Security Advisory

Microsoft Security Advisory 2862152

Vulnerability in DirectAccess and IPsec Could Allow Security Feature Bypass

Published: November 12, 2013 | Updated: February 28, 2014

Version: 1.1

General Information

Executive Summary

Microsoft is announcing the availability of an update for all supported releases of Windows to address a vulnerability in how server connections are authenticated to clients in either DirectAccess or IPsec site-to-site tunnels.

An attacker who successfully exploited the vulnerability could use a specially crafted DirectAccess server to pose as a legitimate DirectAccess Server in order to establish connections with legitimate DirectAccess clients. The attacker-controlled system, appearing to be a legitimate server, could cause a client system to automatically authenticate and connect with the attacker-controlled system, allowing the attacker to intercept the target user's network traffic and potentially determine their encrypted domain credentials.

Microsoft is not aware of any active attacks that are exploiting this vulnerability as of the release of this advisory.

Recommendation. Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

Note In addition to installing the update, additional administrative steps are required to be protected from the vulnerability described in this advisory. Please see the Suggested Actions section of this advisory for more information.

Advisory Details

Vulnerability References

For more information about this vulnerability, see the following references:

Reference                           Identification
CVE Reference                       CVE-2013-3876
Microsoft Knowledge Base Article    2862152

Affected Software

This advisory discusses the following software.

Operating System
Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2
Windows Vista Service Pack 1
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows 8 for 32-bit Systems (except Embedded edition)
Windows 8 for x64-based Systems (except Embedded edition)
Windows Server 2012
Windows RT
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2012 R2
Windows RT 8.1
Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012 (Server Core installation)


Advisory FAQ

What is the scope of the advisory?
The purpose of this advisory is to notify customers that Microsoft is publishing an update for DirectAccess and IPsec to address the vulnerability described in this advisory. This vulnerability affects the operating systems that are listed in the Affected Software section.

What might an attacker use the vulnerability to do?
In most scenarios, an attacker who successfully exploited this vulnerability could gain access to any of the information that the targeted system sends over the network. The type of information that could be exposed is not limited to sensitive unencrypted data, but in some cases could also include user authentication information.

How could an attacker exploit the vulnerability?
An attacker-controlled system could pose as a legitimate DirectAccess server by installing a specially crafted server certificate. A targeted system would not be able to discern the attacker's DirectAccess server from a legitimate one.

Will Microsoft issue any further update to address this vulnerability?
No. Microsoft is not planning to release an update in addition to the one released with this advisory.

What does the update do?
The update prevents an attacker-controlled system from being able to pose as a legitimate DirectAccess server without a valid certificate issued by the owning organization. However, the update alone is not enough to fully protect customers from the vulnerability addressed in this advisory. In addition to applying the 2862152 update, customers must also follow the configuration guidance provided in Microsoft Knowledge Base Article 2862152 to be fully protected from the vulnerability.

What additional guidance must customers follow in order to be protected from the vulnerability?
The nature of the fix requires that an enterprise that has DirectAccess server deployed create new server certificates and deploy these new certificates to their DirectAccess server and client systems. If these new certificates are not installed before the update is deployed, the DirectAccess services will remain insecure. See Microsoft Knowledge Base Article 2862152 for the additional configuration steps required for full protection from the vulnerability.
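The remediation described above has two halves: the 2862152 update must be installed, and the DirectAccess server certificate in use must be one issued by the owning organization's CA rather than by any CA the client happens to trust. The following PowerShell script is an added example for checking both halves on a Windows system; it is not part of this advisory or of Knowledge Base Article 2862152. The CA thumbprint and the server subject-name filter are placeholders you replace with your own values, and the registry or policy settings that the KB article itself prescribes are not reproduced here.

```powershell
# Added example, not code from Microsoft's advisory or from KB 2862152.
# Checks the two halves of the remediation on a DirectAccess client or server:
#   1. the 2862152 update is installed;
#   2. the server certificate in the machine store chains to the organization's own CA.
# Assumptions (placeholders, not from the advisory): $ExpectedCaThumbprint is your
# enterprise issuing or root CA thumbprint; $ServerCertSubjectMatch is a fragment of
# the DirectAccess server certificate's subject name.
param(
    [string]$ExpectedCaThumbprint  = 'REPLACE-WITH-YOUR-CA-THUMBPRINT',  # assumption
    [string]$ServerCertSubjectMatch = 'da.example.com'                   # assumption
)

# 1. Is the update present? Get-HotFix reads the installed-updates inventory.
$hotfix = Get-HotFix -Id 'KB2862152' -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output "KB2862152 installed on $($hotfix.InstalledOn)"
} else {
    Write-Warning 'KB2862152 is NOT installed; the certificate check below gives no protection until the update is applied.'
}

# 2. Locate candidate server certificates in the machine personal store.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$ServerCertSubjectMatch*" }

if (-not $certs) {
    Write-Warning "No certificate with subject matching '$ServerCertSubjectMatch' found in Cert:\LocalMachine\My."
}

$wanted = $ExpectedCaThumbprint.ToUpperInvariant().Replace(' ', '')

foreach ($cert in $certs) {
    # Build the chain the way the OS would, including an online revocation check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $builds = $chain.Build($cert)

    # Thumbprints of every CA in the chain (element 0 is the leaf itself).
    $caThumbprints = $chain.ChainElements |
        Select-Object -Skip 1 |
        ForEach-Object { $_.Certificate.Thumbprint }

    $issuedByOrgCA = $caThumbprints -contains $wanted

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        ChainBuilds   = $builds
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        IssuedByOrgCA = $issuedByOrgCA
    }

    if (-not $issuedByOrgCA) {
        Write-Warning "$($cert.Subject) does not chain to the expected organization CA; per the advisory, the update's protection depends on a certificate issued by the owning organization."
    }
}
```

Run it with the real CA thumbprint and server name, on the DirectAccess server and on a sample of clients: a certificate that builds a valid chain but reports IssuedByOrgCA = False is exactly the situation the advisory warns about, and it must be replaced before the deployment is considered protected.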

Suggested Actions

Apply the update for affected releases of Microsoft Windows

The majority of customers have automatic updating enabled and will not need to take any action because the 2862152 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install the 2862152 update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information on how to manually apply the update, see Microsoft Knowledge Base Article 2862152.

Note In addition to installing the update, additional administrative steps are required to be protected from the vulnerability described in this advisory. See Microsoft Knowledge Base Article 2862152 for detailed guidance.

Additional Suggested Actions

  • Protect your PC

    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.

  • Keep Microsoft Software Updated

    Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

  • Daniel Letkiewicz of Google for reporting the DirectAccess Spoofing Vulnerability (CVE-2013-3876)

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (November 12, 2013): Advisory published.
  • V1.1 (February 28, 2014): Advisory revised to announce a detection change in the 2862152 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows Server 2012 R2, and Windows RT 8.1. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
