A critical configuration flaw in Microsoft's AppLocker blocklist policy has been found, revealing how attackers could potentially bypass security restrictions through a subtle versioning error.
The problem centers on an incorrect MaximumFileVersion value that creates an exploitable gap in Microsoft's application control framework, highlighting the importance of precise security policy implementation in enterprise environments.
Key Takeaways
1. An incorrect MaximumFileVersion (65355 instead of 65535) opens an AppLocker bypass.
2. Tampered binaries lose their valid signatures, so signed-only policies still stop the attack.
3. Fix it by updating the blocklist value and auditing all copied security configurations.
AppLocker Config Vulnerability
Varonis Threat Labs reports that the vulnerability stems from a seemingly minor but significant discrepancy in Microsoft's recommended AppLocker configuration.
Researchers found that the MaximumFileVersion field was incorrectly set to 65355.65355.65355.65355 instead of the expected 65535.65535.65535.65535.
This error creates a version range gap that malicious actors could exploit to bypass application restrictions.
The problematic configuration appears in Microsoft's blocklist as:
Since 65535 is the maximum value of an unsigned 16-bit integer, any executable with a version number between 65355.65355.65355.65355 and 65535.65535.65535.65535 could theoretically slip through policy enforcement.
An attacker could modify a blocked executable's version metadata to exceed the configured maximum, allowing it to execute despite being on the blocklist.
While this discovery initially appears concerning, the practical security impact is significantly mitigated by Microsoft's layered security approach.
The AppLocker blocklist policy is designed to work together with code signing requirements that only allow signed executables to run on the system.
When an attacker modifies an executable's version information, the process inevitably breaks the file's digital signature, causing the modified file to be blocked by the broader "signed executables only" rule.
This multilayered security design demonstrates that even when one control mechanism has a flaw, complementary security measures can prevent exploitation.
However, organizations relying solely on the blocklist without enforcing code signing policies could potentially be vulnerable to this bypass technique.
Microsoft Addresses Documentation Source
Investigation into the error's origin traced it back to Microsoft's own documentation. The incorrect 65355 value appeared in Microsoft's Publish page documentation, which has since been corrected following Varonis's responsible disclosure.
This incident underscores how documentation errors can propagate into production security policies when administrators copy configurations without thorough validation.
The discovery serves as a reminder that security professionals must carefully review all policy configurations, avoid blindly copy-pasting security rules, and implement defense-in-depth strategies.
Organizations using AppLocker should consider updating their MaximumFileVersion settings to the correct values and ensure comprehensive application control policies are in place to prevent potential bypasses.
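As an added example (not from the article or from Varonis), the script below shows both points made above: why a version inside the 65355-to-65535 range escapes a rule whose maximum is the typo value, and how to audit a copied policy for that typo before deploying it. The policy XML is a constructed sample in the WDAC FileRules style (Deny elements carrying MaximumFileVersion); the rule IDs, file names and namespace-free layout are assumptions for the demonstration.

```python
"""Audit a copied block-list policy for the 65355/65535 typo and show the gap it leaves."""
import xml.etree.ElementTree as ET

MAX_U16 = 65535  # largest value a 16-bit PE VERSIONINFO field can hold
TYPO = 65355     # the transposed value discussed in the article

# Constructed sample policy, not a real rule from Microsoft's block list.
SAMPLE_POLICY = """<SiPolicy>
  <FileRules>
    <Deny ID="ID_DENY_EXAMPLE_TYPO" FriendlyName="constructed example (typo)"
          FileName="example_tool.exe" MinimumFileVersion="0.0.0.0"
          MaximumFileVersion="65355.65355.65355.65355" />
    <Deny ID="ID_DENY_EXAMPLE_OK" FriendlyName="constructed example (correct)"
          FileName="other_tool.exe" MinimumFileVersion="0.0.0.0"
          MaximumFileVersion="65535.65535.65535.65535" />
  </FileRules>
</SiPolicy>"""


def parse_version(text):
    """'a.b.c.d' -> (a, b, c, d), rejecting anything a PE version field cannot hold."""
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) != 4 or any(not 0 <= p <= MAX_U16 for p in parts):
        raise ValueError(f"bad version string: {text}")
    return parts


def version_in_range(version, low, high):
    """Version ranges compare section by section, which tuple ordering reproduces."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def find_typo_rules(policy_xml):
    """Return IDs of Deny rules whose MaximumFileVersion contains 65355 in any section."""
    hits = []
    for elem in ET.fromstring(policy_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] != "Deny":  # tolerate a namespaced policy
            continue
        high = elem.get("MaximumFileVersion")
        if high and TYPO in parse_version(high):
            hits.append(elem.get("ID"))
    return hits


def demonstrate_gap():
    """(covered by typo'd max, covered by correct max) for a version inside the gap."""
    tampered = "65400.0.0.0"  # constructed version between 65355.x and 65535.x
    typo_max = ".".join([str(TYPO)] * 4)
    correct_max = ".".join([str(MAX_U16)] * 4)
    return (version_in_range(tampered, "0.0.0.0", typo_max),
            version_in_range(tampered, "0.0.0.0", correct_max))
```

Run `find_typo_rules` over an exported policy before importing it; a non-empty result means the copied rule still carries the documentation error.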