Close Widget

On November 10, 2015, Microsoft® released details about a vulnerability that allows an attacker with physical access to bypass the Windows® login screen and gain access to the operating system logged in as a user. There are a number of pre-requisites required, however they are all common configurations that are found in many organisations.  What makes this attack even more devastating is the time taken to perform the attack, and the fact that it also affects BitLocker® when deployed using Microsoft’s own recommended strategy.  So, corporate assets such as laptops that are considered secure can be accessed in a matter of seconds.

 

Could my organization be vulnerable?

Most likely yes.  This attack affects all versions of Windows, and can be performed very quickly.  The attacker does however require physical access to the machine to perform the attack and the system must also be joined to a domain.  Systems that are encrypted requiring a USB key or PIN are not affected.

 

How can we detect the issue?

Detection is simple; any version of Windows, from Windows 2000 through to Windows 10 are vulnerable, including Windows Servers unless you have installed the security update which addresses the vulnerability (MS15-122).

For customers who have a SureCloud Internal Appliance it is possible to detect MS15-122 using an authenticated scan which can be configured through the SureCloud Platform.  See plugin IDs 86828 and SC-1976.

 

What can we do to protect our organization’s users?

The attack involves the attacker impersonating a Domain Controller and flagging the user as requiring a password change.  The local cache is then poisoned with an attacker controlled password.  The best protection against this attack is to have a patching policy whereby all systems are kept up to date, and specifically ensure that all systems have installed Microsoft update MS15-122.

 

Get in touch

Should you have any questions regarding this or any security related matter please do not hesitate to get in touch by opening a support ticket or emailing SureCloud Support.

 

References

https://support.microsoft.com/en-us/kb/3105256

https://technet.microsoft.com/library/security/MS15-122

https://www.blackhat.com/docs/eu-15/materials/eu-15-Haken-Bypassing-Local-Windows-Authentication-To-Defeat-Full-Disk-Encryption-wp.pdf

 

 

Whilst every effort is made to ensure the accuracy and robustness of any information presented, it is not possible for SureCloud to test every possible scenario an organization may face, and SureCloud cannot be held liable for any loss or damage which may arise from taking action on any of the contents provided. SureCloud strongly advises that all recommendations, solutions and detection methods detailed, are thoroughly reviewed and tested in non-production environments before being considered suitable for production release, in-line with any existing internal change control procedures.

How can we help?