CVE-2016-3223
Published 2016-06-16. CVE-2016-3223: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10…
Priority: P263 high · CVSS 3.0 score 8.1
CVSS 3.0 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (see references)
EPSS: 21.09% (97.3rd percentile)
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mishandle LDAP authentication, which allows man-in-the-middle attackers to gain privileges by modifying group-policy update data within a domain-controller data stream, aka "Group Policy Elevation of Privilege Vulnerability."
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for LDAP authentication traffic between domain members and domain controllers that is NOT protected by Kerberos: the vulnerability stems from mishandled LDAP authentication allowing MitM modification of group-policy update data.
- Alert on unexpected new local administrator account creation (e.g. 'TestAdmin') via Group Policy User Configuration, especially when the policy originates from an unrecognised or rogue domain controller.
- Detect forced group policy updates (gpupdate /force) initiated from a standard user session, particularly targeting user policy only (/target:user), which is the exploitation trigger in this attack chain.
- Monitor for MitM-style ARP/DNS spoofing or rogue DC activity on the network that could redirect group policy LDAP traffic; correlate with subsequent local Administrators group membership changes.
- Exploitation requires the attacker to already know valid domain user credentials and the target machine's FQDN, limiting opportunistic exploitation to scenarios with prior credential access or network reconnaissance.
- Domain-joined systems with Windows Server 2012+ DCs and Windows 8+ clients are protected by Kerberos armoring (FAST) and are NOT vulnerable; detection/patching focus should prioritise older OS combinations.
- The fix enforces Kerberos authentication for the specific LDAP calls used during group policy retrieval; environments that cannot patch should consider enforcing Kerberos armoring (FAST) as a compensating control.
- The attack requires a network connection to a fake/rogue DC to be established after the victim logs in with cached credentials; air-gapping or strict network segmentation can prevent exploitation.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_msrc | — | 8.1 | HIGH | — |
GHSA
GHSA-8wqf-xx2r-cp34 (ghsa_unreviewed · 2022-05-14) [HIGH]: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
Description: identical to the CVE description above.
Microsoft (vendor_msrc · 2016-06-14 · CVSS 8.1)
CVE-2016-3223 [HIGH] Group Policy Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when Microsoft Windows processes group policy updates. An attacker who successfully exploited this vulnerability could potentially escalate permissions or perform additional privileged actions on the target machine.
To exploit this vulnerability, an attacker would need to launch a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine. An attacker could then create a group policy to grant administrator rights to a standard user.
The security update addresses the vulnerability by enforcing Kerberos authentication for certain calls over LDAP.
Product: Windows Group Policy
Vendor: Microsoft
Customer Action Req
No detection rules found.
Talos
Microsoft Patch Tuesday - June 2016 (blogs_talos · 2016-06-14)
## Microsoft Patch Tuesday - June 2016
This post was authored by Warren Mercer.
Patch Tuesday for June 2016 has arrived where Microsoft releases their monthly set of security bulletins designed to address security vulnerabilities within their products. This month's release contains 17 bulletins addressing 44 vulnerabilities. Five bulletins resolve critical vulnerabilities found in MS DNS Server, Edge, Internet Explorer, JScript/VBScript, and Office. The remaining bulletins are rated important and address vulnerabilities in Active Directory, Exchange Server, Group Policy, SMB Server, Netlogon, Windows Graphics component, Windows Kernel-mode Drivers, Windows PDF, Windows Search Component, and WPAD.
## Bulletins Rated Critical
Microsoft bulletins MS16-063, MS16-068 through MS16-071, and MS16-083 are rated as critical in this relea…
References
- http://packetstormsecurity.com/files/138248/Microsoft-Windows-7-Group-Policy-Privilege-Escalation.html
- http://www.securitytracker.com/id/1036100
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-072
- https://www.exploit-db.com/exploits/40219/
Published: 2016-06-16