After a short delay, Microsoft today delivered a critical, out-of-band patch to fix a serious Kerberos security...
vulnerability in Windows.
MS14-068 resolves one privately reported vulnerability, CVE-2014-6324, in the Kerberos Key Distribution Center (KDC). According to Microsoft documentation, KDC is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain.
The flaw could allow an attacker to elevate an unprivileged domain user account to a domain administrator account. In the bulletin, Microsoft noted that an attacker could exploit any system within a domain, including domain controllers, though valid domain credentials are required.
The vulnerability affects all currently supported versions of Windows and Windows Server; Microsoft said it has spotted the issue being used as part of what it called "limited, targeted attacks."
The bulletin was originally scheduled as part of Microsoft's November 2014 Patch Tuesday release, but was unexpectedly withheld by the company. Altogether, Microsoft has now issued five critical patches this month.
In a supplemental blog post, Joe Bialek, software security engineer with the Microsoft Security Response Center (MSRC), said that current exploits in the wild have "targeted a vulnerable code path in domain controllers running on Windows Server 2008R2 and below." As a result, enterprises should prioritize applying the patch for domain controllers running Windows Server 2008R2 and older, though Windows Server 2012 domain controllers should still be addressed despite being more difficult to exploit.
Bialek added that enterprises can detect known exploits targeting the flaw if they collect event logs from domain controllers. The "Security ID" and "Account Name" fields in log entries should match, he noted, but they won't in the case of an exploit.
"The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain. An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed," wrote Bialek. "Therefore it is critical to install the update immediately."
Chris Goettl, product manager for LANDesk Software Inc.'s Shavlik third-party patching business unit, based in New Brighton, Minn., said that an attacker could exploit the vulnerability by sending a forged Kerberos ticket to the Kerberos KDC that claims a user as a domain administrator. From there, Goettl said they could impersonate any domain account, add themselves to any group, install programs and create new accounts.
"If there is a silver lining in this one, it is in the fact that the attacker must have a valid domain user account to exploit the vulnerability," said Goettl. "But once they have done so, they have the keys to the kingdom.
"This is pretty severe and definitely explains why Microsoft only delayed the release and did not pull it from the November Patch Tuesday release all together," Goettl added. "Our recommendation [is to] include this in your patch cycle ASAP."
The November Patch Tuesday release may now have five critical bulletins, but the October haul also featured fixes for four active zero-day vulnerabilities. Catch up on our coverage.