Background: The Enterprise Vulnerability Management System (eVMS)/Tenable plugin ID 48762 – MS KB2269637: Insecure Library Loading Could Allow Remote Code Execution – is a high severity vulnerability that has been found on thousands of USGS computer systems. Deploying the Microsoft patch for this vulnerability is a pre-requisite to remediation, but the patch alone does not fully remediate the finding. To complete the remediation, the CWDIllegalInDllSearch registry value (a REG_DWORD under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager) must be created and set to 1 or 2. Value 0 leaves the default DLL search order in place and therefore does not remediate the finding. Value 1 blocks a DLL load from the current working directory if the current working directory is a WebDAV folder. Value 2 blocks a DLL load from the current working directory if the current working directory is any remote folder, including WebDAV or a UNC location; it is the stronger setting, so applications that are launched from a network share and load DLLs from their own directory should be tested against it before it is deployed broadly. The registry value has no effect on a system that has not received the Microsoft patch. For more detailed information, see: Microsoft Support Page
GPO Description: System Administrators can use a Group Policy Object to remediate this vulnerability. Three GPOs were created in the GS domain for sites that wish to use this method. Each GPO uses a Group Policy Preferences registry item to write the CWDIllegalInDllSearch registry value. If the registry value does not exist, it is created; if it does exist, its data is updated. Only the "Value 1" and "Value 2" GPOs remediate the finding; the "Value 0" GPO restores the default search order. The GPOs are as follows:
DI – BWTST CWDIllegalDllSearch Value 0 – Sets the registry setting to value 0.
DI – BWTST CWDIllegalDllSearch Value 1 – Sets the registry setting to value 1.
DI – BWTST CWDIllegalDllSearch Value 2 – Sets the registry setting to value 2.
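The following PowerShell script is an added example for administrators who want to audit a machine before or after the GPO applies, or who need to set the value on a system that is not in the GS domain. It is not part of the original page and is not the code behind the GPOs above; it assumes the Microsoft patch is already installed (without it the value is ignored) and that it is run from an elevated session when remediating.

```powershell
# Added example: audit and optionally set CWDIllegalInDllSearch on the local machine.
# Assumption: the Microsoft patch for KB2269637 is already installed; the value is
# ignored on an unpatched system. Setting the value requires an elevated session.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName = 'CWDIllegalInDllSearch'

function Get-CwdIllegalInDllSearch {
    # Returns the current DWORD, or $null when the value has never been created.
    # A missing value behaves like 0 (default DLL search order), i.e. not remediated.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-CwdIllegalInDllSearch {
    # Compliant only when the value exists and is 1 or 2 (at least $Minimum).
    param([ValidateSet(1, 2)][int]$Minimum = 1)
    $current = Get-CwdIllegalInDllSearch
    return ($null -ne $current) -and ($current -ge $Minimum) -and ($current -le 2)
}

function Set-CwdIllegalInDllSearch {
    # Creates the value if it is missing, otherwise updates it (same behaviour
    # as the GPO registry preference item). Returns the value read back.
    param([Parameter(Mandatory)][ValidateSet(1, 2)][int]$Value)
    if ($null -eq (Get-CwdIllegalInDllSearch)) {
        New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value $Value
    }
    return Get-CwdIllegalInDllSearch
}

# Usage: report the current state, and remediate if the -Remediate switch is given.
param([switch]$Remediate, [ValidateSet(1, 2)][int]$Desired = 2)

$before = Get-CwdIllegalInDllSearch
$shown  = if ($null -eq $before) { '<missing>' } else { $before }
if (Test-CwdIllegalInDllSearch) {
    Write-Output "Compliant: $ValueName = $shown"
} else {
    Write-Output "Not remediated: $ValueName = $shown"
    if ($Remediate) {
        $after = Set-CwdIllegalInDllSearch -Value $Desired
        Write-Output "Set $ValueName = $after (matches the GPO 'Value $Desired' setting)"
    }
}
```

Run the script without arguments to audit; add -Remediate (and optionally -Desired 1) to apply the setting. Because a missing value is treated as not remediated, the audit matches what the Tenable plugin reports on a patched but unconfigured host.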