Threat Update | “JASBUG”
February 11, 2015
On February 10th, 2015, Microsoft released two critical patches for “JASBUG” – MS15-011 and MS15-014. The design flaws were indirectly discovered by JAS Global Advisors LLC with assistance from simMachines’s analytics. The patches have been published by Microsoft in order to resolve design flaws found in Active Directory Group Policies.
The two vulnerabilities – or rather, design flaws – occur when a user logs onto a Windows Domain. The first issue (patched with MS15-014) can lead to a user circumventing SMB signing when a Group Policy update fails. When a user logs onto a Windows Domain using their Active Directory credentials, the AD server will push down any Group Policy changes. If this push were to fail, the security settings would revert to the default setting, which effectively disables SMB Signing, rather than the “last-known-good” configuration. This could provide an attacker with the opportunity to redirect a user’s SMB traffic to a malicious host. (The user may think that they are accessing \\CorporateDocuments but could be redirected to a malicious server instead.)
The second patch, MS15-011, is designed to harden how Windows accesses and translates UNC paths (\\CorporateDocuments\policy.docx). The way a server and client authenticate with each other through UNC paths is flawed. To combat this, Microsoft has released MS15-011, which includes a new AD feature known as “UNC Hardened Access” and forces mutual authentication between the SMB server and client.
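UNC Hardened Access is driven by policy, so a patched client is worth checking for the hardened-path entries themselves. The PowerShell audit below is an added example, not part of the original advisory or Microsoft's own tooling; the registry location, the value syntax and the choice of SYSVOL and NETLOGON as the paths to check are assumptions taken from Microsoft's documentation of the feature rather than from this page.

```powershell
# Added example: audit the "Hardened UNC Paths" policy on a domain-joined client.
# Assumption: policy location and "Name=1, Name=1" value syntax as documented by
# Microsoft for the MS15-011 feature; neither is quoted in the advisory above.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Assumption: the shares that carry Group Policy files and logon scripts.
$expected = '\\*\SYSVOL', '\\*\NETLOGON'

function Test-HardenedPathValue {
    param([string]$Value)
    # Parse e.g. "RequireMutualAuthentication=1, RequireIntegrity=1" into flags.
    $flags = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = $pair.Trim() -split '=', 2
        if ($name) { $flags[$name.Trim()] = "$setting".Trim() }
    }
    [pscustomobject]@{
        MutualAuth = $flags['RequireMutualAuthentication'] -eq '1'
        Integrity  = $flags['RequireIntegrity'] -eq '1'
    }
}

if (-not (Test-Path -Path $key)) {
    Write-Warning "No hardened UNC paths are configured ($key is missing)."
}
else {
    $regKey = Get-Item -Path $key
    foreach ($path in $expected) {
        # Value names are the UNC patterns; GetValue avoids wildcard expansion of '*'.
        $raw   = $regKey.GetValue($path)
        $check = Test-HardenedPathValue -Value $raw
        [pscustomobject]@{
            UncPath    = $path
            Configured = $null -ne $raw
            MutualAuth = $check.MutualAuth
            Integrity  = $check.Integrity
            Compliant  = $check.MutualAuth -and $check.Integrity
        }
    }
}
```

A row with `Compliant` set to `False` means that path is not protected by both mutual authentication and integrity checking on this machine.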
More information on both MS15-011 and MS15-014 can be found in Microsoft’s latest TechNet blog.