ADVISORY: Microsoft Windows critical KDC privilege escalation vulnerability MS14-068 (CVE-2014-6324)

Tuesday, November 18, 2014

This information was sent to U-M Windows administrators and the IT Security Community on November 18, 2014.

This message is intended for U-M IT staff who are responsible for maintaining and running university Microsoft domain controllers. A security vulnerability was announced today that requires immediate remediation. Please read the advisory below to see if servers for which you are responsible are affected and take action if appropriate.

Summary: 

Microsoft has released an out-of-band update to resolve a remote elevation of privilege vulnerability in implementations of the Kerberos KDC in Microsoft Windows. Microsoft acknowledges that exploitation of this vulnerability has been occurring in targeted attacks. People who are responsible for Microsoft domain controllers should apply the update immediately.

Problem: 

A flaw in Microsoft’s implementation of the Kerberos KDC in Windows can be exploited to elevate privileges within a Windows domain. An attacker must already have valid credentials for any user within the domain. Successful exploitation would allow an attacker to impersonate any account within a Windows domain, including domain administrators.

Affected Systems: 

Please note that while Microsoft lists Windows Vista, Windows 7, and Windows 8 as being affected, this vulnerability is only critical for Windows servers.

Microsoft indicates that exploitation is more difficult on Windows Server 2012 than on Windows Server 2003 or Windows Server 2008.

Affected systems include Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1.

Action Items: 

Apply the update to all Microsoft domain controllers as soon as possible. Because domain controllers are a critical Microsoft infrastructure component, IIA recommends applying the update in a test environment prior to applying the update in production environments.

  • Domain controllers running on Windows 2003 or Windows 2008 should be updated as quickly as possible.
  • The level of urgency for domain controllers running on Windows 2012 is slightly lower than for Windows 2003 and Windows 2008.
  • Accelerated deployment of the update for all affected Windows systems should be done after sufficient testing in your environment.

The update requires a reboot.

Threats: 

Microsoft acknowledges that target attacks that attempt to exploit this vulnerability are already occurring.

Technical Details: 

The vulnerability is due to a failure of the Microsoft Kerberos KDC implementations to properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged.

Detection: 

Microsoft has shared attack detection details in their blog post “Additional information about CVE-2014-6324” (see the "References & Additional Information" section below)

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.