Summary
Title: Vulnerability in DirectAccess and IPsec Could Allow Security Feature Bypass
Information
Name: KB2862152 | First vendor publication: 2013-11-12
Vendor: Microsoft | Last vendor modification: 2014-02-28
Severity (vendor): N/A | Revision: 1.1

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:C/I:N/A:N)
CVSS base score: 7.1 | Attack range: Network
CVSS impact score: 6.9 | Attack complexity: Medium
CVSS exploit score: 8.6 | Authentication: None required

Detail

General Information

Executive Summary

Microsoft is announcing the availability of an update for all supported releases of Windows to address a vulnerability in how server connections are authenticated to clients in either DirectAccess or IPsec site-to-site tunnels.

An attacker who successfully exploited the vulnerability could use a specially crafted DirectAccess server to pose as a legitimate DirectAccess Server in order to establish connections with legitimate DirectAccess clients. The attacker-controlled system, appearing to be a legitimate server, could cause a client system to automatically authenticate and connect with the attacker-controlled system, allowing the attacker to intercept the target user's network traffic and potentially determine their encrypted domain credentials.

Microsoft is not aware of any active attacks that are exploiting this vulnerability as of the release of this advisory.

Recommendation. Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

Note: In addition to installing the update, further administrative steps are required to be protected from the vulnerability described in this advisory. Please see the Suggested Actions section of this advisory for more information.

Advisory Details

Vulnerability References

For more information about this vulnerability, see the following references:

References | Identification
CVE Reference: CVE-2013-3876
Microsoft Knowledge Base Article: 2862152

Affected Software

This advisory discusses the following software.

Affected Operating Systems
Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2
Windows Vista Service Pack 1
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows 8 for 32-bit Systems (except Embedded edition)
Windows 8 for x64-based Systems (except Embedded edition)
Windows Server 2012
Windows RT
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2012 R2
Windows RT 8.1
Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012 (Server Core installation)

Advisory FAQ

What is the scope of the advisory?
The purpose of this advisory is to notify customers that Microsoft is publishing an update for DirectAccess and IPsec to address the vulnerability described in this advisory. This vulnerability affects the operating systems that are listed in the Affected Software section.

What might an attacker use the vulnerability to do?
In most scenarios, an attacker who successfully exploited this vulnerability could gain access to any of the information that the targeted system sends over the network. The type of information that could be exposed is not limited to sensitive unencrypted data, but in some cases could also include user authentication information.

How could an attacker exploit the vulnerability?
An attacker-controlled system could pose as a legitimate DirectAccess server by installing a specially crafted server certificate. A targeted system would not be able to discern the attacker's DirectAccess server from a legitimate one.

Will Microsoft issue any further update to address this vulnerability?
No. Microsoft is not planning to release an update in addition to the one released with this advisory.

What does the update do?
The update prevents an attacker-controlled system from being able to pose as a legitimate DirectAccess server without a valid certificate issued by the owning organization. However, the update alone is not enough to fully protect customers from the vulnerability addressed in this advisory. In addition to applying the 2862152 update, customers must also follow the configuration guidance provided in Microsoft Knowledge Base Article 2862152 to be fully protected from the vulnerability.

What additional guidance must customers follow in order to be protected from the vulnerability?
The nature of the fix requires that an enterprise with a DirectAccess server deployed create new server certificates and deploy these new certificates to its DirectAccess server and client systems. If these new certificates are not installed before the update is deployed, the DirectAccess services will remain insecure. See Microsoft Knowledge Base Article 2862152 for the additional configuration steps required for full protection from the vulnerability.
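As an added example (not Microsoft's code and not the DirectAccess client's actual implementation), the Go program below models the difference the two FAQ answers above describe: a client that accepts any server certificate chaining to any trusted root, versus one that accepts only certificates issued by the organization's own CA. It constructs an organization CA, a second CA that the client also trusts, and a server certificate from each for the placeholder name da.corp.example; all names, serials and certificates are constructed test values, and `Outcome()` returns (genuine accepted under pinning, impostor accepted under broad trust, impostor accepted under pinning).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent; a nil parent yields a self-signed root CA.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, // constructed test values
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // self-signed: the certificate is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// clientAccepts models a client that expects server name host and trusts only the given CAs as roots.
func clientAccepts(server *x509.Certificate, host string, anchors ...*x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Outcome reports: genuine server accepted by the pinned policy, impostor accepted by the broad policy, impostor accepted by the pinned policy.
func Outcome() (genuinePinned, impostorBroad, impostorPinned bool) {
	const host = "da.corp.example" // constructed DirectAccess server name
	orgCA, orgKey := issue("Corp Root CA", true, nil, nil)
	otherCA, otherKey := issue("Other Trusted CA", true, nil, nil) // trusted by the client, but not the organization's CA
	genuine, _ := issue(host, false, orgCA, orgKey)
	impostor, _ := issue(host, false, otherCA, otherKey) // well-formed, correct name, wrong issuer
	return clientAccepts(genuine, host, orgCA), clientAccepts(impostor, host, orgCA, otherCA), clientAccepts(impostor, host, orgCA)
}
```

Drive it from a test or a main that calls `Outcome()`; the impostor certificate is validly signed and carries the right name, and only the issuer restriction rejects it.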

Suggested Actions

Apply the update for affected releases of Microsoft Windows

The majority of customers have automatic updating enabled and will not need to take any action because the 2862152 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install the 2862152 update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information on how to manually apply the update, see Microsoft Knowledge Base Article 2862152.

Note: In addition to installing the update, further administrative steps are required to be protected from the vulnerability described in this advisory. See Microsoft Knowledge Base Article 2862152 for detailed guidance.

Additional Suggested Actions
  • Protect your PC

    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.

  • Keep Microsoft Software Updated

    Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

Original Source

URL: http://www.microsoft.com/technet/security/advisory/2862152.mspx

CWE : Common Weakness Enumeration

% | Id | Name
100% | CWE-20 | Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:26746
Title: Allows man-in-the-middle attackers to spoof servers and read encrypted domain credentials via a crafted certificate
Description: DirectAccess in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly verify server X.509 certificates, which allows man-in-the-middle attackers to spoof servers and read encrypted domain credentials via a crafted certificate.
Family: windows | Class: vulnerability
Reference(s): CVE-2013-3876
Version: 3
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows 7
Microsoft Windows Server 2008 R2
Microsoft Windows 8
Microsoft Windows Server 2012
Microsoft Windows 8.1
Microsoft Windows Server 2012 R2


Nessus® Vulnerability Scanner

Date | Description
2013-11-13 | Name: The remote host is affected by a security feature bypass vulnerability.
File: smb_kb2862152.nasl | Type: ACT_GATHER_INFO

Alert History

Date | Information
2014-02-28 21:19:33
  • Multiple Updates
2014-02-17 11:38:42
  • Multiple Updates
2013-11-19 00:22:23
  • Multiple Updates
2013-11-18 13:23:05
  • Multiple Updates
2013-11-12 21:19:24
  • First insertion