Vulnerability Note VU#787252
Microsoft Windows domain-configured client Group Policy fails to authenticate servers
Original Release date: 13 Feb 2015 | Last revised: 13 Feb 2015
Microsoft Windows domain-configured client Group Policy fails to authenticate servers over Universal Naming Convention (UNC) paths.
Microsoft has released MS15-011, detailing a critical flaw in which Windows domain-configured client Group Policy fails to authenticate servers over Universal Naming Convention (UNC) paths. Upon connecting to a network, Group Policy runs logon scripts to receive and apply policy data from a domain controller. By joining an attacker-controlled network, the vulnerable system will execute attacker-provided scripts since the server is not required to authenticate itself. Because of the way that the Multiple UNC Provider (MUP) iterates through UNC providers to establish a connection to the domain controller, the vulnerability may be remotely exploitable when a UNC path is resolved over the Internet.
For more detailed information, visit Microsoft’s blog about hardening Group Policy and JAS’s JASBUG Fact Sheet.
A remote, unauthenticated attacker may execute arbitrary code and completely compromise vulnerable systems.
Apply an update and configure Group Policy settings
In addition to applying an update, administrators need to configure additional Group Policy settings in order to protect against the vulnerability.
Note that in addition to the unsupported Windows XP and 2000, Windows Server 2003 will not be receiving an update to address this vulnerability despite being a supported operating system. Furthermore, Microsoft has not identified any workarounds or mitigations, recommending that security-conscious users upgrade their operating systems.
Vendor Information (Learn More)
Many versions of Microsoft Windows operating systems are confirmed vulnerable, including:
Microsoft Windows Vista, 7, 8, 8.1, RT, and RT 8.1
Microsoft Windows Server 2003, 2008, 2008 R2, 2012, and 2012 R2
Unsupported operating systems such as Microsoft Windows XP and 2000 may also be affected.
VendorStatusDate NotifiedDate UpdatedMicrosoft CorporationAffected-12 Feb 2015If you are a vendor and your product is affected, let
CVSS Metrics (Learn More)
Microsoft credits Jeff Schmidt of JAS Global Advisors, Dr. Arnoldo Muller-Molina of simMachines, and the Internet Corporation for Assigned Names and Numbers (ICANN) with discovering this issue.
This document was written by Joel Land.
13 Feb 2015
Date First Published:
13 Feb 2015
Date Last Updated:
13 Feb 2015
FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.