On the 18th November 2014, Microsoft published information relating to a vulnerability that exists within all versions of Windows, and Windows Server operating systems. The vulnerability lies within the Kerberos Key Distribution Center (KDC) in Microsoft Windows.
The vulnerability itself could allow an attacker to escalate their privileges from that of a Domain User to those of a Domain Admin. The Domain Admin would then have full control of the Windows Domain from this point. There are no publicly available exploits known to exist as of yet, however it is likely that proof of concept and exploit code will be available in the near future.
Could my organisation be vulnerable?
If your organisation uses systems with a Windows Operating System, then it is highly likely that there are vulnerable machines on your network. All versions of Windows and Windows Server are reportedly vulnerable until patched, which includes all currently supported versions. We strongly recommend resolving the issue as a matter of priority.
Microsoft report that they are aware of limited attacks that exploit this vulnerability, however no proof of concept code has been seen online as of yet. Due to the nature of this vulnerability, with the potential consequences, it is likely that a proof of concept, or working exploit will be available in the near future.
How can we detect the issue?
The best way to currently check for the presence of this flaw is to find out if the relevant ‘MS14-068’ patch has been applied. Domain Controllers should be the main priority, with servers and workstations to follow, in that order.
The SureCloud Platform has the capability to detect this missing patch via internal credentialed scans, available to those customers who have our internal on-demand scanning service. Look out for vulnerability 79311, “Vulnerability in Kerberos Could Allow Elevation of Privilege”.
Before running your scan, ensure that your internal scanning appliance is configured to conduct credentialed/privileged scans. Please open a support ticket with us if you’re not sure.
What can we do to protect our organisation?
Apply the relevant patch from Microsoft: https://support.microsoft.com/kb/3011780, with priority given to Domain Controllers running Windows Server 2008R2 and below, followed by Domain Controllers running more recent versions of Windows Server, and lastly by systems running any other version of Windows.
What should we do if our domain has been compromised?
The only certain way to ensure that a compromise of the Windows domain has been remediated is to completely rebuild the domain. An attacker with administrative privileges to the Windows domain can ensure persistent access even after the security update has been applied, which is why it is critical that this update is installed as a matter of urgency.
Get in touch
Should you have any questions regarding this or any security matter, please do not hesitate to get in touch by opening a support ticket or emailing SureCloud Support.
Update
As of 5th December 2014 working exploit code was made publicly available. This Python script allows a malicious user to forge a Kerberos ticket from a valid Domain User account in order to attain Domain Admin, Enterprise Admin, Schema Admin, and Built-in Administrator (Domain Controller) privileges.
The use of this exploit in a vulnerable environment is trivial and recently allowed SureCloud consultants to escalate privileges from that of a standard Domain User to a Domain/Enterprise Administrator with relative ease.
It is therefore highly recommended that Domain Controllers within the Active Directory domain are patched with KB3011780 as soon as possible.
Microsoft Event ID 4672 ‘Special privileges assigned to new logon’ will allow IT administrators to monitor the event log in order to search for users that are not members of domain administrative security groups.
References
https://support.microsoft.com/kb/3011780
https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
https://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx
https://isc.sans.edu/diary/Microsoft+November+out-of-cycle+patch+MS14-068/18967
https://blog.beyondtrust.com/a-quick-look-at-ms14-068
Whilst every effort is made to ensure the accuracy and robustness of any information presented, it is not possible for SureCloud to test every possible scenario an organization may face, and SureCloud cannot be held liable for any loss or damage which may arise from taking action on any of the contents provided. SureCloud strongly advises that all recommendations, solutions and detection methods detailed, are thoroughly reviewed and tested in non-production environments before being considered suitable for production release, in-line with any existing internal change control procedures.
