4.9 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
COMPLETE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:N/I:C/A:N
0.0004 Low
EPSS
Percentile
9.9%
The remote Windows host is affected by a security feature bypass vulnerability in Kerberos due to a failure to check the password change of a user signing into a workstation. A remote attacker can exploit this vulnerability by connecting a workstation to a malicious Kerberos Key Distribution Center (KDC), resulting in the ability to decrypt drives protected by BitLocker.
Note that this vulnerability can only be exploited if the target system has BitLocker enabled without a PIN or USB key, and the computer is domain-joined.
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
script_id(86828);
script_version("1.11");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/06/04");
script_cve_id("CVE-2015-6095");
script_bugtraq_id(77475);
script_xref(name:"MSFT", value:"MS15-122");
script_xref(name:"MSKB", value:"3101246");
script_xref(name:"MSKB", value:"3105213");
script_xref(name:"MSKB", value:"3105211");
script_xref(name:"IAVA", value:"2015-A-0278");
script_name(english:"MS15-122: Security Update for Kerberos to Address Security Feature Bypass (3105256)");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a security feature bypass
vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote Windows host is affected by a security feature bypass
vulnerability in Kerberos due to a failure to check the password
change of a user signing into a workstation. A remote attacker can
exploit this vulnerability by connecting a workstation to a malicious
Kerberos Key Distribution Center (KDC), resulting in the ability to
decrypt drives protected by BitLocker.
Note that this vulnerability can only be exploited if the target
system has BitLocker enabled without a PIN or USB key, and the
computer is domain-joined.");
# https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-122
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a5f58ee1");
# https://support.microsoft.com/en-us/topic/ms15-122-description-of-the-security-update-for-windows-kerberos-november-10-2015-d2e80a23-2e28-05ea-10c2-9094b3531d49
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?34a741e7");
script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows Vista, 2008, 7,
2008 R2, 8, RT, 2012, 8.1, RT 8.1, 2012 R2, and 10.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:C/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-6095");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2015/11/10");
script_set_attribute(attribute:"patch_publication_date", value:"2015/11/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/10");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows : Microsoft Bulletins");
script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
script_require_ports(139, 445, "Host/patch_management_checks");
exit(0);
}
include('smb_hotfixes_fcheck.inc');
include('smb_hotfixes.inc');
include('smb_func.inc');
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
bulletin = 'MS15-122';
kb = "3101246";
kbs = make_list("3101246","3105213","3105211");
if (get_kb_item("Host/patch_management_checks"))
hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
if (productname =~ "201[69]") audit(AUDIT_OS_SP_NOT_VULN);
if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10: '0') <= 0)
audit(AUDIT_OS_SP_NOT_VULN);
share = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
if (
# Windows 10
hotfix_is_vulnerable(os:"10", file:"Kerberos.dll", version:"10.0.10586.3", min_version:"10.0.10586.0", dir:"\system32", bulletin:bulletin, kb:"3105211") ||
hotfix_is_vulnerable(os:"10", file:"Kerberos.dll", version:"10.0.10240.16590", dir:"\system32", bulletin:bulletin, kb:"3105213") ||
# Windows 8.1 / 2012 R2
hotfix_is_vulnerable(os:"6.3", file:"Kerberos.dll", version:"6.3.9600.18091", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
# Windows 8 / 2012
hotfix_is_vulnerable(os:"6.2", file:"Kerberos.dll", version:"6.2.9200.21674", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"6.2", file:"Kerberos.dll", version:"6.2.9200.17557", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
# Windows 7 / 2008 R2
hotfix_is_vulnerable(os:"6.1", sp:1, file:"Kerberos.dll", version:"6.1.7601.23249", min_version:"6.1.7601.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"6.1", sp:1, file:"Kerberos.dll", version:"6.1.7601.19043", min_version:"6.1.7600.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
# Vista / 2008
hotfix_is_vulnerable(os:"6.0", sp:2, file:"Kerberos.dll", version:"6.0.6002.23835", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"6.0", sp:2, file:"Kerberos.dll", version:"6.0.6002.19525", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
hotfix_security_warning();
hotfix_check_fversion_end();
exit(0);
}
else
{
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');
}