Microsoft Sounds Zero-Day Warning
Emergency Fix For Crypto Flaw in Windows Kerberos
Microsoft has issued an emergency, out-of-band fix for a vulnerability in Windows Kerberos that is being actively exploited in the wild, in attacks targeting domain controllers running Windows Server 2008 and 2008 R2.
The Kerberos protocol authenticates users and services on otherwise open and unsecured networks by issuing tickets sealed with shared secret keys. But according to Microsoft's new MS14-068 security bulletin, the Kerberos Key Distribution Center, or KDC - the domain controller component that authenticates clients inside an Active Directory domain - is vulnerable to a privilege-escalation attack that could allow an attacker holding an ordinary domain account to remotely gain domain administrator privileges. "An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers," warns Microsoft, noting that it is "aware of limited, targeted attacks that attempt to exploit this vulnerability."
Microsoft has rated the vulnerability as "critical" for servers, and says it affects all supported versions of Windows Server, including Windows Server 2003, 2008, 2008 R2, 2012, and 2012 R2. Microsoft says it's also issuing a related update "on a defense-in-depth basis for all supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1," to help mitigate related types of attacks. But the company has not assigned a severity rating to the update for those PC versions of Windows, saying that the flaw itself isn't present in those systems.
"The problem stems from a failure to properly validate cryptographic signatures, which allows certain aspects of a Kerberos service ticket to be forged," says Craig Young, a security researcher at threat detection firm Tripwire. "The vulnerability has already been used in limited attacks and should be considered a serious risk to enterprises using Kerberos KDC on a Windows domain."
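Public analyses of the flaw trace the "failure to properly validate cryptographic signatures" to the KDC accepting a PAC signature computed with a checksum type that needs no key at all, so a client could write its own group list and seal it with a plain hash. The following Python model is an added example, not Microsoft's code or the real PAC encoding: it contrasts a KDC that trusts whatever checksum type the ticket names with one that insists on a keyed MAC under the KDC's own key. The key, the checksum-type names and the JSON "PAC" are constructed for the example.

```python
"""Toy model of the MS14-068 validation flaw (added example, simplified).

A PAC is modelled as a small dict; a 'signature' is a (type, value) pair.
The vulnerable verifier honours the checksum type named by the client,
including an unkeyed MD5; the hardened one only accepts a keyed HMAC.
"""
import hashlib
import hmac
import json

KDC_KEY = b"constructed-krbtgt-key"   # constructed; stands in for the krbtgt key
DOMAIN_ADMINS_RID = 512               # the real RID of the Domain Admins group


def pac_bytes(pac):
    """Canonical serialisation so signer and verifier hash the same bytes."""
    return json.dumps(pac, sort_keys=True).encode()


def unkeyed_md5(data, key=None):
    """An unkeyed checksum: anyone can compute it, so it proves nothing."""
    return hashlib.md5(data).digest()


def keyed_hmac(data, key):
    """A keyed MAC: only a holder of the KDC key can produce it."""
    return hmac.new(key, data, hashlib.sha256).digest()


# Checksum types the toy KDC understands (names are constructed).
CHECKSUMS = {"md5-unkeyed": unkeyed_md5, "hmac-keyed": keyed_hmac}
KEYED_TYPES = {"hmac-keyed"}


def kdc_issue_pac(user, rids, key=KDC_KEY):
    """What a legitimate KDC does: build the PAC and seal it with its key."""
    pac = {"user": user, "groups": sorted(rids)}
    return pac, {"type": "hmac-keyed", "value": keyed_hmac(pac_bytes(pac), key)}


def forge_pac(user, rids):
    """What a low-privileged domain user could do: choose the groups and
    'sign' with a checksum that requires no secret."""
    pac = {"user": user, "groups": sorted(rids)}
    return pac, {"type": "md5-unkeyed", "value": unkeyed_md5(pac_bytes(pac))}


def vulnerable_verify(pac, sig, key=KDC_KEY):
    """Pre-patch behaviour: recompute with whichever type the ticket names."""
    checksum = CHECKSUMS.get(sig["type"])
    if checksum is None:
        return False
    return hmac.compare_digest(checksum(pac_bytes(pac), key), sig["value"])


def hardened_verify(pac, sig, key=KDC_KEY):
    """Post-patch behaviour: the type must be keyed and the MAC must match."""
    if sig["type"] not in KEYED_TYPES:
        return False
    return hmac.compare_digest(keyed_hmac(pac_bytes(pac), key), sig["value"])


def is_domain_admin(pac):
    return DOMAIN_ADMINS_RID in pac["groups"]


if __name__ == "__main__":
    pac, sig = forge_pac("lowpriv", [513, DOMAIN_ADMINS_RID])
    print("forged PAC, vulnerable KDC accepts:", vulnerable_verify(pac, sig))
    print("forged PAC, hardened KDC accepts:  ", hardened_verify(pac, sig))
    print("forged PAC claims Domain Admins:   ", is_domain_admin(pac))
```

The point the model makes is that a checksum is not a signature: whatever else a verifier does, it has to refuse any integrity type the peer can compute without a secret, rather than dispatch on the type the peer asked for.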
An attacker could abuse the cryptographic Kerberos ticketing system to gain access to normally off-limits parts of a network. "Kerberos tickets are a bit like hotel room keys that are encoded at the front desk after a security check, and then handed over to give you access, for a limited period, to specific parts of the building," says Paul Ducklin, head of technology for Asia-Pacific at anti-virus vendor Sophos, in a blog post.
Exploiting the flaw requires nothing more than a valid domain account. The element that gets forged is the Privilege Attribute Certificate, or PAC, the structure inside a Kerberos ticket that records a user's security identifier and group memberships. "This is a really big issue, because anyone with a valid domain username and password can simply add a valid token - or as it's called in Windows, a privileged access certificate - that then gives them the domain admin rights, and [then] it's very, very easy to create another domain admin account, hide your tracks ... and sit pretty, [using] that domain admin account for server exploitation and exfiltration of critical data," says Gavin Millard, technical director for Europe, the Middle East and Africa at network monitoring firm Tenable Network Security.
After Exploit: Wipe, Rebuild
If attackers are able to successfully compromise an Active Directory domain using this vulnerability, Microsoft says affected domains will need to be wiped. "The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain," says Joe Bialek, an engineer with the Microsoft Security Response Center, in a blog post. "An attacker with administrative privileges on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed. Therefore it is critical to install the update immediately."
Furthermore, spotting related attacks against unpatched networks may be difficult. The detection Microsoft describes relies on domain controller logon events (event ID 4624) in which the account name and the security identifier don't belong to the same account, and that check is not a complete one. "Please note that this logging will only catch known exploits; there are known methods to write exploits that will bypass this logging," Bialek says.
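As an added example of that check, not code from Microsoft or from the article, the Python below parses a handful of constructed Security-log records in the text layout of the "New Logon" section and flags 4624 events whose Account Name does not match the account the Security ID resolves to. The SID table, domain name and event records are all constructed; in a real deployment the SID would be resolved against the directory rather than a dict. As Bialek notes, a match proves nothing, since exploits can be written that avoid the mismatch.

```python
"""Name/SID mismatch check over constructed 4624 records (added example)."""
import re

# Constructed stand-in for a directory lookup: which account owns each SID.
SID_TO_ACCOUNT = {
    "S-1-5-21-1111111111-2222222222-3333333333-500": "Administrator",
    "S-1-5-21-1111111111-2222222222-3333333333-1104": "jdoe",
}

# Constructed records, reduced to the fields the check needs. Windows renders
# a resolvable Security ID as DOMAIN\name and an unresolvable one as raw S-1-...
SAMPLE_LOG = """\
Event ID: 4624
New Logon:
    Security ID:        CORP\\jdoe
    Account Name:       jdoe
    Logon Type:         3
---
Event ID: 4624
New Logon:
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-500
    Account Name:       jdoe
    Logon Type:         3
---
Event ID: 4634
    Security ID:        CORP\\jdoe
    Account Name:       jdoe
---
Event ID: 4624
New Logon:
    Security ID:        CORP\\Administrator
    Account Name:       nonadmin
    Logon Type:         3
"""

FIELD = re.compile(
    r"^\s*(Event ID|Security ID|Account Name|Logon Type):\s*(.+?)\s*$", re.M
)


def parse_events(text):
    """Split the text on record separators and pull out the fields we care about."""
    events = []
    for record in text.split("---"):
        fields = dict(FIELD.findall(record))
        if fields:
            events.append(fields)
    return events


def account_for_security_id(value, directory=SID_TO_ACCOUNT):
    """Return the account name behind a Security ID field, or None if unknown."""
    if value.startswith("S-1-"):
        return directory.get(value)
    return value.split("\\", 1)[-1]


def is_name_sid_mismatch(event, directory=SID_TO_ACCOUNT):
    """True for a 4624 event whose Account Name is not the SID's owner.
    An unknown SID is flagged as well, since it deserves a look."""
    if event.get("Event ID") != "4624":
        return False
    owner = account_for_security_id(event["Security ID"], directory)
    if owner is None:
        return True
    return owner.casefold() != event["Account Name"].casefold()


def suspicious_logons(text, directory=SID_TO_ACCOUNT):
    return [e for e in parse_events(text) if is_name_sid_mismatch(e, directory)]


if __name__ == "__main__":
    for hit in suspicious_logons(SAMPLE_LOG):
        print("mismatch:", hit["Security ID"], "logged on as", hit["Account Name"])
```

Run over the sample, the second and fourth records are flagged: a logon whose SID is the built-in Administrator account but whose name is an ordinary user. The first is a normal logon and the third is a logoff (4634), so neither is reported.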
When it comes to patching the flaw, Microsoft recommends first patching all domain controllers that run Windows Server 2008 R2 or older. As noted, these are the versions of servers that have been targeted by in-the-wild attacks. Second, it recommends patching domain controllers running Windows Server 2012 and above, because "domain controllers running 2012 and above are vulnerable to a related attack, but it would be significantly more difficult to exploit," Bialek says. Finally, Microsoft recommends hardening all non-domain controllers that run Windows, using provided "defense in depth" updates, to help mitigate related attacks against domain controllers.
Tenable's Millard says it's unusual for Microsoft to issue such a "very, very strongly worded" advisory, which underscores the need to patch this flaw as quickly as possible. "If you've got a queue of patches that you're planning on deploying within the infrastructure, MS14-068 should really jump to the front of the queue and be deployed immediately," he says.
So far, Microsoft has declined to release more information about the related in-the-wild attacks, including the intended victims. But it did credit the discovery of the flaw to the information security and risk management team at Qualcomm, including cybersecurity engineer Tom Maddock.
The Windows Kerberos fix follows last week's regularly scheduled monthly patch release, in which Microsoft issued a number of other security fixes, including four "critical" updates. One of them patched Microsoft Secure Channel, or Schannel, the component that implements SSL/TLS encryption for traffic and transactions on most Windows platforms (see Microsoft Patches Schannel Vulnerability). The Schannel vulnerability has yet to be exploited in the wild. But that may soon change, given the recent release of proof-of-concept attack code by security firm Immunity for its Canvas vulnerability exploitation toolkit.