One week after “Patch Tuesday”, and contrary to its standard operating procedure, Microsoft has released a Critical security update (MS14-068) to fix a security hole in all supported versions of Windows. MS14-068 addresses a vulnerability in the Kerberos Key Distribution Center (KDC) component, used within a domain environment for authenticating users. The vulnerability allows an unprivileged authenticated user to elevate their privileges to those of a domain administrator. The KDC component is reachable remotely, and the vulnerability can be exploited as long as the miscreant holds valid domain credentials. This has severe consequences for businesses and explains why Microsoft took the step of releasing an out-of-band patch. The patch was actually rumored to have been included in November’s patch cycle and then pulled at the last minute.
The vulnerability stems from improper validation of signatures, which allows certain elements of a service ticket to be forged. An attacker can trick the KDC by presenting forged tickets impersonating any user in the domain, resulting in compromise of the domain. The vulnerability was privately reported to Microsoft; however, in the bulletin it released, Microsoft stated that it was “aware of limited targeted attacks that attempt to exploit the vulnerability.”
Quick reminder about Kerberos: http://msdn.microsoft.com/en-us/library/bb742516.aspx
When the user first authenticates to the Authentication Service (AS), part of the KDC, they are issued a TGT (Ticket Granting Ticket). The TGT contains a structure called the PAC (Privilege Attribute Certificate), which holds the user’s authorization information. When the user wants to access a service they present their TGT to the KDC, which validates the PAC information and copies it into the ST (Service Ticket). The ST is then used to gain access to the service. The breakdown occurs in the way the PAC information is validated; MS14-068 amends how that validation is performed.
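To make the flow above concrete, here is an added example (not code from the original post or from Microsoft) that models the three steps in miniature: the AS builds a PAC and signs it into the TGT, the KDC verifies that signature before copying the PAC into the ST, and a TGT whose PAC has been altered after signing is refused. Everything is simplified: the PAC is a dict, tickets are dicts, the KDC key is a constructed constant, and the PAC is protected by a single HMAC-SHA256 in place of the real PAC_SIGNATURE_DATA server and KDC checksums.

```python
"""Simplified model of where the PAC travels in the Kerberos ticket flow.

Added example, not code from the original post or from Microsoft. The
structures are heavily reduced: a PAC is a dict of user attributes, the TGT
and ST are dicts carrying that PAC, and the KDC protects the PAC with an
HMAC-SHA256 under its long-term key. Real Kerberos uses ASN.1 tickets, the
PAC_SIGNATURE_DATA structures and a separate server checksum; those are
omitted so the flow itself is visible.
"""
import hashlib
import hmac
import json

# Constructed long-term KDC secret for this toy only; a real krbtgt key never leaves the DC.
KDC_KEY = b"constructed-krbtgt-key-for-demo-only"


def canonical(pac: dict) -> bytes:
    """Serialise the PAC deterministically so the MAC covers exactly its contents."""
    return json.dumps(pac, sort_keys=True, separators=(",", ":")).encode()


def sign_pac(pac: dict, key: bytes) -> bytes:
    """KDC checksum over the PAC: a keyed MAC that only the holder of the KDC key can produce."""
    return hmac.new(key, canonical(pac), hashlib.sha256).digest()


def verify_pac(pac: dict, sig: bytes, key: bytes) -> bool:
    """Recompute the keyed checksum and compare it in constant time."""
    return hmac.compare_digest(sign_pac(pac, key), sig)


def as_issue_tgt(username: str, groups: list, key: bytes = KDC_KEY) -> dict:
    """Authentication Service: build the PAC from directory data and sign it into the TGT."""
    pac = {"user": username, "groups": sorted(groups)}
    return {"type": "TGT", "pac": pac, "kdc_sig": sign_pac(pac, key)}


def tgs_issue_st(tgt: dict, service: str, key: bytes = KDC_KEY) -> dict:
    """Ticket Granting Service: validate the PAC in the presented TGT, then copy it into the ST.

    The PAC is never trusted as presented; the KDC checksum must verify under the
    KDC's own key before any of its contents flow into the service ticket.
    """
    if tgt.get("type") != "TGT":
        raise ValueError("not a TGT")
    if not verify_pac(tgt["pac"], tgt["kdc_sig"], key):
        raise PermissionError("PAC checksum invalid; ticket rejected")
    pac = dict(tgt["pac"])
    return {"type": "ST", "service": service, "pac": pac, "kdc_sig": sign_pac(pac, key)}


def service_groups_for(tgt: dict, service: str) -> list:
    """Groups the service will see, or an empty list if the KDC refuses the ticket."""
    try:
        return tgs_issue_st(tgt, service)["pac"]["groups"]
    except PermissionError:
        return []


def demo():
    """Honest flow, then a TGT whose PAC claims extra groups but carries the original checksum."""
    tgt = as_issue_tgt("alice", ["Domain Users"])
    honest = service_groups_for(tgt, "cifs/fileserver")
    tampered = {
        "type": "TGT",
        "pac": {"user": "alice", "groups": ["Domain Admins", "Domain Users"]},
        "kdc_sig": tgt["kdc_sig"],  # checksum was computed over the original PAC, so it no longer matches
    }
    forged = service_groups_for(tampered, "cifs/fileserver")
    return honest, forged


if __name__ == "__main__":
    print(demo())  # (['Domain Users'], [])
```

The point of the toy is the position of `verify_pac` in `tgs_issue_st`: the group list that reaches the service ticket is whatever the KDC could verify under its own key, not whatever the client presented. A validation step that can be satisfied without that key is exactly the class of weakness the bulletin describes.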
As described in the following blog post, http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx, it is possible to detect attempts to exploit this vulnerability. However, it should be noted that log data can be tampered with and should not be relied upon to rule out earlier exploitation.
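The detection approach in the linked post turns on logon events (Event ID 4624) whose Security ID and Account Name do not refer to the same account, for example a domain administrator's SID paired with an ordinary user's name. The following is an added example, not code from the post or from Microsoft, that runs that comparison over constructed log lines against a constructed account-to-SID snapshot. In a real environment the events would come from the Security log (EVTX/XML) and the snapshot from Active Directory; the one-line `key=value` format, the domain SIDs and the account names here are all made up for the demo.

```python
"""Flag 4624 logon events whose Security ID and Account Name do not belong to the same account.

Added example, not code from the original post or from Microsoft. Real 4624 events
live in the Security event log as EVTX/XML; the one-line "key=value" format, the
SIDs and the account-to-SID snapshot below are all constructed for this demo.
"""
import re
from typing import Dict, List, Optional

# Constructed directory snapshot (sAMAccountName -> objectSid) for a fictional domain.
DIRECTORY: Dict[str, str] = {
    "Administrator": "S-1-5-21-1111111111-2222222222-3333333333-500",
    "nonadmin": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "svc_backup": "S-1-5-21-1111111111-2222222222-3333333333-1120",
}

# Constructed events: a normal logon, a suspicious one, a failed logon, a real admin logon
# and a local SYSTEM logon. Only the second line should be flagged.
SAMPLE_EVENTS = [
    "EventID=4624 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-1105 AccountName=nonadmin LogonType=3",
    "EventID=4624 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-500 AccountName=nonadmin LogonType=3",
    "EventID=4625 SecurityID=S-1-0-0 AccountName=nonadmin LogonType=3",
    "EventID=4624 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-500 AccountName=Administrator LogonType=2",
    "EventID=4624 SecurityID=S-1-5-18 AccountName=SYSTEM LogonType=5",
]

EVENT_RE = re.compile(r"EventID=(\d+)\s+SecurityID=(\S+)\s+AccountName=(\S+)")


def parse_event(line: str) -> Optional[dict]:
    """Pull event id, SID and account name out of one constructed log line."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return {"event_id": int(m.group(1)), "sid": m.group(2), "account": m.group(3)}


def find_sid_name_mismatches(lines: List[str], directory: Dict[str, str]) -> List[dict]:
    """Return the 4624 events where the SID is not the one the directory holds for that account name."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event_id"] != 4624:
            continue
        # Only domain SIDs can be checked against the directory; well-known SIDs such as
        # S-1-5-18 (SYSTEM) are skipped rather than reported.
        if not ev["sid"].startswith("S-1-5-21-"):
            continue
        expected = directory.get(ev["account"])
        if expected != ev["sid"]:
            findings.append({
                "account": ev["account"],
                "sid": ev["sid"],
                "expected_sid": expected,  # None means the account name is unknown to the directory
                "raw": line,
            })
    return findings


if __name__ == "__main__":
    for hit in find_sid_name_mismatches(SAMPLE_EVENTS, DIRECTORY):
        print(f"MISMATCH account={hit['account']} sid={hit['sid']} expected={hit['expected_sid']}")
```

The check is deliberately strict about what it will not judge: an event whose SID is not a domain SID is skipped rather than reported, and an account name missing from the snapshot is reported with `expected_sid` set to `None` so it can be triaged separately. As the post notes, an empty result is not proof of anything, since the same logs can be altered by whoever holds domain administrator rights.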
It is therefore recommended that all Domain Controllers in your environment be updated immediately, with all other servers being updated in due course. Domain Controllers are the priority because of their overarching dominion over every other entity in the network.
Now for some scaremongering: the only assurance you can have that you have not been ‘pwned’ is to rebuild your entire domain. This is due to the many ways in which it is possible to hide backdoors and tamper with entities or information stored in an Active Directory domain.