Vulnerability in Kerberos Allows Elevation of Privilege
Microsoft has recently released a security update (MS14-068) for Windows Server. The patched vulnerability is in the Windows Kerberos Key Distribution Center (KDC), which issues session tickets to identities within Active Directory when they access the domain's resources. When a client requests access to a resource, it contacts the ticket-granting service in the target resource's domain, presents its TGT, and asks for a session ticket for that resource. The ticket is valid for the period set by the 'Maximum lifetime for service ticket' setting in the domain's Kerberos policy (default is 10 hours).
The vulnerability allows an attacker holding a standard (unprivileged) but valid domain user account to elevate it to the level of 'Domain Admins': a remote authenticated domain user can obtain domain administrator privileges via a forged Kerberos session ticket containing a tampered PAC (Privilege Attribute Certificate) structure.
The update is rated Critical for all supported editions of Microsoft Windows Server 2003 through 2012 R2, and is also delivered to Windows 7 SP1 and 8.1 clients as a preventative step (no security impact on clients). Domain controllers configured to act as a Kerberos Key Distribution Center are primarily at risk. The update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos.
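To make the two points above concrete (the ticket lifetime check and why a PAC signature must be verified correctly), here is an added toy model in Python. It is not Microsoft's code and not the real Kerberos PAC format; the page only says the fix "corrects signature verification behavior", so the model assumes, as a simplification, that the weakness was a verifier trusting whatever checksum type a ticket named, including an unkeyed one. The checksum-type names, the `KDC_KEY` value, and the helper functions are all constructed for the illustration.

```python
"""Toy model of PAC signature checking (added illustration, not Microsoft's code)."""
import hashlib
import hmac
import json
import zlib
from datetime import datetime, timedelta, timezone

# Hypothetical checksum-type names for the toy; real Kerberos uses numeric identifiers.
CKSUM_CRC32 = "crc32"              # unkeyed: anyone can compute it
CKSUM_HMAC_SHA256 = "hmac-sha256"  # keyed: needs the KDC (krbtgt) secret

# Constructed secret and policy value for the demo (10 h is the default named on the page).
KDC_KEY = b"constructed-krbtgt-key-not-a-real-secret"
MAX_SERVICE_TICKET_LIFETIME = timedelta(hours=10)


def checksum(cksum_type, key, data):
    """Compute the checksum a ticket claims to carry."""
    if cksum_type == CKSUM_CRC32:
        return zlib.crc32(data).to_bytes(4, "big")
    if cksum_type == CKSUM_HMAC_SHA256:
        return hmac.new(key, data, hashlib.sha256).digest()
    raise ValueError(f"unknown checksum type {cksum_type!r}")


def _authz_bytes(pac):
    """Canonical bytes covered by the signature (user, groups, issue time)."""
    return json.dumps({"user": pac["user"], "groups": pac["groups"],
                       "issued": pac["issued"]}, sort_keys=True).encode()


def issue_pac(user, groups, issued, cksum_type=CKSUM_HMAC_SHA256, key=KDC_KEY):
    """Build a PAC-like record. A legitimate KDC always uses the keyed type."""
    pac = {"user": user, "groups": list(groups), "issued": issued.isoformat()}
    pac["sig_type"] = cksum_type
    pac["sig"] = checksum(cksum_type, key, _authz_bytes(pac)).hex()
    return pac


def _within_lifetime(pac, now):
    """Enforce the 'Maximum lifetime for service ticket' policy window."""
    issued = datetime.fromisoformat(pac["issued"])
    return issued <= now <= issued + MAX_SERVICE_TICKET_LIFETIME


def verify_pac_weak(pac, key, now):
    """Modelled pre-fix behaviour: trust whichever checksum type the ticket names."""
    expected = checksum(pac["sig_type"], key, _authz_bytes(pac))
    if not hmac.compare_digest(expected.hex(), pac["sig"]):
        return False
    return _within_lifetime(pac, now)


def verify_pac_hardened(pac, key, now):
    """Modelled fixed behaviour: only the keyed signature type is acceptable."""
    if pac["sig_type"] != CKSUM_HMAC_SHA256:
        return False
    expected = checksum(CKSUM_HMAC_SHA256, key, _authz_bytes(pac))
    if not hmac.compare_digest(expected.hex(), pac["sig"]):
        return False
    return _within_lifetime(pac, now)


def demo():
    """Run both verifiers over a legitimate, a tampered, and a stale record."""
    now = datetime(2014, 11, 20, 12, 0, tzinfo=timezone.utc)
    legit = issue_pac("alice", ["Domain Users"], now)
    # Group list changed and the checksum recomputed with the unkeyed type:
    # no KDC key is needed to produce this record.
    tampered = issue_pac("alice", ["Domain Users", "Domain Admins"], now,
                         cksum_type=CKSUM_CRC32, key=b"")
    stale = issue_pac("alice", ["Domain Users"], now - timedelta(hours=11))
    return {
        "legit_weak": verify_pac_weak(legit, KDC_KEY, now),
        "legit_hardened": verify_pac_hardened(legit, KDC_KEY, now),
        "tampered_weak": verify_pac_weak(tampered, KDC_KEY, now),
        "tampered_hardened": verify_pac_hardened(tampered, KDC_KEY, now),
        "stale_hardened": verify_pac_hardened(stale, KDC_KEY, now),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The weak verifier accepts the tampered record because the checksum it recomputes needs no secret, so matching it proves nothing about who produced the record; the hardened verifier rejects it before any comparison because the type is not on its allow-list, and it also rejects a ticket issued outside the 10-hour window regardless of its signature.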
The vulnerability was reported to Microsoft by the Qualcomm Information Security & Risk Management team.
This security vulnerability comes out just a week after another security vulnerability was reported in an Active Directory component, Microsoft Secure Channel (Schannel) (MS14-066, CVE-2014-6321).