CVE-2015-0015

Name of the Vulnerable Software and Affected Versions Microsoft Windows Server versions 2003 SP2, 2008 SP2 and R2 SP1, and 2012 Gold and R2

Description This issue allows remote attackers to cause a denial of service condition, resulting in a system hang and RADIUS outage, by sending crafted username strings to either the Internet Authentication Service (IAS) or the Network Policy Server (NPS). An unauthenticated attacker could exploit this to prevent RADIUS authentication, causing the target system to stop responding. Note that this does not allow code execution or user rights elevation. Network Policy Servers that allow remote, untrusted user authentication are particularly at risk.

Recommendations For Microsoft Windows Server 2003 SP2, update to a version that includes the fix for this issue. For Microsoft Windows Server 2008 SP2 and R2 SP1, update to a version that includes the fix for this issue. For Microsoft Windows Server 2012 Gold and R2, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Internet Authentication Service (IAS) or Network Policy Server (NPS) to minimize the risk of exploitation.