Local attackers can use Group Policy flaw to take over enterprise Windows systems – Digitaleclub
Digitaleclub
Best for you!

Local attackers can use Group Policy flaw to take over enterprise Windows systems

Microsoft fixed 129 vulnerabilities today across its entire range of software products, from Windows and Office to Visual Studio, Azure DevOps and Microsoft Apps for Android. Eleven of those flaws are critical and should be patched immediately, but one particular vulnerability could be easily overlooked and could allow hackers with local access to take full control of enterprise Windows systems.

The issue, tracked as CVE-2020-1317, affects one of the most basic mechanisms for centrally managing the settings of Windows computers and users in Active Directory environments: Group Policy. More importantly, the flaw is old and exists in all Windows versions for desktops and servers beginning with Windows Server 2008. Microsoft rates it as important and describes it as such:

“An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system.”

The company’s advisory has no other information aside from that, but according to researchers from CyberArk who discovered the vulnerability, it is quite serious.

How an attacker can exploit the Group Policy vulnerability

Group Policy settings are stored on Windows systems as Group Policy Objects (GPO) and they can be distributed by the domain administrator over the network from the domain controller. However, Group Policy updates are not instant by default and usually take time to propagate over a network, which is why Windows includes a tool called GPUpdate.exe that users can run to request GPO updates from the domain controller instead of waiting for them.

“Interestingly enough, a Group Policy update can be requested manually by a local non-privileged user,” the security CyberArk security researchers said in a blog post. “So, if you manage to find a bug in the Group Policy update process, you can trigger it yourself whenever you want to — making a potential attack easier.”

The Group Policy updates are handled through a service called GPSVC that runs under the svchost.exe process, which handles many services in Windows. As expected, this service runs with the highest possible privileges, in the context of NT AUTHORITYSYSTEM.

Leave A Reply

Your email address will not be published.