Windows SAM and LSAD Downgrade Vulnerability

ID: MS:CVE-2016-0128
Type: mscve
Reporter: Microsoft
Modified: 2016-04-12T07:00:00


An elevation of privilege vulnerability exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols when they accept authentication levels that do not protect them adequately. The vulnerability is caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel. An attacker who successfully exploited this vulnerability could gain access to the SAM database.

To exploit the vulnerability, an attacker could launch a man-in-the-middle (MiTM) attack, force a downgrade of the authentication level of the SAM and LSAD channels, and then impersonate an authenticated user.

The security update addresses the vulnerability by modifying how the SAM and LSAD remote protocols handle authentication levels.