Microsoft has issued a security advisory (Microsoft Security Bulletin MS15-011) for a critical flaw in Windows that allows attackers to remotely gain full control of vulnerable computers. Referred to as "JASBUG", the Microsoft Windows Group Policy Remote Code Execution Vulnerability (CVE-2015-0008) affects domain-joined computers, that is, computers that are members of a corporate Active Directory domain.
What Customers Need to Know
1. The flaw was discovered by security firm JAS Global Advisors, which reported the vulnerability to Microsoft in January 2014.
2. The CVE-2015-0008 bug could allow an attacker to hijack a domain-joined Windows computer whenever it is connected to a malicious wired or wireless network: an attacker who controls the network can answer the computer's Group Policy retrieval with a spoofed SYSVOL share, and the policy it serves is processed with system privileges. This gives the attacker the ability to perform various actions on the affected computer, including installing programs; deleting, altering, or reading users' data; or creating new accounts with full user rights. The JASBUG vulnerability generally does not affect home users, because their computers are not usually domain-joined.
3. The CVE-2015-0008 bug exists on the following Windows operating systems:
- Windows XP
- Windows 2000
- Windows Vista
- Windows 7
- Windows 8
- Windows RT
- Windows 8.1
- Windows RT 8.1
- Windows Server 2003
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
4. User interaction, beyond normal use such as web browsing, opening files, or viewing email, is not required for attackers to exploit the bug.
5. The vulnerability was disclosed to Microsoft in 2014. However, it took Microsoft almost a year to issue the necessary patches for some (and not all) of the affected operating systems, because this particular vulnerability is a design flaw rather than an implementation bug: the fix is not a code patch but a new feature, "Hardened UNC Paths", that must be configured after the update is installed. According to JAS: “IT professionals administering Microsoft environments should immediately review the Microsoft documentation available at https://support.microsoft.com/kb/3000483. As remediation involves a new feature that must be configured on Active Directory Clients and Servers, it is important that systems administrators move rapidly but responsibly.”
6. When the Microsoft security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been exploited to attack customers.
7. Microsoft did not release a fix for Windows XP, Windows Server 2003, or Windows 2000. The architecture needed to support the fix provided in the update does not exist on these systems, which makes it impractical to build the fix for Windows XP, Windows Server 2003, and Windows 2000; doing so would require re-architecting a very significant amount of the operating system and not just the affected component. Customers that have purchased Custom Support or extended support from Microsoft for these systems will also not receive a fix for this particular vulnerability.
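The remediation JAS refers to in item 5 is the Hardened UNC Paths feature introduced by the KB3000483 (MS15-011) update. The following PowerShell is an added example, not code from the Symantec article or from Microsoft's KB: it applies the two settings the KB documents for the shares from which Group Policy is retrieved (SYSVOL and NETLOGON) and then verifies them. It writes the registry key that the corresponding Group Policy setting populates, so it is suitable for testing on one host; in production the same values should be deployed through Group Policy (Computer Configuration > Administrative Templates > Network > Network Provider > Hardened UNC Paths). The update itself must already be installed, otherwise the values are ignored.

```powershell
# Added example, not part of the original article or KB3000483.
# Run elevated on a host that already has the MS15-011 update installed.

$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Group Policy is fetched from SYSVOL and NETLOGON. RequireMutualAuthentication=1
# forces Kerberos (a rogue server cannot impersonate the DC) and
# RequireIntegrity=1 forces SMB signing (traffic cannot be tampered with).
$Required = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

function Set-HardenedUncPaths {
    # Create the policy key if absent and write one REG_SZ value per share.
    if (-not (Test-Path -LiteralPath $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($share in $Required.Keys) {
        New-ItemProperty -Path $Key -Name $share -Value $Required[$share] `
            -PropertyType String -Force | Out-Null
    }
}

function Test-HardenedUncPaths {
    # Returns $true only if both shares carry both required flags.
    if (-not (Test-Path -LiteralPath $Key)) {
        Write-Warning "HardenedPaths key missing: UNC hardening is not configured"
        return $false
    }
    $regKey = Get-Item -LiteralPath $Key
    $ok = $true
    foreach ($share in $Required.Keys) {
        # GetValue() is a literal lookup, so the '*' in the value name is not a wildcard.
        $value = [string]$regKey.GetValue($share)
        $good = ($value -match 'RequireMutualAuthentication=1') -and ($value -match 'RequireIntegrity=1')
        if ($good) { Write-Host ("{0,-14} OK: {1}" -f $share, $value) }
        else       { Write-Host ("{0,-14} MISSING/WEAK: '{1}'" -f $share, $value); $ok = $false }
    }
    return $ok
}

Set-HardenedUncPaths
Test-HardenedUncPaths
```

Test-HardenedUncPaths is the check to keep: run it after a Group Policy refresh on a sample of domain members to confirm the policy actually reached them, since the MS15-011 update alone changes nothing until these values are present.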
Symantec Recommendations:
As noted in the previous section, Microsoft did not release a patch for Windows XP, Windows Server 2003 and Windows 2000. The architecture needed to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server 2003. To do so would require re-architecting a very significant amount of the Windows Server 2003 operating system, not just the affected component, and there are no assurances that current applications running on Windows Server 2003 would continue to run on a re-architected system.
Given these challenges, Symantec recommends that customers use Symantec Data Center Security: Server Advanced to protect their legacy Windows systems against attacks attempting to exploit the CVE-2015-0008 vulnerability, instead of relying on patches that will not arrive.
Here are the actions that customers should consider to protect their potentially vulnerable and unpatched systems:
1. Turn on IPS Monitoring
Typically, turning on the Symantec Data Center Security: Server Advanced IPS capabilities is the first line of defense against zero-day threats.
However, since there are no reports of this particular bug being exploited in the wild, we recommend that customers use the IPS monitoring mode for the time being. Monitoring mode detects and alerts on unusual or suspicious activity without the application performance cost of prevention mode.
2. Turn on Configuration Monitoring, file integrity monitoring, and file, system and admin lockdown.
Customers can also set rules so that specific configuration files remain “read-only”. In addition, customers can use DCS: Server Advanced privileged-command monitoring, bash history monitoring, and system hardening checks to help detect any unwanted activity.
For configuration monitoring, the Data Center Security: Server Advanced Windows Baseline Detection policy contains options to monitor the Active Directory authentication settings. Under the System Active Directory Change Monitor, Authentication and Encryption Configuration, the following options can be used to alert the user if the SMB Signing configuration is being modified on either the server or client:
- EnableSecuritySignature Changed
- RequireSecuritySignature Changed
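The two options above alert when the SMB signing configuration changes, so it is worth knowing the baseline state of those values before enabling the alerts. The following PowerShell is an added example, not part of the Symantec article or of the DCS: Server Advanced policy: it reads EnableSecuritySignature and RequireSecuritySignature from the registry locations where the workstation (client) side and the server side store them, and reports whether signing is merely negotiated or actually required. It is read-only and needs no administrator rights.

```powershell
# Added example, not part of the original article or the DCS: SA policy.
# Reads the SMB signing settings that the Baseline Detection options watch.

$Sides = @{
    Client = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    Server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
}

function Get-SmbSigningState {
    # Emits one object per side with the raw values and a human-readable verdict.
    foreach ($side in $Sides.Keys) {
        $p = Get-ItemProperty -Path $Sides[$side] -ErrorAction SilentlyContinue
        # A missing value means the operating-system default applies; on member
        # machines that default does not require signing.
        $enable  = if ($null -ne $p.EnableSecuritySignature)  { [int]$p.EnableSecuritySignature }  else { $null }
        $require = if ($null -ne $p.RequireSecuritySignature) { [int]$p.RequireSecuritySignature } else { $null }

        if ($require -eq 1) {
            $verdict = 'signing required'
        } elseif ($enable -eq 0) {
            $verdict = 'signing disabled'
        } else {
            # Enabled (or defaulted) but not required: an unsigned rogue share on a
            # hostile network is still accepted, which is what JASBUG relies on.
            $verdict = 'signing negotiated only, not required'
        }

        [pscustomobject]@{
            Side    = $side
            Enable  = $enable
            Require = $require
            Verdict = $verdict
        }
    }
}

function Test-SmbSigningRequired {
    # $true only when both the client and the server side require signing.
    $states = @(Get-SmbSigningState)
    return ($states.Count -eq 2) -and (($states | Where-Object { $_.Require -ne 1 }).Count -eq 0)
}

Get-SmbSigningState | Format-Table -AutoSize
Test-SmbSigningRequired
```

Record the output on each legacy host before switching the DCS alerts on; a later alert then reads as a change from a known state rather than a change from an unknown one, and any host that reports "signing negotiated only" on the client side is a candidate for tightening RequireSecuritySignature where its applications tolerate it.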
3. Application-level Micro-segmentation
Given what we know, micro-segmentation cannot completely prevent the exploit, but it can certainly minimize a customer’s exposure to it. Customers can use the DCS: Server Advanced ability to define and enforce application-level security settings to lock down and harden critical applications on the potentially vulnerable Windows server systems until these can be migrated to a more secure platform. Customers that have deployed VMware NSX can also take advantage of the DCS: Server Advanced integration to extend the application-level lockdown to other third-party security tools that are registered with NSX Service Composer (applicable only to DCS 6.5 customers). This "application-level" security approach provides an additional layer of protection for mission-critical applications in the event that a potentially vulnerable Windows system is compromised.
4. Full Application Control and Sandboxing
IT can use DCS: SA to perform full application control and block any unused web services running on the legacy platforms. Customers can also set rules to limit the privileged (root or Administrator) user’s capabilities.
Key takeaways:
Customers using Symantec Data Center Security: Server Advanced will gain the following benefits:
- Improve the security posture of their legacy and unpatched Windows servers by protecting them against known and unknown (zero-day) malware.
- Reduce security incidents and remediation costs with continuous protection even if the server is unable to get the latest patches in a timely fashion.