MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2015-140

DATE(S) ISSUED:
12/08/2015

SUBJECT:
Vulnerability in Microsoft DNS Server Could Allow Remote Code Execution (MS15-127)

OVERVIEW:

A vulnerability has been discovered in Microsoft’s Windows Domain Name System (DNS) Server which could allow remote code execution. Successful exploitation of this vulnerability could allow an attacker to gain elevated privileges, resulting in complete control of the system.

Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the Local System Account. Depending on the privileges associated with the account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • Windows Server 2008, R2, and Server Core Installations

  • Windows Server 2012, R2, and Server Core Installations

RISK:

Government:

  • Large and medium government entities: High

  • Small government entities: High

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

Home users: High

TECHNICAL SUMMARY:

A use-after-free vulnerability was discovered in Windows DNS Server when it fails to properly parse specially crafted DNS requests (CVE-2015-6125). This vulnerability can be exploited if an attacker issues a malicious request to a vulnerable Windows server configured as a DNS server.

Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the Local System Account. Depending on the privileges associated with the account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.

  • Implement logging and monitor logs to ensure that only authorized users are accessing resources and identify any unauthorized modifications or unusual traffic. Store logs for a minimum of 90 days.

REFERENCES:

Microsoft:

https://technet.microsoft.com/en-us/library/security/MS15-127

CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6125