HackDig : Dig high-quality web security articles for hackers

Microsoft releases patching guidance for Kerberos security bug

2020-11-20 14:31


Microsoft has released additional details on how to fully mitigate a security feature bypass vulnerability in Kerberos KDC (Key Distribution Center) patched during this month's Patch Tuesday.

The security feature bypass, tracked as CVE-2020-17049 and exploitable over the network, lies in the way the KDC decides whether a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).

Kerberos is the default authentication protocol for domain-joined devices running Windows 2000 or later. The KDC is the domain controller service that issues the ticket-granting tickets and service tickets clients present to authenticate to services; the session keys carried in those tickets can also be used to encrypt traffic between clients and servers.

Updates needed for mitigation

Microsoft released security updates to address the Kerberos KDC security feature bypass earlier this month, during November 2020's Patch Tuesday.

However, as Microsoft's Japan Security Team said, "[a]ddressing this vulnerability requires not only deploying security updates to all DCs (Domain Controllers) and RODCs (Read-Only Domain Controllers) in the forest, but also additional response steps."

As of November 19, 2020, these are the updates admins can deploy to mitigate the vulnerability on DC and RODC servers on their network.

Windows Server version                    Knowledge Base number
Windows Server 2012                       4586834 (Monthly Rollup) / 4586808 (Security Only)
Windows Server 2012 R2                    4586845 (Monthly Rollup) / 4586823 (Security Only)
Windows Server 2016                       4586830
Windows Server 2019                       4586793
Windows Server, version 1903 / 1909       4586786
Windows Server, version 2004 / 20H2       4586781

Additional steps for full mitigation

To fully mitigate the vulnerability on impacted domain controller servers, Microsoft also recommends taking extra steps before installing the update.

The additional step is to make sure that the PerformTicketSignature value in the Kdc registry subkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc, is set to 1 wherever it is present. If the value is set to 0, the S4USelf feature of Kerberos stops working once the update is installed.

The procedure for correctly deploying the CVE-2020-17049 security update is to set PerformTicketSignature to 1 before installing the update on the DC servers:

  1. Locate the Kdc registry subkey and, if the PerformTicketSignature value exists on the system, ensure that it is set to 1.
  2. Complete the deployment to all DCs (and Read-Only DCs) in your forest.
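The two steps above are a manual check on every DC and RODC in the forest. The following PowerShell is an added example, not code from the article or from Microsoft, that performs step 1 across the whole forest: it enumerates all domain controllers, reads the PerformTicketSignature value from the Kdc subkey on each, and corrects any DC where the value exists and is not 1. It assumes the RSAT ActiveDirectory module and PowerShell Remoting to each DC are available; the variable and column names are the example's own.

```powershell
# Added example (not from the article or Microsoft): audit PerformTicketSignature
# on every DC and RODC in the forest before rolling out the CVE-2020-17049 update.
# Assumes the ActiveDirectory module (RSAT) and PowerShell Remoting to each DC.
#Requires -Modules ActiveDirectory

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'PerformTicketSignature'

# Enumerate writable and read-only DCs in every domain of the forest.
$dcs = (Get-ADForest).Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_
}

# Read the value remotely; a DC where the value does not exist reports Exists = $false.
$results = Invoke-Command -ComputerName $dcs.HostName -ErrorAction Continue -ScriptBlock {
    param($Key, $Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC     = $env:COMPUTERNAME
        Exists = ($null -ne $item)
        Value  = if ($item) { $item.$Name } else { $null }
    }
} -ArgumentList $KdcKey, $ValueName

$results | Sort-Object DC | Format-Table DC, Exists, Value -AutoSize

# Per the guidance: an existing value must be 1. A value of 0 leaves S4USelf
# non-functional once the November update is installed. An absent value needs
# no change under the published steps.
$bad = $results | Where-Object { $_.Exists -and $_.Value -ne 1 }
foreach ($dc in $bad) {
    Write-Warning "$($dc.DC): $ValueName is $($dc.Value); setting it to 1"
    Invoke-Command -ComputerName $dc.DC -ScriptBlock {
        param($Key, $Name)
        Set-ItemProperty -Path $Key -Name $Name -Value 1 -Type DWord
    } -ArgumentList $KdcKey, $ValueName
}
```

Run it from a workstation or management host with a forest-wide administrative account before step 2; DCs that are unreachable over WinRM surface as errors and are absent from the table, so check those by hand rather than assuming they passed.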

Kerberos authentication issues

However, as Microsoft revealed on the Windows Health Dashboard on November 16, some domain controllers may encounter Kerberos authentication and Kerberos ticket renewal issues after the CVE-2020-17049 updates are installed.

The issue affects Windows Server and Windows 10 devices, and the applications that depend on them, in enterprise environments.

Reported problems include authentication failures in S4U scenarios, cross-realm referral failures on both Windows and non-Windows devices handling Kerberos referral tickets, and the rejection of certain non-compliant Kerberos tickets, depending on the value of the PerformTicketSignature setting.

More details on the issues that may be experienced after installing the CVE-2020-17049 security updates can be found in Microsoft's Windows Health Dashboard entry.

Two days later, the company released out-of-band (OOB) updates to address the Kerberos auth issues on all affected Windows Server versions, from Windows Server 2012 up to Windows Server 20H2.

The full list of affected Windows Server versions is available in the table below, together with the updates causing the issue and the optional OOB updates that mitigate the issue.

Affected platforms

Server                              Originating update   OOB optional update
Windows Server, version 20H2        KB4586781            KB4594440*
Windows Server, version 2004        KB4586781            KB4594440*
Windows Server, version 1909        KB4586786            KB4594443*
Windows Server, version 1903        KB4586786            KB4594443*
Windows Server, version 1809        KB4586793            KB4594442
Windows Server, version 1607        KB4586830            KB4594441*
Windows Server 2019                 KB4586793            KB4594442
Windows Server 2016                 KB4586830            KB4594441*
Windows Server 2012 R2              KB4586845            KB4594439
Windows Server 2012                 KB4586834            KB4594438

* Released one day after the other OOB updates, extending the fix to all impacted Windows Server versions.

The OOB updates are not offered through the Windows Update or Microsoft Update channels; they are available only as stand-alone packages from the Microsoft Update Catalog, so they must be downloaded and installed on each DC explicitly.
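Because the OOB packages are installed manually, it is easy to lose track of which DCs have them. The following PowerShell is an added example, not code from the article or from Microsoft, that reports for every DC in the forest whether the originating November update and the matching OOB fix from the table above are installed. The KB numbers come from the two tables on this page (including the Security Only packages for 2012 and 2012 R2); the mapping from OS build number to Windows Server version is an assumption based on Windows release numbering, as are the variable and column names. It assumes the RSAT ActiveDirectory module and PowerShell Remoting to each DC.

```powershell
# Added example (not from the article or Microsoft): per-DC inventory of the
# CVE-2020-17049 originating update and its optional out-of-band (OOB) fix.
# Assumes the ActiveDirectory module (RSAT) and PowerShell Remoting to each DC.
#Requires -Modules ActiveDirectory

# OS build number -> KBs, from the tables in the article. The build numbers are
# an assumption drawn from Windows release numbering, not from the article.
$KbByBuild = @{
    '9200'  = @{ Os = 'Windows Server 2012';          Originating = @('KB4586834', 'KB4586808'); Oob = 'KB4594438' }
    '9600'  = @{ Os = 'Windows Server 2012 R2';       Originating = @('KB4586845', 'KB4586823'); Oob = 'KB4594439' }
    '14393' = @{ Os = 'Windows Server 2016 / 1607';   Originating = @('KB4586830');              Oob = 'KB4594441' }
    '17763' = @{ Os = 'Windows Server 2019 / 1809';   Originating = @('KB4586793');              Oob = 'KB4594442' }
    '18362' = @{ Os = 'Windows Server, version 1903'; Originating = @('KB4586786');              Oob = 'KB4594443' }
    '18363' = @{ Os = 'Windows Server, version 1909'; Originating = @('KB4586786');              Oob = 'KB4594443' }
    '19041' = @{ Os = 'Windows Server, version 2004'; Originating = @('KB4586781');              Oob = 'KB4594440' }
    '19042' = @{ Os = 'Windows Server, version 20H2'; Originating = @('KB4586781');              Oob = 'KB4594440' }
}

$dcs = (Get-ADForest).Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_
}

$report = Invoke-Command -ComputerName $dcs.HostName -ErrorAction Continue -ScriptBlock {
    param($Map)
    $build = (Get-CimInstance Win32_OperatingSystem).BuildNumber
    $entry = $Map[$build]
    if (-not $entry) {
        # A build the table does not cover: flag it rather than guessing.
        return [pscustomobject]@{
            DC = $env:COMPUTERNAME; Build = $build; Os = 'not in table'
            OriginatingKb = $null; OriginatingInstalled = $false
            OobKb = $null; OobInstalled = $false
        }
    }
    # Get-HotFix lists installed update packages by their KB identifier.
    $installed = (Get-HotFix).HotFixID
    $orig = $entry.Originating | Where-Object { $installed -contains $_ }
    [pscustomobject]@{
        DC                   = $env:COMPUTERNAME
        Build                = $build
        Os                   = $entry.Os
        OriginatingKb        = ($entry.Originating -join '/')
        OriginatingInstalled = [bool]$orig
        OobKb                = $entry.Oob
        OobInstalled         = ($installed -contains $entry.Oob)
    }
} -ArgumentList $KbByBuild

$report | Sort-Object DC | Format-Table DC, Os, OriginatingKb, OriginatingInstalled, OobKb, OobInstalled -AutoSize

# DCs that took the November update but not the OOB fix are the ones exposed to
# the Kerberos authentication and ticket-renewal problems described above.
$report | Where-Object { $_.OriginatingInstalled -and -not $_.OobInstalled } | ForEach-Object {
    Write-Warning "$($_.DC) ($($_.Os)): $($_.OriginatingKb) installed, OOB $($_.OobKb) missing"
}
```

One caveat: Get-HotFix reports the KB identifiers of the packages actually installed, so a DC later brought up to date with a cumulative update that supersedes the OOB package will not show the OOB KB number even though it carries the fix. Treat a missing OOB entry on such a DC as a prompt to check its installed cumulative update level, not as proof that the fix is absent.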

Source: www.bleepingcomputer.com/news/microsoft/microsoft-releases-patching-guidance-for-kerberos-se
