
MS15-011 Vulnerability (CVE-2015-0008)


**Disclaimer**: Please note that the following actions involve making changes to your system. We provide this information for guidance purposes only. We are not responsible for any damage or loss that may occur as a result of implementing these steps. It is recommended to proceed with caution and have a valid backup of your server before making any modifications.

Vulnerability Details 

The vulnerability in the remote Windows host arises from a flaw in the way the Group Policy service handles policy data when a system that’s part of a domain connects to a domain controller. This issue allows an attacker, if they have control over the network, to potentially take full control of the affected host.

Severity Rating

High

How to Verify if a Device is Vulnerable

Use Nessus plugin ID 81264 to scan the device and check for the vulnerability.

What You Should Be Aware of if You Apply a Fix

Before addressing the MS15-011 vulnerability, which could allow remote code execution through Group Policy, ensure you understand the vulnerability’s specifics and how it affects your network. Test the security update in a controlled environment before widespread deployment, and back up critical data.

How to Fix

Patch the vulnerable machine by installing the newest Windows updates.

If the patch has been installed but the vulnerability still appears in all scans, you must also enable the policy setting through Local Group Policy, as described in the steps below. Where numerous servers are involved, it is more efficient to establish a domain-level group policy for these servers. However, if this approach requires additional time and testing, a more immediate solution is to implement the policy locally on the specific server in question.

  • As a system administrator, you should log into the Windows Server using your administrative credentials. Once logged in, open the Run dialog box and type “gpedit.msc”. This command will launch the Local Group Policy Management Console.
  • Go to this path: Computer Configuration > Administrative Templates > Network > Network Provider
  • Right-click the Hardened UNC Paths setting, and then click Edit and select the Enabled option.
  • In the Options pane, scroll down, and then click Show.
  • Add the configuration entries. To do this, follow these steps:

In the column labeled “Value Name,” enter the desired UNC (Universal Naming Convention) path for configuration. You can specify the UNC path in any of the following formats:

  • \\<Server>\<Share> — The configuration entry applies to the share that has the specified name on the specified server.
  • \\*\<Share> — The configuration entry applies to the share that has the specified name on any server.
  • \\<Server>\* — The configuration entry applies to any share on the specified server.

Here are some examples on what to insert in the value section.

Here is an example of what a hardened UNC path might look like.

How to Verify the Fix

  • Rescan the device with Nessus plugin ID 81264 and check for the vulnerability.
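
Alongside the rescan, the configured entries can be checked on the server itself. The following PowerShell is an added example, not part of the original article: it parses Hardened UNC Paths values and compares them with a baseline. The registry location, the `\\*\NETLOGON` and `\\*\SYSVOL` baseline values (taken from Microsoft's published MS15-011 guidance), and the function names are assumptions of this example.

```powershell
# Assumption: the policy is stored as string values under this registry key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Assumption: baseline from Microsoft's MS15-011 guidance; adjust to your environment.
$Baseline = [ordered]@{
    '\\*\NETLOGON' = @{ RequireMutualAuthentication = '1'; RequireIntegrity = '1' }
    '\\*\SYSVOL'   = @{ RequireMutualAuthentication = '1'; RequireIntegrity = '1' }
}

function ConvertFrom-HardenedPathValue([string]$Value) {
    # "RequireMutualAuthentication=1, RequireIntegrity=1" -> hashtable of flags
    $flags = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = $pair.Trim() -split '=', 2
        if ($name) { $flags[$name.Trim()] = "$setting".Trim() }
    }
    $flags
}

function Test-HardenedPaths([hashtable]$Configured, $Expected = $Baseline) {
    foreach ($path in $Expected.Keys) {
        $raw   = $Configured[$path]
        $flags = if ($raw) { ConvertFrom-HardenedPathValue $raw } else { @{} }
        $want  = $Expected[$path]
        # A flag is weak when it is absent or differs from the baseline value.
        $weak  = @($want.Keys | Where-Object { $flags[$_] -ne $want[$_] })
        [pscustomobject]@{
            UncPath       = $path
            Configured    = $raw
            Compliant     = ($weak.Count -eq 0)
            MissingOrWeak = $weak -join ', '
        }
    }
}

# Constructed sample input: the SYSVOL entry lacks RequireIntegrity.
$sample = @{
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1'
}
Test-HardenedPaths -Configured $sample | Format-Table -AutoSize

# Live check on the local machine (an absent key means no entries are configured).
$live = @{}
if (Test-Path $PolicyKey) {
    $key = Get-Item $PolicyKey
    foreach ($n in $key.GetValueNames()) { $live[$n] = [string]$key.GetValue($n) }
}
Test-HardenedPaths -Configured $live | Format-Table -AutoSize
```

Run it in an elevated PowerShell session after `gpupdate /force` so the locally edited policy has been applied.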

Rollback

  • Remove the applied configurations.
