Vulnerabilities > CVE-2015-0009 - 7PK - Security Features vulnerability in Microsoft products

047910
CVSS 3.3 - LOW
Attack vector
ADJACENT_NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
low complexity
microsoft
CWE-254
nessus
exploit available

Summary

The Group Policy Security Configuration policy implementation in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows man-in-the-middle attackers to disable a signing requirement and trigger a revert-to-default action by spoofing domain-controller responses, aka "Group Policy Security Feature Bypass Vulnerability."

Common Weakness Enumeration (CWE)

Exploit-Db

id: EDB-ID:47559
last seen: 2019-10-30
modified: 2019-10-29
published: 2019-10-29
reporter: Exploit-DB
source: https://www.exploit-db.com/download/47559
title: Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass

Msbulletin

bulletin_id: MS15-014
bulletin_url:
date: 2015-02-10T00:00:00
impact: Security Feature Bypass
knowledgebase_id: 3004361
knowledgebase_url:
severity: Important
title: Vulnerability in Group Policy Could Allow Security Feature Bypass

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS15-014.NASL
description: The version of Windows running on the remote host is affected by a security downgrade vulnerability that affects workstations and servers configured to use Group Policy. A man-in-the-middle attacker, via modified domain controller responses sent to targeted systems, can cause the policy file to become corrupted and unreadable, resulting in the Group Policy settings reverting to their default, potentially less secure, state.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 81267
published: 2015-02-10
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/81267
title: MS15-014: Vulnerability in Group Policy Could Allow Security Feature Bypass (3004361)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration branch: when `description` is set, the script only declares
# plugin metadata and leaves through the exit(0) at the end of the branch, so
# none of the host checks further down run in this mode.
if (description)
{
  script_id(81267);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/25");

  # Cross-references that tie this plugin to the CVE, the Bugtraq and CERT
  # entries, the Microsoft bulletin, its KB article and the IAVB notice.
  script_cve_id("CVE-2015-0009");
  script_bugtraq_id(72476);
  script_xref(name:"CERT", value:"787252");
  script_xref(name:"MSFT", value:"MS15-014");
  script_xref(name:"MSKB", value:"3004361");
  script_xref(name:"IAVB", value:"2015-B-0017");

  script_name(english:"MS15-014: Vulnerability in Group Policy Could Allow Security Feature Bypass (3004361)");
  # Detection is a file-version comparison of scesrv.dll. It establishes
  # whether the update is installed, not whether policy on the host has
  # actually been downgraded.
  script_summary(english:"Checks the file version of scesrv.dll.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a security downgrade
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Windows running on the remote host is affected by a
security downgrade vulnerability that affects workstations and servers
configured to use Group Policy. A man-in-the-middle attacker, via
modified domain controller responses sent to targeted systems, can
cause the policy file to become corrupted and unreadable, resulting in
the Group Policy settings reverting to their default, potentially less
secure, state.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-014");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2003, Vista, 2008,
7, 2008 R2, 8, 2012, 8.1, and 2012 R2.");
  # CVSS v2 base vector: adjacent-network access, low complexity, no
  # authentication, partial integrity impact, no confidentiality or
  # availability impact.
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:P/A:N");
  # CVSS v2 temporal vector: proof-of-concept exploit code, official fix
  # available, report confidence confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-0009");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/02/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/10");

  # "local" plugin type: the verdict comes from data read off the host (file
  # versions), so it depends on the scan having access to that data.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  # NOTE(review): STIG severity "I" sits next to a low-scoring CVSS v2 base
  # vector; triage that keys on only one of the two ratings will rank this
  # finding very differently.
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites: two dependency plugins, one required KB key, and the SMB
  # ports or the patch-management key. NOTE(review): the three
  # script_require_ports() entries are presumably alternatives; confirm
  # against the engine documentation.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

# Pre-flight gates. Each *_or_exit / audit() call below ends the script without
# a vulnerability verdict, so a host that stops here has not been assessed;
# read missing output as "unknown", not as "patched".
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

# Bulletin and KB article identifiers passed to the hotfix helpers below.
bulletin = 'MS15-014';
kb = '3004361';

kbs = make_list(kb);
# When patch-management data is present in the KB, the bulletin is evaluated
# through that path at note severity.
# NOTE(review): presumably this helper reports and exits on its own; confirm
# in the hotfix include files.
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_NOTE);

# The file-version path needs the registry-enumeration and Windows-version KB
# items to be present.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only the listed OS / service-pack levels are in scope. Anything else is
# audited out with the "not vulnerable" message, which here means "outside
# this check", not "verified safe".
if (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
# Some of the 2k3 checks could flag XP 64, which is unsupported
# (XP is also absent from the solution text, so it is excluded by product
# name rather than tested.)
if ("Windows XP" >< productname) audit(AUDIT_OS_SP_NOT_VULN);

# scesrv.dll is read through the system-drive share; if that share cannot be
# accessed the plugin audits out instead of guessing.
share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Version comparison of \system32\scesrv.dll, one call per OS version and
# service pack. `version` is the build each call compares against and
# `min_version`, where given, bounds the range that call applies to.
# NOTE(review): the paired entries for 6.0, 6.1 and 6.2 look like separate
# servicing branches of the same OS; confirm against the bulletin's file
# tables. The calls are joined with ||, so evaluation stops at the first one
# that returns true.
# Scope caveat: a clean result shows that the updated binary is present. It
# does not show that Group Policy security settings (for example the signing
# requirement named in the CVE summary) are currently applied on the host.
if (
  # Windows 8.1 / Windows Server 2012 R2
  hotfix_is_vulnerable(os:"6.3", sp:0, file:"scesrv.dll", version:"6.3.9600.17552", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 8 / Windows Server 2012
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"scesrv.dll", version:"6.2.9200.21317", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"scesrv.dll", version:"6.2.9200.17200", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 7 / Server 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"scesrv.dll", version:"6.1.7601.22894", min_version:"6.1.7601.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"scesrv.dll", version:"6.1.7601.18686", min_version:"6.1.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Vista / Windows Server 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"scesrv.dll", version:"6.0.6002.23558", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"scesrv.dll", version:"6.0.6002.19251", min_version:"6.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows Server 2003
  # (no min_version is given for this entry)
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"scesrv.dll", version:"5.2.3790.5492", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  # Record the missing bulletin in the KB under SMB/Missing/<bulletin>, then
  # report through the note-level helper.
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_note();
  # Called on both branches before leaving.
  # NOTE(review): presumably closes the file-check session; confirm in the
  # include file.
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Packetstorm

data source: https://packetstormsecurity.com/files/download/155007/msws2012gp-bypass.txt
id: PACKETSTORM:155007
last seen: 2019-10-30
published: 2019-10-29
reporter: Thomas Zuk
source: https://packetstormsecurity.com/files/155007/Microsoft-Windows-Server-2012-Group-Policy-Security-Feature-Bypass.html
title: Microsoft Windows Server 2012 Group Policy Security Feature Bypass