see the Known Issues section
of Microsoft Knowledge Base Article 3105256.

[3]Windows 10 updates are cumulative. In addition to containing non-security 
updates, they also contain all of the security fixes for all of the Windows 
10-affected vulnerabilities shipping with the monthly security release. The 
updates are available via the Microsoft Update Catalog.

Vulnerability Information

Windows Kerberos Security Feature Bypass CVE-2015-6095

A security feature bypass exists in Windows when Kerberos fails to check the
password change of a user signing into a workstation. An attacker who 
successfully exploited the bypass could use it to unlock a workstation and 
decrypt drives protected by BitLocker.

An attacker who has physical access to a target machine could bypass Kerberos
authentication by connecting a workstation to a malicious Kerberos Key 
Distribution Center (KDC).

The update addresses the bypass by adding an additional authentication check.
Microsoft received information about the security feature bypass through 
coordinated vulnerability disclosure. At the time this security bulletin was 
originally issued, Microsoft was unaware of any attack attempting to exploit 
this bypass.
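The bulletin states the preconditions for the bypass: the attacker needs physical access, the workstation authenticates against a Kerberos KDC (i.e. it is domain-joined), and BitLocker protects the drive without a PIN or USB startup key. The following PowerShell audit is an added example, not part of MS15-122 or the AusCERT redistribution. It assumes a Windows 8 / Server 2012 or later host where the BitLocker module (Get-BitLockerVolume) is available, and it checks for KB3101246, the package number the bulletin's footnotes give for this update; on Windows 10 the fix ships inside the monthly cumulative update, so the hotfix lookup is skipped there. The function name Test-Ms15122Exposure and the output fields are the example's own. On Windows 7 / Server 2008 R2, where the module is absent, `manage-bde -protectors -get C:` lists the same key protector types.

```powershell
# Added example (not Microsoft's or AusCERT's code): report whether this host
# matches the MS15-122 exposure described in the bulletin.
# Assumptions: Get-BitLockerVolume is present (Windows 8 / Server 2012+), and
# the MS15-122 package is KB3101246 on the non-Windows 10 platforms listed in
# the bulletin's footnotes. Windows 10 hosts get the fix via the cumulative
# update, so the KB check is reported as not applicable there.

function Test-Ms15122Exposure {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $isWin10 = [version]$os.Version -ge [version]'10.0'

    # Key protector types that supply the "PIN or USB key" the bulletin says
    # defeats the bypass. A volume with only 'Tpm' (plus recovery protectors)
    # is the vulnerable configuration.
    $preBootAuth = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey')

    $osDrive = $env:SystemDrive   # e.g. C:
    $vol     = Get-BitLockerVolume -MountPoint $osDrive
    $types   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $bitlockerOn = ($vol.ProtectionStatus -eq 'On')
    $hasPreBoot  = [bool]($types | Where-Object { $preBootAuth -contains $_ })
    $tpmOnly     = $bitlockerOn -and ($types -contains 'Tpm') -and (-not $hasPreBoot)

    # Hotfix presence; $null on Windows 10 where the KB number does not apply.
    $patched = $null
    if (-not $isWin10) {
        $patched = [bool](Get-HotFix | Where-Object { $_.HotFixID -eq 'KB3101246' })
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        OSVersion        = $os.Version
        DomainJoined     = [bool]$cs.PartOfDomain   # Kerberos applies to domain logons
        OSDrive          = $osDrive
        BitLockerOn      = $bitlockerOn
        KeyProtectors    = ($types -join ',')
        TpmOnly          = $tpmOnly
        KB3101246        = if ($isWin10) { 'n/a (cumulative update)' } else { $patched }
        # Exposed = every precondition in the bulletin holds and the fix is absent.
        ExposedToMs15122 = ([bool]$cs.PartOfDomain) -and $tpmOnly -and ($patched -eq $false)
    }
}

Test-Ms15122Exposure | Format-List
```

Run it elevated, since Get-BitLockerVolume needs administrative rights. A host reporting TpmOnly = True should either receive the update or, independently of the patch, have a TPM+PIN or startup-key protector added so that the drive no longer unlocks without pre-boot authentication.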

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----