The Windows Kerberos Vulnerability: What You Need to Know
A mythological three-headed dog was supposed to guard the gates of Redmond. But it turns out that Kerberos was very poorly implemented in numerous versions of Microsoft Windows.
On November 18th, Microsoft released a crucial security bulletin. A severe vulnerability existed in Windows that can be exploited for privilege escalation attacks.
Learn Vulnerability Management
Here's a list of the operating systems with the reported bug:
- Windows Server 2003 (Service Pack 2, 32-bit, 64-bit, and Itanium)
- Windows Server 2008 (Service Pack 2, 32-bit, 64-bit, and Itanium)
- Windows Server 2008 R2 (64-bit, and Itanium)
- Windows Server 2012
- Windows Server 2012 R2
- Windows Vista (Service Pack 2, 32-bit, and 64-bit)
- Windows 7 (Service Pack 1, 32-bit, and 64-bit)
- Windows 8 (32-bit, and 64-bit)
- Windows 8.1 (32-bit, and 64-bit)
What's Kerberos?
Kerberos is a protocol for network authentication. It's a project of the Massachusetts Institute of Technology (MIT), and its first stable version was released all the way back in 1987. The latest stable release of Kerberos is krb5-1.13, as of October 15th, 2014.
It allows nodes to communicate more securely through insecure networks, such as most internet protocols, like HTTP and FTP.
It works by using tickets to authenticate authorized clients to authorized servers, and vice versa- thus mitigating man-in-the-middle and reply attacks. Both the client and the server authenticate each other with packets sent through the Kerberos protocol, usually designated to UDP port 88.
Kerberos uses symmetric cryptographic algorithms, and may use public-key cryptography. Between the client and server, a Kerberos authentication server acts as the trusted third party. The authentication server forwards client usernames to a key distribution center (KDC). Kerberos 5 (krb5-x) uses AES with 128-bit blocks and key sizes of 128 or 256 bits. Legacy versions of Kerberos used DES, which is incredibly insecure these days.
MIT's Kerberos software is FOSS (opensource), but under a BSD-like license rather than a share-alike "copyleft" sort of license, such as the GNU General Public License. Therefore, MIT's Kerberos code may be freely used and distributed, but not modified.
The version of Kerberos that MIT develops (krb) is used in BSD/Unix and GNU/Linux kernel operating systems. Microsoft has their very own version of Kerberos, krw, for their proprietary NT kernel.
Kerberos in Windows
Microsoft Windows implements Kerberos (the krw version) in Active Directory. The moment a user logs into a Windows client that's a part of a Windows Server network, Active Directory uses Kerberos to authenticate that user, but via the RC4 stream cipher. In a Windows-based network, Kerberos is also used when a client authenticates into a machine with network shared partitions and applications.
As the user inputs their username and password into an Active Directory login, a one-way hash is generated from the password, so that the password can be transmitted in ciphertext as opposed to plaintext. That may mitigate a man-in-the-middle attack during the Windows Server authentication process.
That password hash is sent to the authentication server. If its a match for that user, a Ticket to Get Tickets (TGT) is created by the Ticket Granting Service (TGS). Both the AS and the TGS are components of Microsoft's Key Distribution Center. But they're separate. Because they're separate, the user's TGT may be used to acquire tickets from a TGS in another domain.
So, What Was Microsoft's Kerberos Bug?
Hashes are verified by checksums. The bug that Microsoft announced on November 18th is a checksum vulnerability, designated as CVE-2014-6324.
The checksum function in Microsoft's Kerberos implementation was allowing false positive password hashes to authenticate users- both users who make a mistake when typing their passwords, and possible attackers. In a nutshell, Active Directory could've been treating incorrect passwords as if they were correct. That completely negates the purpose of passwords in the first place.
That left the door wide open for privilege escalation attacks, because Kerberos authentication in all of those versions of Windows wasn't working properly.
Here's how those privilege escalation attacks could be executed. My hypothetical attacker is an authenticated domain user. That attacker could send Microsoft's KDC a forged TGT with malicious data that spoofs the user as an adminstrator in that same domain. Of course, user accounts generally have much more limited privileges in an operating system and its network, and an administrator usually has full privileges- the rough equivalent of root in a BSD/Unix or GNU/Linux system.
Imagine the potential for a disgruntled employee to seek revenge upon their employer! Good implementation of well-designed IT security policy mitigates the risk of internal attacks. But for that policy to actually work, the software supporting user account authentication must have as few vulnerabilties as possible.
The bug Microsoft announced on November 18th has immense implications. Windows is still the most popular computing platform in office networks worldwide, and Active Directory manages all Windows client to Windows server authentication.
So, Is There a Patch?
Yes, there is. Normally, Microsoft releases operating system patches on Tuesday, at least once or twice per month. Microsoft used to call it Patch Tuesday, for connotational reasons, they now call it Update Tuesday.
But because Microsoft designated the bug a "critical" aggregated severity rating, their patch to address it was pushed to all applicable client and server versions of Windows on the day their security bulletin was released, November 18th, 2014.
If for whatever reason, your Windows machine hasn't installed the patch, there are two things you could try.
