Kerberos Vulnerability Could Lead to Elevation of Privileges
On Tuesday, one week after their traditional Patch Tuesday, Microsoft pushed out MS14-068, a patch to address a vulnerability in the Windows Kerberos implementation that allows for the elevation of privilege. As Microsoft noted, this vulnerability has already been exploited in several limited attacks. For your protection, you should update Windows immediately to implement this patch.
Kerberos is a network authentication protocol that Windows adopted as their standard from Windows 2000 onward. In short, Kerberos works like this:
1. A user logs into a client system with their username and password, and requests a Ticket-Granting Ticket (TGT) from an Authentication Service (AS).
2. The AS sends back a TGT that the client system can decrypt using its password hash.
3. After decrypting the TGT, the client sends it to the Ticket Granting Service (TGS).
4. The TGS sends a Service Ticket to the client.
5. Finally, the client sends the Service Ticket to the network server and is authenticated.
Both the TGT and the Service Ticket contain a piece of data known as a Privilege Attribute Certificate (PAC), which carries information about the user, most importantly the user's domain security identifier (SID) and the security groups the user is a member of. Prior to this patch, Windows Kerberos could incorrectly validate forged PACs, which allowed an attacker to elevate the privilege of an account, turning an unprivileged authenticated user into a full domain administrator. Combined with the various methods attackers have to compromise accounts, this could be used to grant an attacker full domain access.
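To make the point concrete, the following is an added example (not code from the original post, and not the real MS-PAC binary format): a simplified, constructed PAC model in which the user's SID and group RIDs are bound to the ticket by a keyed MAC under a hypothetical KDC key, so that a validator which actually recomputes that MAC rejects a PAC whose group list has been altered. The key, domain SID and user RIDs are constructed sample values; 512 and 513 are the well-known Domain Admins and Domain Users RIDs.

```python
import hmac
import hashlib
import json

# Constructed sample values; the real PAC is a binary structure, not JSON.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_ADMINS_RID = 512   # well-known RID of the Domain Admins group
DOMAIN_USERS_RID = 513    # well-known RID of the Domain Users group

# Hypothetical long-term key held only by the KDC and used to sign every PAC.
KDC_KEY = b"constructed-krbtgt-key-for-illustration-only"


def build_pac(user_rid: int, group_rids: list[int]) -> dict:
    """Authorization data the KDC embeds in a ticket (simplified model)."""
    return {"user_sid": f"{DOMAIN_SID}-{user_rid}", "group_rids": sorted(group_rids)}


def canonical(pac: dict) -> bytes:
    """Deterministic encoding so signer and verifier MAC identical bytes."""
    return json.dumps(pac, sort_keys=True, separators=(",", ":")).encode()


def sign_pac(pac: dict, key: bytes) -> bytes:
    """Keyed signature: only a holder of the KDC key can produce a valid one."""
    return hmac.new(key, canonical(pac), hashlib.sha256).digest()


def validate_pac(pac: dict, signature: bytes, key: bytes) -> bool:
    """What a correct KDC or service must do: recompute the keyed MAC over the
    PAC it received and compare in constant time. Skipping or weakening this
    check lets the client decide its own group membership."""
    return hmac.compare_digest(sign_pac(pac, key), signature)


def is_domain_admin(pac: dict, signature: bytes, key: bytes) -> bool:
    """Derive admin rights only from a PAC whose signature verifies."""
    if not validate_pac(pac, signature, key):
        return False
    return DOMAIN_ADMINS_RID in pac["group_rids"]


def tamper_check() -> tuple[bool, bool]:
    """Genuine PAC of an ordinary user vs. a copy with Domain Admins added
    but carrying the original signature (no KDC key available to re-sign)."""
    genuine = build_pac(user_rid=1105, group_rids=[DOMAIN_USERS_RID])
    sig = sign_pac(genuine, KDC_KEY)
    altered = build_pac(user_rid=1105, group_rids=[DOMAIN_USERS_RID, DOMAIN_ADMINS_RID])
    return is_domain_admin(genuine, sig, KDC_KEY), is_domain_admin(altered, sig, KDC_KEY)
```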
According to Microsoft, this exploit was found being used against domain controllers running Windows Server 2008 R2 and earlier. Domain controllers running Windows Server 2012 and later are vulnerable to a related (but notably more difficult) attack. Non-domain controllers running any version of Windows are not vulnerable to this issue, but are being patched as an added layer of protection.
As we advised in one of our previous blogs, keeping your system up to date on the latest patches is one of the best methods for preventing vulnerabilities such as this from becoming an issue.