Another critical flaw in Windows Kerberos

The November 12 Patch Tuesday revealed that Microsoft Security had addressed some 92 Common Vulnerabilities and Exposures (CVEs). One of the most critical was an update for CVE-2024-43639, a remote code execution (RCE) vulnerability affecting Windows Kerberos.

If you remember your Greek mythology, Kerberos was the three-headed dog (also called Cerberus) that guarded the gates of the underworld for Hades. It's an apropos moniker for the network authentication protocol which uses tickets and symmetric-key cryptography to verify the identity of users and hosts within a network. The system was developed by MIT in the 1980s and has been fairly robust. While the protocol has strong security principles, the implementation details can vary among different systems and vendors. CVE-2024-43639 is specific to Microsoft’s implementation of Kerberos.

So far, we are not aware of anyone exploiting this in the wild; but it is a particularly critical issue (CVSS score 9.8/10.0) in that it is an RCE vulnerability affecting all versions of Windows Server. While Microsoft rated it as "less likely" to be exploited due to the difficulty of crafting an exploit, you can rest assured that nation-state threat actors have already figured it out and are holding on to zero-days. So, make sure you get those updates installed ASAP!

In general, any exploit that does not require user interaction and allows for unauthenticated RCE is "wormable." Remember Code Red, Nimda, and Conficker?

So, how is Kerberos considered a three-headed monster? As shown in the figure below, we have the following:

  1. User logs into the Authentication Server (AS) which validates the credentials and issues a Ticket-Granting Ticket (TGT).
  2. User presents the TGT to the Ticket-Granting Server (TGS) to request access to a service (e.g., file, email, Web, etc.). The TGS validates the TGT and provides a ticket for the service.
  3. User provides the ticket for the service. The service validates the ticket and performs the service.

Note that the Key Distribution Center (KDC), the blue shaded part of the image, encompasses both the AS and the TGS.
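As an added illustration (not part of the original article), here is a runnable Python model of those three exchanges. The KDC class holds both heads, the AS and the TGS, just as the blue-shaded KDC in the figure does, and the service is the third head. The principal names (alice, krbtgt, fileserver), the keys and the seal/unseal toy cipher are all constructed for this example; real Kerberos uses AES encryption types and ASN.1-encoded tickets, but the checks each party performs (right key, unexpired ticket, authenticator client name matching the ticket, fresh timestamp) are the same ones shown here.

```python
"""Toy model of the three Kerberos exchanges (AS, TGS, service). Example code only."""
import hashlib
import hmac
import json
import os
import time

LIFETIME = 8 * 3600   # ticket lifetime in seconds (constructed value)
MAX_SKEW = 300        # Kerberos' default 5-minute clock skew for authenticators


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; stands in for a real etype such as AES."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: keystream XOR plus an HMAC tag (constructed, not Kerberos')."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first; a ticket sealed under any other key is rejected here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """Both heads of the KDC: the Authentication Server and the Ticket-Granting Server."""

    def __init__(self, principals: dict):
        self.keys = principals                 # long-term key of every principal
        self.tgs_key = principals["krbtgt"]    # key that seals TGTs

    def as_exchange(self, user: str) -> bytes:
        """Head 1: issue a TGT. The reply is sealed under the user's long-term key, so only
        someone holding that (password-derived) key can recover the TGT session key."""
        sk = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": user, "key": sk.hex(), "exp": time.time() + LIFETIME})
        return seal(self.keys[user], {"session_key": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        """Head 2: validate the TGT and authenticator, then issue a ticket for the service."""
        t = unseal(self.tgs_key, tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        sk = bytes.fromhex(t["key"])
        a = unseal(sk, authenticator)          # proves the caller knows the TGT session key
        if a["client"] != t["client"]:
            raise ValueError("authenticator client does not match TGT")
        if abs(time.time() - a["ts"]) > MAX_SKEW:
            raise ValueError("authenticator outside allowed clock skew")
        svc_sk = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_sk.hex(),
                                           "exp": time.time() + LIFETIME})
        return seal(sk, {"session_key": svc_sk.hex(), "ticket": ticket.hex()})


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """Head 3: the service validates the ticket with its own key and returns the client name."""
    t = unseal(service_key, ticket)
    if t["exp"] < time.time():
        raise ValueError("service ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or abs(time.time() - a["ts"]) > MAX_SKEW:
        raise ValueError("bad authenticator")
    return t["client"]


def client_login(kdc: KDC, user: str, user_key: bytes, service: str):
    """The user's side of all three steps; returns what is presented to the service."""
    rep = unseal(user_key, kdc.as_exchange(user))                      # step 1
    sk, tgt = bytes.fromhex(rep["session_key"]), bytes.fromhex(rep["tgt"])
    auth = seal(sk, {"client": user, "ts": time.time()})
    rep2 = unseal(sk, kdc.tgs_exchange(tgt, auth, service))            # step 2
    svc_sk, ticket = bytes.fromhex(rep2["session_key"]), bytes.fromhex(rep2["ticket"])
    return ticket, seal(svc_sk, {"client": user, "ts": time.time()})   # step 3 material


def demo() -> dict:
    """Run a legitimate login and then show a ticket sealed under a guessed key being refused."""
    keys = {"alice": os.urandom(32), "krbtgt": os.urandom(32), "fileserver": os.urandom(32)}
    kdc = KDC(keys)
    ticket, auth = client_login(kdc, "alice", keys["alice"], "fileserver")
    who = service_accept(keys["fileserver"], ticket, auth)
    forged = seal(b"guess", {"client": "Administrator", "key": "00", "exp": time.time() + 3600})
    try:
        service_accept(keys["fileserver"], forged, auth)
        forged_accepted = True
    except ValueError:
        forged_accepted = False
    return {"authenticated_as": who, "forged_accepted": forged_accepted}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` authenticates alice to the file server and shows why the KDC's handling of these sealed structures matters: every acceptance decision above rests on the key under which a ticket or authenticator was sealed, so a flaw in that cryptographic handling inside the KDC is what turns a well-designed protocol into an unauthenticated entry point.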

Figure: Overview of Kerberos

The CVE-2024-43639 vulnerability was reported by two researchers from a Chinese cybersecurity company called Kunlun Lab. While Microsoft did not provide any details about the specific cryptographic weakness or the exact exploitation method, it appears that the flaw lies in the improper handling of certain cryptographic operations within the KDC. This allows an attacker to craft a special request that can bypass the usual cryptographic checks, potentially leading to unauthenticated RCE. I'll await more details to come out before updating this article.

Looking back on some similar attacks of the past, we have the following:

  • CVE-2020-17049 aka "Kerberos Bronze Bit Attack" (excellent writeup by Jake Karnes) was a vulnerability within the KDC that enabled attackers to bypass security restrictions by manipulating service tickets, essentially allowing them to impersonate users and gain unauthorized access to systems.
  • CVE-2021-42287 and CVE-2021-42278, collectively known as "noPac" or "Sam-the-Admin," were privilege escalation vulnerabilities in Active Directory that allowed a user to manipulate the sAMAccountName attribute and the Privilege Attribute Certificate (PAC) to trick the KDC into issuing a TGT for a domain controller account.
  • CVE-2014-6324 was a Kerberos vulnerability that allowed attackers to elevate unprivileged domain user accounts to domain administrator level. While this one didn't have a funny title, Matt Hathaway suggested: "that Kerberos vulnerability that is being exploited in the wild to completely take over Windows domains."

Since we don't have Hercules around to subdue Kerberos, we recommend the following measures:

  1. Implement a formal program of vulnerability management to regularly research vulnerabilities, test, and apply security patches in a timely manner.
  2. Have network visibility with SIEM/SOC/Continuous monitoring and incident response in place.
  3. Establish a posture of zero trust, so that, even if a malicious user is able to bypass authentication, they still can't get to any valuable data or create mischief.



More articles by Jeremy Rasmussen