MS12-083: Addressing a missing certificate revocation check in IP-HTTPS

MS12-083 is being released to address a Security Feature Bypass, a class of vulnerability for which we do not frequently release security updates. This is the third such instance, with MS12-001 and MS12-032 previously having addressed Security Feature Bypasses. The security feature being bypassed in the case of MS12-083 is the certificate revocation check in IP-HTTPS. This IP-HTTPS component is used in DirectAccess environments. The vulnerability allows a revoked computer certificate to be accepted for authentication.

What is the security feature being bypassed?

A DirectAccess server can be configured to allow a number of different tunneling protocols: Teredo, 6to4, native IPv6, or IP-HTTPS. IP-HTTPS is intended to be the most secure way of connecting to a DirectAccess server, as it offers initial client and server authentication. However, in the case of the vulnerability addressed by MS12-083, the IP-HTTPS server does not properly check client certificates for revocation. This would allow an attacker to use a revoked computer certificate to establish the IP-HTTPS tunnel for further communication.

How severe is the bypass of the IP-HTTPS revocation check?

This attack is only possible with a revoked computer certificate from a certificate authority that is trusted by the IP-HTTPS server. Although this vulnerability allows the creation of the outer IP-HTTPS tunnel with a revoked certificate, valid domain credentials and an IPsec tunnel certificate are still required to establish the IPsec tunnels (the Infrastructure and Intranet tunnels) and access internal resources.

By establishing an IP-HTTPS tunnel to the DirectAccess server, the client obtains an IPv6 interface connected to that server. An attacker could use this interface to observe the IPv6 addresses of other clients when those clients perform duplicate address detection and other standard IPv6 neighbor discovery. Knowing the IPv6 addresses of other clients on the network, the attacker could then leverage any other network vulnerabilities.

What is the most likely attack scenario?

As described above, this vulnerability allows a client to access the network even after its certificate has been revoked. Therefore, the most likely attack scenario is that of an employee who has been terminated or who has lost physical control of their laptop. In both cases, simply revoking the certificate would provide a false sense of security on systems where this security update has not yet been installed.

How can this vulnerability be mitigated?

This security update comprehensively addresses the vulnerability. To mitigate the issue without the security update, we suggest disabling the computer account in Active Directory at the same time the certificate is revoked. Doing so prevents the IP-HTTPS tunnel from being created, because the tunnel setup fails when the computer account is disabled.
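The following PowerShell script is an added example of the workaround described above, not code from the original post or from Microsoft. It revokes the computer certificate on the issuing CA, publishes a fresh CRL, and disables the matching computer account in Active Directory in one step, then verifies that the account really is disabled. The CA configuration string, the certificate serial number, and the computer name are placeholders and must be replaced; it assumes the RSAT Active Directory module and certutil.exe are available on the machine running it, and that the caller holds Certificate Manager rights on the CA and rights to modify the computer object.

```powershell
# Added example: revoke a DirectAccess client's computer certificate AND disable
# its AD computer account in the same operation, so the IP-HTTPS tunnel cannot be
# established on servers that do not yet have MS12-083 installed.
# All three values below are placeholders (constructed for this example).
param(
    [string]$CAConfig     = 'CA01.corp.example\Corp-Issuing-CA',   # "<CAHost>\<CAName>"
    [string]$CertSerial   = '1a2b3c4d5e6f00000001',                # serial of the computer cert
    [string]$ComputerName = 'LAPTOP-LOST01'                         # sAMAccountName without trailing $
)

Import-Module ActiveDirectory -ErrorAction Stop

# Reason code 1 = Key Compromise (certutil revocation reasons: 0 Unspecified,
# 1 Key Compromise, 2 CA Compromise, 3 Affiliation Changed, 4 Superseded,
# 5 Cessation of Operation, 6 Certificate Hold).
$revokeReason = 1

# 1. Revoke the certificate on the issuing CA.
& certutil.exe -config $CAConfig -revoke $CertSerial $revokeReason
if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed with exit code $LASTEXITCODE" }

# 2. Publish a new base CRL immediately so relying parties see the revocation
#    without waiting for the scheduled CRL publication.
& certutil.exe -config $CAConfig -CRL
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }

# 3. Disable the computer account at the same time. This is the step that actually
#    blocks the IP-HTTPS tunnel on an unpatched DirectAccess server.
Disable-ADComputer -Identity $ComputerName -ErrorAction Stop

# 4. Verify: the workaround is only effective if the account is really disabled.
$acct = Get-ADComputer -Identity $ComputerName -Properties Enabled
if ($acct.Enabled) {
    throw "Computer account $ComputerName is still enabled; IP-HTTPS tunnel may still be created."
}
Write-Host "Certificate $CertSerial revoked and computer account $ComputerName disabled."
```

Run it from an elevated prompt on a management host with the Active Directory module installed. Because the mitigation depends on both actions happening together, the script stops at the first failure rather than leaving the certificate revoked but the account still enabled, which is precisely the state the post warns gives a false sense of security.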

– Gangadhara Swamy and Ali Rahbar, MSRC Engineering