Microsoft Windows DNS vulnerability CVE-2015-6125

Microsoft Windows DNS vulnerability CVE-2015-6125

DearBytesAlertsMicrosoft Windows DNS vulnerability CVE-2015-6125

What happened?

On Monday 7 December, a serious vulnerability in Microsoft Windows DNS was patched. The DNS service is a standard component of Windows networks. The vulnerability was assigned the number CVE-2015-6125. Microsoft has stated this is a critical vulnerability that allows for remote code execution.

https://technet.microsoft.com/en-us/library/security/ms15-127.aspx

 

Why is this important?

The DNS service is a standard part of Windows servers, most corporate networks rely on the service to provide name services. The DNS service is executed with elevated privileges which would allow an attacker full access to the system. Since many corporate networks combine DNS and Active Directory services on the same servers exploitation would allow an attacker to compromise the entire Windows domain. Consider separating DNS and Active Directory services in order to minimize the attack surface of domain controllers.

It is unclear if Windows server 2003 servers are at risk, however if the vulnerability is present the system will not receive updates making this a potential severe issue for Server 2003.

What systems are affected?

To exploit this vulnerability, an attacker is required to send a specially crafted DNS packet that will not get properly parsed by the DNS servers. Once exploited, an attacker could execute arbitrary code within Local System Account context.

The following windows server versions are vulnerable:

  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

At the time of this writing there is no public information available regarding the vulnerabilityof server 2003.

What can you do to protect yourself?

Apply the MS15-127 on any vulnerable servers in the network as soon as possible. With McAfee Vulnerability Manager you are able to enumerate the vulnerable systems on the network. This is possible as soon as your vulnerability scanner has been updated with a script to recognise this vulnerability. It is important to start with the servers that can be approached externally, and then proceed with updating the internally available server.

McAfee HIPS will also be able to detect and block attempts to exploit this vulnerability.

What can DearBytes Managed Services do to protect you?

For customers for whom DearBytes manages the vulnerability management, DearBytes will make an inventory of systems vulnerable to CVE-2015-6125 and share this report with you as soon as the vulnerability scan is possible. For customers for whom DearBytes manages the Intrusion Prevention/Detection, detection rules to recognise and – after your approval – block exploitation will be activated as soon as they are available.

These customers will be informed in more detail individually.