CVE-2015-0006

Name of the Vulnerable Software and Affected Versions Microsoft Windows Server 2003 SP2 Microsoft Windows Vista SP2 Microsoft Windows Server 2008 SP2 and R2 SP1 Microsoft Windows 7 SP1 Microsoft Windows 8 Microsoft Windows 8.1 Microsoft Windows Server 2012 Gold and R2

Description A security issue exists in the Network Location Awareness (NLA) service, which fails to perform mutual authentication to determine a domain connection. This allows remote attackers to trigger an unintended permissive configuration by spoofing DNS and LDAP responses on a local network. The vulnerability could unintentionally relax the firewall policy and/or configuration of certain services, increasing the surface exposed to an attacker.

Recommendations For Microsoft Windows Server 2003 SP2, update to a newer version to mitigate the risk. For Microsoft Windows Vista SP2, update to a newer version to mitigate the risk. For Microsoft Windows Server 2008 SP2 and R2 SP1, update to a newer version to mitigate the risk. For Microsoft Windows 7 SP1, update to a newer version to mitigate the risk. For Microsoft Windows 8, update to a newer version to mitigate the risk. For Microsoft Windows 8.1, update to a newer version to mitigate the risk. For Microsoft Windows Server 2012 Gold and R2, update to a newer version to mitigate the risk. As a temporary workaround, consider restricting access to the NLA service to minimize the risk of exploitation.