We live in a very dynamic and unfriendly computing environment, and the JASBUG vulnerability (CVE-2015-0008, addressed by MS15-011) proves it. The attack itself is not all that sophisticated, but the underlying design flaw is a very large problem for every Active Directory installation, because it sits in the way every domain member fetches its Group Policy.

During the Group Policy background refresh, every domain-joined client and server connects over SMB to the NETLOGON and SYSVOL shares on a domain controller to download policy files and scripts. Before the fix, the Group Policy client did not require that SMB connection to be mutually authenticated or integrity-protected, so an attacker who can intercept or redirect that traffic (a man-in-the-middle on the network path, or a spoofed name resolution answer) can pose as a "false" domain controller and hand the machine bogus Group Policy. That bogus policy can include anything the real Group Policy from the production environment could: security settings can be loosened, startup or logon scripts can be run (as SYSTEM on the client), registry settings altered, and so on. The companion bulletin MS15-014 closes a related gap in which a failed policy retrieval could cause the client to fall back to less secure default settings.

Since this is such a large problem and the attack is straightforward once an attacker is on the network path, everyone running Active Directory should implement these updates from Microsoft immediately. The attacker does not have to be inside your perimeter: a domain-joined laptop doing a policy refresh on a hotel or coffee-shop network is exposed just as much as a server on a compromised internal segment, so there is no safe place.


You need to install the MS15-011 update and also read and apply the MS15-014 bulletin to protect against the vulnerability. Installing MS15-011 alone is not enough; it adds the capability, and you must then turn it on through Group Policy. The update ships a new Group Policy ADMX file, NetworkProvider.ADMX, which lets you require mutual authentication and integrity protection for SMB connections to specific UNC paths, specifically the NETLOGON and SYSVOL shares on your domain controllers. When you edit a GPO on a computer where this update is installed (or where the ADMX has been copied into your central store), you will have a new group of settings located under Computer Configuration\Policies\Administrative Templates\Network\Network Provider. Under this new location you will find a setting named Hardened UNC Paths, which is configurable as shown in Figure 1. Note that the setting is only honored by computers that have MS15-011 installed, so patch first, then deploy the policy.

Figure 1. Hardened UNC Paths to protect against the JASBUG vulnerability.

You will need to use the correct syntax when configuring this policy. Each entry is a value name holding the UNC path and a value containing the options, and Microsoft's recommended configuration for every domain member is two entries, \\*\NETLOGON and \\*\SYSVOL, each set to RequireMutualAuthentication=1, RequireIntegrity=1. The wildcard in the server position covers those share names on any domain controller. Because mutual authentication means Kerberos, access to these shares by IP address (which can only use NTLM) will fail once the policy is in place, so make sure scripts and tools reference domain controllers by name. The full details on the syntax, the optional RequirePrivacy option, and deployment ordering are in the Microsoft FAQ on this vulnerability, update, and settings at http://blogs.technet.com/b/askpfeplat/archive/2015/02/23/guidance-on-deployment-of-ms15-011-and-ms15-014.aspx.
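The GPO setting above simply writes string values under HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths, which makes it easy to audit whether a machine actually received the hardening. The following PowerShell script is an added example, not code from the original article or from Microsoft: it checks that the MS15-011 update is present, reports whether the two recommended entries are set correctly (tolerating different ordering and spacing of the options), and with -Apply writes them directly for a machine that does not get them from a domain GPO, such as a lab box. The KB number is a parameter because it differs by Windows version; KB3000483 is an assumption for the common client and server releases, so verify it against the bulletin for your OS.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original article): audit, and optionally apply,
# the Hardened UNC Paths values that the MS15-011 Group Policy setting writes.
# Domain members should receive these through a GPO; -Apply is for machines
# that are not covered by one.
param(
    [switch]$Apply,
    # MS15-011 KB number; assumed value, check the bulletin for your OS version.
    [string]$Ms15011Kb = 'KB3000483'
)

$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Microsoft's recommended entries: both shares, on any domain controller,
# must use Kerberos mutual authentication and SMB integrity (signing).
$Required = @{
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

function Test-HardenedPathValue {
    # Parse "Option=Value, Option=Value" and require both hardening flags to be 1.
    param([string]$Data)
    $flags = @{}
    foreach ($part in ($Data -split ',')) {
        $kv = $part.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $flags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    return ($flags['RequireMutualAuthentication'] -eq '1' -and $flags['RequireIntegrity'] -eq '1')
}

function Get-HardenedPathStatus {
    # One row per required path: what is currently set and whether it is compliant.
    $props = if (Test-Path $HardenedPathsKey) { Get-ItemProperty -Path $HardenedPathsKey } else { $null }
    foreach ($name in $Required.Keys) {
        $data = if ($props) { $props.PSObject.Properties[$name].Value } else { $null }
        [pscustomobject]@{
            Path      = $name
            Data      = $data
            Compliant = ($null -ne $data) -and (Test-HardenedPathValue -Data $data)
        }
    }
}

# 1. Without the update the registry values are silently ignored.
if (-not (Get-HotFix -Id $Ms15011Kb -ErrorAction SilentlyContinue)) {
    Write-Warning "$Ms15011Kb (MS15-011) not found; Hardened UNC Paths will have no effect until it is installed."
}

# 2. Report the current state.
$status = Get-HardenedPathStatus
$status | Format-Table -AutoSize

# 3. Optionally write the missing or non-compliant entries.
if ($Apply) {
    if (-not (Test-Path $HardenedPathsKey)) { New-Item -Path $HardenedPathsKey -Force | Out-Null }
    foreach ($entry in ($status | Where-Object { -not $_.Compliant })) {
        Set-ItemProperty -Path $HardenedPathsKey -Name $entry.Path -Value $Required[$entry.Path] -Type String
        Write-Host "Set $($entry.Path) -> $($Required[$entry.Path])"
    }
    # New SMB connections pick the values up; existing sessions are not renegotiated.
}
```

Run it without -Apply on a sample of domain members after the GPO has been deployed to confirm the values landed. A machine that reports Compliant = False for either path is still exposed even if the patch is installed; a machine that reports the values but lacks the update is not protected either, which is why the script checks both.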

No matter what you do, please take action on this immediately. Your network, security, and Active Directory rely on getting this updated!