CVE-2016-3228
published 2016-06-16CVE-2016-3228: Microsoft Windows Server 2008 SP2 and R2 SP1 and Windows Server 2012 Gold and R2 allow remote authenticated users to execute arbitrary code via a crafted…
PriorityP259high8.8CVSS 3.0
AVNACLPRLUINSUCHIHAH
EPSS
13.34%
95.9th percentile
Microsoft Windows Server 2008 SP2 and R2 SP1 and Windows Server 2012 Gold and R2 allow remote authenticated users to execute arbitrary code via a crafted NetLogon request, aka "Windows Netlogon Memory Corruption Remote Code Execution Vulnerability."
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_server_2008_for_32-bit_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_for_itanium-based_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_for_x64-based_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_r2_for_itanium-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2008_r2_for_x64-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Target attack surface is the NetLogon service on domain controllers; monitor for anomalous or crafted NetLogon requests originating from domain-authenticated users ↗
- →Scope detection to Windows Server roles only (2008 SP2, 2008 R2 SP1, 2012 Gold, 2012 R2); workstation OS is not affected ↗
- ·Exploitation requires domain authentication; unauthenticated remote exploitation is not possible, reducing external attack surface but elevating insider/lateral-movement risk ↗
- ·Security update KB3161561 is shared across bulletins MS16-075 and MS16-076; ensure it is only applied once and not double-counted in patch compliance tracking ↗
- ·As of advisory publication, the vulnerability had not been publicly disclosed or exploited in the wild, but exploitation on older software releases is rated 'Less Likely' ↗
CVSS provenance
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
vendor_msrc8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Microsoft
Windows NetLogon Memory Corruption Remote Code Execution Vulnerability
vendor_msrc·2016-06-14·CVSS 8.8
CVE-2016-3228 [HIGH] Windows NetLogon Memory Corruption Remote Code Execution Vulnerability
Windows NetLogon Memory Corruption Remote Code Execution Vulnerability
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution when Windows improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.
To exploit the vulnerability, a domain-authenticated attacker could make a specially crafted NetLogon request to a domain controller. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
This update corrects how Windows handles objects in memory to prevent corruption.
FAQ: Why is security update 3161561 in this bulletin also den
GHSA
GHSA-573f-j78f-p7gp: Microsoft Windows Server 2008 SP2 and R2 SP1 and Windows Server 2012 Gold and R2 allow remote authenticated users to execute arbitrary code via a craf
ghsa_unreviewed·2022-05-14
CVE-2016-3228 [HIGH] CWE-20 GHSA-573f-j78f-p7gp: Microsoft Windows Server 2008 SP2 and R2 SP1 and Windows Server 2012 Gold and R2 allow remote authenticated users to execute arbitrary code via a craf
Microsoft Windows Server 2008 SP2 and R2 SP1 and Windows Server 2012 Gold and R2 allow remote authenticated users to execute arbitrary code via a crafted NetLogon request, aka "Windows Netlogon Memory Corruption Remote Code Execution Vulnerability."
No detection rules found.
No public exploits indexed.
Talos
Microsoft Patch Tuesday - June 2016
blogs_talos·2016-06-14
Microsoft Patch Tuesday - June 2016
## Microsoft Patch Tuesday - June 2016
This post was authored by Warren Mercer .
Patch Tuesday for June 2016 has arrived where Microsoft releases their monthly set of security bulletins designed to address security vulnerabilities within their products. This month's release contains 17 bulletins addressing 44 vulnerabilities. Five bulletins resolve critical vulnerabilities found in MS DNS Server, Edge, Internet Explorer, JScript/VBScript, and Office. The remaining bulletins are rated important and address vulnerabilities in Active Directory, Exchange Server, Group Policy, SMB Server, Netlogon, Windows Graphics component, Windows Kernel-mode Drivers, Windows PDF, Window Search Component, and WPAD.
## Bulletins Rated Critical Microsoft bulletins MS16-063, MS16-068 through MS16-071, and MS
Talos
Microsoft Patch Tuesday - June 2016
blogs_talos·2016-06-14
Microsoft Patch Tuesday - June 2016
This post was authored by Warren Mercer.
Patch Tuesday for June 2016 has arrived where Microsoft releases their monthly set of security bulletins designed to address security vulnerabilities within their products. This month's release contains 17 bulletins addressing 44 vulnerabilities. Five bulletins resolve critical vulnerabilities found in MS DNS Server, Edge, Internet Explorer, JScript/VBScript, and Office. The remaining bulletins are rated important and address vulnerabilities in Active Directory, Exchange Server, Group Policy, SMB Server, Netlogon, Windows Graphics component, Windows Kernel-mode Drivers, Windows PDF, Window Search Component, and WPAD.
## Bulletins Rated CriticalMicrosoft bulletins MS16-063, MS16-068 through MS16-071, and MS16-083 are rated as critical in this relea
2016-06-16
Published