Your Windows machine may have received the patch, but it requires a reboot for installation. Shut down your Windows machine from the Start menu. Before your computer turns off, it'll install the patch if it has it. Leave your machine alone, but watch your monitor carefully for indication that the patch is being installed.
If you don't see a screen that indicates that an update is being installed, you should then manually download the patch.
Boot up your Windows machine again. Make sure that you have effective connectivity to the internet. From Internet Explorer, go to https://update.microsoft.com/microsoftupdate/ . From there, you can find the patch for your version of Windows.
Once you execute the file, let it do its thing. You may have to reboot your machine for the update to be installed.
Afterwards, make sure that you go into your Control Panel, and enable all recommended security updates within Windows Update! Then, you won't have that sort of hassle in the future. You should get security patches automatically for the duration of the support of your version of Windows.
This should be a wakeup call to information security professionals. Kerberos can be very effective, but it's notoriously difficult to implement.
Penetration test all systems that use Kerberos. Not just Windows systems with krw, but also Mac, BSD/Unix, and GNU/Linux systems with krb. If you find any Kerberos implementation vulnerabilties, create and send bug reports.
References
Microsoft Security Bulletin MS14-068
https://technet.microsoft.com/en-us/library/security/MS14-068
RFC 4757
https://tools.ietf.org/html/rfc4757
RFC 3962
https://tools.ietf.org/html/rfc3962
Kerberos at MIT
Kerberos for Windows Release 4.0.1
http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html
MIT Kerberos Consortium
http://www.kerberos.org/about/FAQ.html
Kerberos in Active Directory- Brian Desmond, Windows IT Pro
http://windowsitpro.com/security/kerberos-active-directory
Basic Concepts for the Kerberos Protocol- Microsoft TechNet
http://technet.microsoft.com/en-us/library/cc961976.aspx
Kerberos Explained- Microsoft Developer Network
Learn Vulnerability Management
Learn Vulnerability Management
Build your vulnerability assessment and management skills with dozens of courses. What you'll learn- Vulnerability scanning
- Classifying and prioritizing
- Patching and mitigating
- Building a program
- And more
In this Series
- The Windows Kerberos Vulnerability: What You Need to Know
- The most popular binary exploitation techniques
- Roadmap for performing an Active Directory assessment
- The importance of asset visibility in the detection and remediation of vulnerabilities
- Digium Phones Under Attack and how web shells can be really dangerous
- vSingle is abusing GitHub to communicate with the C2 server
- The most dangerous vulnerabilities exploited in 2022
- Follina — Microsoft Office code execution vulnerability
- Spring4Shell vulnerability details and mitigations
- How criminals are taking advantage of Log4shell vulnerability
- Microsoft Autodiscover protocol leaking credentials: How it works
- How to write a vulnerability report
- How to report a security vulnerability to an organization
- PrintNightmare CVE vulnerability walkthrough
- Top 30 most exploited software vulnerabilities being used today
- The real dangers of vulnerable IoT devices
- How criminals leverage a Firefox fake extension to target Gmail accounts
- How criminals have abused a Microsoft Exchange flaw in the wild
- How to discover open RDP ports with Shodan
- Time to patch: Vulnerabilities exploited in under five minutes?
- Whitespace obfuscation: PHP malware, web shells and steganography
- New Sudo flaw used to root on any standard Linux installation
- Turla Crutch backdoor: analysis and recommendations
- Volodya/BuggiCorp Windows exploit developer: What you need to know
- AWS APIs abuse: Watch out for these vulnerable APIs
- How to reserve a CVE: From vulnerability discovery to disclosure
- SonicWall firewall VPN vulnerability (CVE-2020-5135): Overview and technical walkthrough
- Top 25 vulnerabilities exploited by Chinese nation-state hackers (NSA advisory)
- Zerologon CVE-2020-1472: Technical overview and walkthrough
- Unpatched address bar spoofing vulnerability impacts major mobile browsers
- Software vulnerability patching best practices: Patch everything, even if vendors downplay risks
- What is a vulnerability disclosure policy (VDP)?
- Common vulnerability assessment types
- Common security threats discovered through vulnerability assessments
- Android vulnerability allows attackers to spoof any phone number
- Malicious Docker images: How to detect vulnerabilities and mitigate risk
- Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
- Linux vulnerabilities: How unpatched servers lead to persistent backdoors
- Tesla Model 3 vulnerability: What you need to know about the web browser bug
- How to identify and prevent firmware vulnerabilities
- Will CVSS v3 change everything? Understanding the new glossary
- URGENT/11 vulnerability
- 32 hardware and firmware vulnerabilities
- The Zero Day Initiative
- CVE-2018-11776 RCE Flaw in Apache Struts Could Be Root Cause of Clamorous Hacks
- XML vulnerabilities are still attractive targets for attackers
- Broadpwn Wi-Fi Vulnerability: How to Detect & Mitigate
- Mobile Systems Vulnerabilities
- 10 Security Vulnerabilities That Broke the World Wide Web in 2016
- Most Exploited Vulnerabilities: by Whom, When, and How
- Exploiting CVE-2015-8562 (A New Joomla! RCE)
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Vulnerabilities
Vulnerabilities
