{"id":3366,"date":"2017-08-01T00:51:01","date_gmt":"2017-07-31T22:51:01","guid":{"rendered":"http:\/\/borncity.com\/win\/?p=3366"},"modified":"2017-08-01T01:23:14","modified_gmt":"2017-07-31T23:23:14","slug":"beware-of-microsofts-ldap-server-cve-2017-8563","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2017\/08\/01\/beware-of-microsofts-ldap-server-cve-2017-8563\/","title":{"rendered":"Beware of Microsoft&rsquo;s LDAP Server CVE-2017-8563 Fix"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2013\/03\/winb.jpg\" width=\"58\" align=\"left\" height=\"58\">[<a href=\"http:\/\/www.borncity.com\/blog\/2017\/08\/01\/obacht-bei-microsofts-ldap-server-cve-2017-8563-fix\/\" target=\"_blank\">German<\/a>] Microsoft updated several products on July 11, 2017, to close a Windows Elevation of Privilege Vulnerability (CVE-2017-8563). However, manual action is still required to fully fix the vulnerability.<\/p>\n<p><!--more--><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" alt=\"\" src=\"https:\/\/ssl-vg03.met.vgwort.de\/na\/36b062c2b8d246b984033912bbd978c7\" width=\"1\" height=\"1\">The Hacker News reported on this critical flaw in Microsoft's Windows NTLM security protocols <a href=\"http:\/\/thehackernews.com\/2017\/07\/windows-ntlm-security-flaw.html?m=1\" target=\"_blank\">here<\/a>. 
They wrote:<\/p>\n<blockquote>\n<p>The first vulnerability involves unprotected Lightweight Directory Access Protocol (LDAP) from NTLM relay, and the second impacts Remote Desktop Protocol (RDP) Restricted-Admin mode.<\/p>\n<\/blockquote>\n<p>Microsoft has addressed this issue in <a href=\"https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\/advisory\/CVE-2017-8563\" target=\"_blank\">CVE-2017-8563<\/a> and wrote: <em>An elevation of privilege vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully forward an authentication request to a Windows LDAP server, such as a system running Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), which has been configured to require signing or sealing on incoming connections.<\/em><\/p>\n<p>Microsoft provided patches for all supported <a href=\"https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\/advisory\/CVE-2017-8563\" target=\"_blank\">Windows versions<\/a>. But installing the patches alone is not sufficient. In an Active Directory environment, you also need to follow the advice below, which Microsoft has given in its KB articles.<\/p>\n<blockquote>\n<p>In addition to installing the updates for CVE-2017-8563 are there any further steps I need to carry out to be protected from this CVE?<br \/>Yes. To make LDAP authentication over SSL\/TLS more secure, administrators need to create a LdapEnforceChannelBinding registry setting on machine running AD DS or AD LDS. 
For more information about setting this registry key, see <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4034879\" target=\"_blank\">Microsoft Knowledge Base article 4034879<\/a>.<\/p>\n<\/blockquote>\n<p>Following the link given above leads to this additional advice:<\/p>\n<blockquote>\n<p>Notes<br \/><strong>Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL\/TLS that previously worked may no longer work.<\/strong> By default, this setting is disabled.<br \/>The LdapEnforceChannelBindings registry entry must be explicitly created.<br \/>LDAP server responds dynamically to changes to this registry entry. Therefore, you do not have to restart the computer after you apply the registry change.<br \/><strong>To maximize compatibility with older operating system versions (Windows Server 2008 and earlier versions), we recommend that you enable this setting with a value of 1<\/strong>. See Microsoft Security Advisory 973811 for more details.<\/p>\n<\/blockquote>\n<p>This <a href=\"https:\/\/www.administrator.de\/wissen\/nacharbeiten-patch-dom%C3%A4nencontroller-erforderlich-344647.html\" target=\"_blank\">German site<\/a> contains a script to check whether the update is installed.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] Microsoft updated several products on July 11, 2017, to close a Windows Elevation of Privilege Vulnerability (CVE-2017-8563). 
However, manual action is still required to fully fix the vulnerability.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,22,2],"tags":[69,195,194],"class_list":["post-3366","post","type-post","status-publish","format-standard","hentry","category-security","category-update","category-windows","tag-security","tag-update","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/3366","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=3366"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/3366\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=3366"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=3366"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=3366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}