The Windows Kerberos Vulnerability: What You Need to Know
A mythological three-headed dog was supposed to guard the gates of Redmond. But it turns out that Kerberos was very poorly implemented in numerous versions of Microsoft Windows.
On November 18th, Microsoft released a crucial security bulletin. A severe vulnerability existed in Windows that could be exploited for privilege escalation attacks.
Here’s a list of the operating systems with the reported bug:
- Windows Server 2003 (Service Pack 2, 32-bit, 64-bit, and Itanium)
- Windows Server 2008 (Service Pack 2, 32-bit, 64-bit, and Itanium)
- Windows Server 2008 R2 (64-bit, and Itanium)
- Windows Server 2012
- Windows Server 2012 R2
- Windows Vista (Service Pack 2, 32-bit, and 64-bit)
- Windows 7 (Service Pack 1, 32-bit, and 64-bit)
- Windows 8 (32-bit, and 64-bit)
- Windows 8.1 (32-bit, and 64-bit)
Kerberos is a protocol for network authentication. It’s a project of the Massachusetts Institute of Technology (MIT), and its first stable version was released all the way back in 1987. The latest stable release of Kerberos is krb5-1.13, as of October 15th, 2014.
It allows nodes to communicate more securely over insecure networks, and over protocols that are themselves insecure, such as HTTP and FTP.
It works by using tickets to authenticate authorized clients to authorized servers, and vice versa, thus mitigating man-in-the-middle and replay attacks. Both the client and the server authenticate each other with packets sent through the Kerberos protocol, usually to UDP port 88.
Kerberos uses symmetric cryptographic algorithms, and may use public-key cryptography. Between the client and server, a Kerberos authentication server acts as the trusted third party. The authentication server forwards client usernames to a key distribution center (KDC). Kerberos 5 (krb5-x) uses AES with 128-bit blocks and key sizes of 128 or 256 bits. Legacy versions of Kerberos used DES, which is incredibly insecure these days.
MIT’s Kerberos software is FOSS (free and open-source), but under a BSD-like license rather than a share-alike “copyleft” license, such as the GNU General Public License. Therefore, MIT’s Kerberos code may be freely used and distributed, but not modified.
The version of Kerberos that MIT develops (krb) is used in BSD/Unix and GNU/Linux kernel operating systems. Microsoft has their very own version of Kerberos, krw, for their proprietary NT kernel.
Kerberos in Windows
Microsoft Windows implements Kerberos (the krw version) in Active Directory. The moment a user logs into a Windows client that’s a part of a Windows Server network, Active Directory uses Kerberos to authenticate that user, but via the RC4 stream cipher. In a Windows-based network, Kerberos is also used when a client authenticates into a machine with network shared partitions and applications.
As the user inputs their username and password into an Active Directory login, a one-way hash is generated from the password, so that the password can be transmitted in ciphertext as opposed to plaintext. That may mitigate a man-in-the-middle attack during the Windows Server authentication process.
That password hash is sent to the authentication server (AS). If it’s a match for that user, a Ticket to Get Tickets (TGT) is created by the Ticket Granting Service (TGS). Both the AS and the TGS are components of Microsoft’s Key Distribution Center, but they are separate services. Because they’re separate, the user’s TGT may be used to acquire tickets from a TGS in another domain.
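The ticket exchange described above (an AS that issues a TGT, a TGS that turns the TGT into service tickets, and a service that authenticates back to the client, with replay protection), as an added example written for this article rather than code from MIT or Microsoft. It uses a toy cipher built from Python’s standard library and constructed principal names and passwords; real Kerberos encodes its messages in ASN.1 and uses AES, as noted earlier, so treat it as a model of the message flow, not of the wire format.

```python
import hashlib, hmac, json, os, time

# Toy authenticated encryption (constructed for this example; not the AES-based ciphers
# real Kerberos uses): SHA-256 counter-mode keystream plus an HMAC-SHA256 tag.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON-serialisable dict under a symmetric key."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Check the MAC, then decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # toy stand-in for Kerberos string-to-key

CLOCK_SKEW = 300   # seconds of clock drift tolerated in an authenticator, as in Kerberos

def _check_authenticator(ticket: dict, authenticator: bytes) -> dict:
    """Shared by TGS and service: the authenticator must be sealed under the ticket's
    session key, name the same client as the ticket, and be fresh."""
    if ticket["expires"] < time.time():
        raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(ticket["session"]), authenticator)
    if auth["client"] != ticket["client"] or abs(auth["timestamp"] - time.time()) > CLOCK_SKEW:
        raise ValueError("authenticator does not match ticket")
    return auth

class KDC:
    """AS and TGS of one realm. Holds every principal's long-term key; the TGS key is
    never given to clients, so a TGT is opaque to the client that carries it."""
    def __init__(self, principals: dict):
        self.keys = {name: string_to_key(pw) for name, pw in principals.items()}
        self.tgs_key = os.urandom(32)

    def _ticket(self, key: bytes, client: str, lifetime: int = 600):
        session = os.urandom(32).hex()
        return session, seal(key, {"client": client, "session": session, "expires": time.time() + lifetime})

    def as_exchange(self, client: str) -> bytes:
        # AS-REP: a client/TGS session key plus a TGT, sealed under the client's password key.
        session, tgt = self._ticket(self.tgs_key, client)
        return seal(self.keys[client], {"session": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        # TGS-REP: the TGT carries what the AS established; the authenticator proves the
        # requester holds the session key inside it. The reply is sealed under that key.
        t = unseal(self.tgs_key, tgt)
        _check_authenticator(t, authenticator)
        svc_session, ticket = self._ticket(self.keys[service], t["client"])
        return seal(bytes.fromhex(t["session"]), {"session": svc_session, "ticket": ticket.hex()})

class Service:
    """Application server: shares a long-term key with the KDC and keeps a replay cache."""
    def __init__(self, name: str, password: str):
        self.name, self.key, self.seen = name, string_to_key(password), set()

    def ap_exchange(self, ticket: bytes, authenticator: bytes) -> bytes:
        t = unseal(self.key, ticket)
        auth = _check_authenticator(t, authenticator)
        if (auth["client"], auth["timestamp"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((auth["client"], auth["timestamp"]))
        # AP-REP: echoing the timestamp under the session key proves the service could
        # decrypt the ticket, which authenticates the server back to the client.
        return seal(bytes.fromhex(t["session"]), {"timestamp": auth["timestamp"]})

class Client:
    def __init__(self, name: str, password: str):
        self.name, self.key = name, string_to_key(password)

    def login(self, kdc: KDC) -> None:
        rep = unseal(self.key, kdc.as_exchange(self.name))  # wrong password: MAC fails, no TGT
        self.session, self.tgt = bytes.fromhex(rep["session"]), bytes.fromhex(rep["tgt"])

    def access(self, kdc: KDC, service: Service, ts=None) -> bool:
        ts = time.time() if ts is None else ts
        auth = lambda key: seal(key, {"client": self.name, "timestamp": ts})
        rep = unseal(self.session, kdc.tgs_exchange(self.tgt, auth(self.session), service.name))
        svc_session, ticket = bytes.fromhex(rep["session"]), bytes.fromhex(rep["ticket"])
        ap_rep = unseal(svc_session, service.ap_exchange(ticket, auth(svc_session)))
        return ap_rep["timestamp"] == ts    # True only if the service knew the session key

def demo() -> dict:
    """Run the full exchange for constructed principals and report what was enforced."""
    kdc = KDC({"alice": "correct horse", "fileserver": "svc-secret"})
    fs, alice = Service("fileserver", "svc-secret"), Client("alice", "correct horse")
    alice.login(kdc)
    ts = time.time()
    results = {"mutual_auth": alice.access(kdc, fs, ts)}
    for label, attempt in (("replay_rejected", lambda: alice.access(kdc, fs, ts)),
                           ("bad_password_rejected", lambda: Client("alice", "wrong").login(kdc))):
        try:
            attempt(); results[label] = False
        except ValueError:
            results[label] = True
    return results
```

`demo()` returns `{"mutual_auth": True, "replay_rejected": True, "bad_password_rejected": True}`: the client only ever sees the AS reply if its password key is right, the service only accepts an authenticator once per timestamp, and the client only accepts the service after the service echoes the timestamp under a key it could not know without decrypting the ticket.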
So, What Was Microsoft’s Kerberos Bug?
Hashes are verified by checksums. The bug that Microsoft announced on November 18th is a checksum vulnerability, designated as CVE-2014-6324.
The checksum function in Microsoft’s Kerberos implementation was allowing false-positive password hashes to authenticate users, both users who made a mistake when typing their passwords and possible attackers. In a nutshell, Active Directory could have been treating incorrect passwords as if they were correct. That completely negates the purpose of passwords in the first place.
That left the door wide open for privilege escalation attacks, because Kerberos authentication in all of those versions of Windows wasn’t working properly.
Here’s how those privilege escalation attacks could be executed. My hypothetical attacker is an authenticated domain user. That attacker could send Microsoft’s KDC a forged TGT with malicious data that spoofs the user as an administrator in that same domain. Of course, user accounts generally have much more limited privileges in an operating system and its network, and an administrator usually has full privileges, the rough equivalent of root in a BSD/Unix or GNU/Linux system.
Imagine the potential for a disgruntled employee to seek revenge upon their employer! Good implementation of well-designed IT security policy mitigates the risk of internal attacks. But for that policy to actually work, the software supporting user account authentication must have as few vulnerabilities as possible.
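The article calls CVE-2014-6324 a checksum vulnerability: data the KDC should have rejected passed its check. A well-known way a checksum check fails in that manner is when the verifier honours whatever checksum type the message declares, including unkeyed types (CRC32, MD5) that anyone can compute without the KDC’s secret. What follows is an added illustration of that class of defect, written for this article; it is not Microsoft’s code and is not an exact model of the Windows KDC. The checksum type names, the JSON authorization structure and the key are constructed for the example.

```python
import hashlib, hmac, json, zlib

# Checksum types modelled on the distinction that matters: unkeyed checksums that need no
# secret versus a keyed one that requires the KDC's key. Names are constructed, not Kerberos'.
UNKEYED = {"crc32", "md5"}
KEYED = {"hmac-sha256"}

def checksum(kind: str, key: bytes, data: bytes) -> bytes:
    if kind == "crc32":
        return zlib.crc32(data).to_bytes(4, "big")
    if kind == "md5":
        return hashlib.md5(data).digest()
    if kind == "hmac-sha256":
        return hmac.new(key, data, hashlib.sha256).digest()
    raise ValueError(f"unknown checksum type {kind}")

def sign_authorization(key: bytes, authz: dict, kind: str = "hmac-sha256") -> dict:
    """The KDC attaches authorization data (user, groups) to a ticket and checksums it."""
    data = json.dumps(authz, sort_keys=True).encode()
    return {"data": data.hex(), "cksum_type": kind, "cksum": checksum(kind, key, data).hex()}

def verify_vulnerable(key: bytes, signed: dict) -> bool:
    """Trusts whatever checksum type the message names. With an unkeyed type the key is
    never used, so data the KDC never signed still verifies."""
    data = bytes.fromhex(signed["data"])
    expected = checksum(signed["cksum_type"], key, data)
    return hmac.compare_digest(expected, bytes.fromhex(signed["cksum"]))

def verify_hardened(key: bytes, signed: dict) -> bool:
    """Same comparison, but only keyed checksum types are acceptable at all."""
    if signed["cksum_type"] not in KEYED:
        return False
    return verify_vulnerable(key, signed)

def demo() -> dict:
    """Compare both verifiers on a genuine message, an unsigned claim and a tampered copy."""
    kdc_key = hashlib.sha256(b"constructed kdc secret").digest()   # constructed, not a real key
    legitimate = sign_authorization(kdc_key, {"user": "alice", "groups": ["Domain Users"]})
    # Authorization data produced without the KDC key: an unkeyed checksum needs no secret.
    unsigned_claim = sign_authorization(b"", {"user": "alice", "groups": ["Domain Admins"]}, kind="crc32")
    # A tampered copy of the legitimate message: the keyed checksum no longer matches the data.
    altered = json.dumps({"user": "alice", "groups": ["Domain Admins"]}, sort_keys=True).encode().hex()
    tampered = dict(legitimate, data=altered)
    messages = (legitimate, unsigned_claim, tampered)
    return {"vulnerable": [verify_vulnerable(kdc_key, m) for m in messages],
            "hardened": [verify_hardened(kdc_key, m) for m in messages]}
```

`demo()` returns `{"vulnerable": [True, True, False], "hardened": [True, False, False]}`. Both verifiers catch the tampered copy, because its keyed checksum was computed over different data; only the hardened verifier rejects the unsigned claim, because the vulnerable one lets the message choose a checksum type that never involves the key. The fix is a policy decision made before any comparison: a signature check is only as strong as the weakest checksum type the verifier is willing to accept.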
The bug Microsoft announced on November 18th has immense implications. Windows is still the most popular computing platform in office networks worldwide, and Active Directory manages all Windows client to Windows server authentication.
So, Is There a Patch?
Yes, there is. Normally, Microsoft releases operating system patches on a Tuesday, at least once or twice per month. Microsoft used to call it Patch Tuesday; for reasons of connotation, they now call it Update Tuesday.
But because Microsoft designated the bug a “critical” aggregated severity rating, their patch to address it was pushed to all applicable client and server versions of Windows on the day their security bulletin was released, November 18th, 2014.
If, for whatever reason, your Windows machine hasn’t installed the patch, there are two things you can try.
Your Windows machine may have received the patch, but it requires a reboot for installation. Shut down your Windows machine from the Start menu. Before your computer turns off, it’ll install the patch if it has it. Leave your machine alone, but watch your monitor carefully for indication that the patch is being installed.
If you don’t see a screen that indicates that an update is being installed, you should then manually download the patch.
Boot up your Windows machine again. Make sure that you have effective connectivity to the internet. From Internet Explorer, go to https://update.microsoft.com/microsoftupdate/. From there, you can find the patch for your version of Windows.
Once you execute the file, let it do its thing. You may have to reboot your machine for the update to be installed.
Afterwards, make sure that you go into your Control Panel, and enable all recommended security updates within Windows Update! Then, you won’t have that sort of hassle in the future. You should get security patches automatically for the duration of the support of your version of Windows.
This should be a wakeup call to information security professionals. Kerberos can be very effective, but it’s notoriously difficult to implement.
Penetration test all systems that use Kerberos. Not just Windows systems with krw, but also Mac, BSD/Unix, and GNU/Linux systems with krb. If you find any Kerberos implementation vulnerabilities, create and send bug reports.
Sources
- Microsoft Security Bulletin MS14-068
- Kerberos at MIT
- Kerberos for Windows Release 4.0.1
- MIT Kerberos Consortium
- Kerberos in Active Directory, by Brian Desmond (Windows IT Pro)
- Basic Concepts for the Kerberos Protocol (Microsoft TechNet)
- Kerberos Explained (Microsoft Developer Network)