Microsoft Security Bulletin MS15-017 - Important
Vulnerability in Virtual Machine Manager Could Allow Elevation of Privilege (3035898)
Published: February 10, 2015
This security update resolves a privately reported vulnerability in Virtual Machine Manager (VMM). The vulnerability could allow elevation of privilege if an attacker logs on an affected system. An attacker must have valid Active Directory logon credentials and be able to log on with those credentials to exploit the vulnerability.
This security update is rated Important for Microsoft System Center 2012 R2 Virtual Machine Manager Update Rollup 4. For more information, see the Affected Software section.
The security update addresses the vulnerability by correcting how VMM validates user roles. For more information about the vulnerability, see the Vulnerability Information section.
For more information about this update, see Microsoft Knowledge Base Article 3035898.
The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.
|**Software**|**Maximum Security Impact**|**Aggregate Severity Rating**|**Updates Replaced**| |------------|------------|------------|------------| |**Microsoft System Center Virtual Machine Manager**| |Microsoft System Center Virtual Machine Manager 2012 R2 Update Rollup 4 ([VMM Server update 3023195](https://support.microsoft.com/kb/3023195))|Elevation of Privilege|Important|None|
This update addresses the vulnerability in VMM Server update 2992024.
Customers running Microsoft System Center Virtual Machine Manager 2012 R2 Update Rollup 5 Preview (VMM Server update 3011473) should download and install the Security Update for Microsoft System Center 2012 R2 - Virtual Machine Manager 2012 R2 UR5 (KB3023195) from Microsoft Knowledge Base Article 3023195 to address the vulnerability described in this bulletin.
Note If you have the Administrator Console installed on the VMM server, you must also install update 3023914 (Admin Console Update), which is available for download from Microsoft Knowledge Base Article 3023195. Install the updates in the following order:
- Update Rollup 5 for the VMM Server
- Update Rollup 5 for Administrator Console
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the February bulletin summary.
|**Vulnerability Severity Rating and Maximum Security Impact by Affected Software**| |------------| |**Affected Software**|[**Virtual Machine Manager Elevation of Privilege Vulnerability - CVE-2015-0012**](https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0012)|**Aggregate Severity Rating**| |**Software**| |Microsoft System Center Virtual Machine Manager 2012 R2 Update Rollup 4 (VMM Server update 2992024)|**Important** Elevation of Privilege|**Important**|
Virtual Machine Manager Elevation of Privilege Vulnerability - CVE-2015-0012
A vulnerability exists in Virtual Machine Manager (VMM) when VMM improperly validates user roles. The vulnerability could allow elevation of privilege if an attacker logs on an affected system. An attacker must have valid Active Directory logon credentials and be able to log on with those credentials to exploit the vulnerability. The security update addresses the vulnerability by correcting how VMM validates user roles.
To exploit this vulnerability, an attacker would first have to log on a VMM server. An attacker who successfully exploited this vulnerability could gain administrative privileges to the VMM server and take control of all virtual machines controlled by the VMM server.
Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.
Microsoft has not identified any mitigating factors for this vulnerability.
Microsoft has not identified any workarounds for this vulnerability.
Security Update Deployment
For Security Update Deployment information, see the Microsoft Knowledge Base article referenced in the Executive Summary.
Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure. See Acknowledgments for more information.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (February 10, 2015): Bulletin published.
Page generated 2015-02-06 16:05Z-08:00.