TA14-323A: Microsoft Windows Kerberos KDC Remote Privilege Escalation Vulnerability

["US-CERT" <US-CERT () ncas us-cert gov>]

NCCIC / US-CERT

National Cyber Awareness System:

TA14-323A: Microsoft Windows Kerberos KDC Remote Privilege Escalation Vulnerability [ 
https://www.us-cert.gov/ncas/alerts/TA14-323A ] 11/19/2014 03:20 AM EST 
Original release date: November 19, 2014

Systems Affected

  * Microsoft Windows Vista, 7, 8, and 8.1 
  * Microsoft Server 2003, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2 

Overview

A remote escalation of privilege vulnerability exists in implementations of Kerberos Key Distribution Center (KDC) in 
Microsoft Windows which could allow a remote attacker to take control of a vulnerable system. [1 [ http://1. 
https://technet.microsoft.com/library/security/MS14-068 ]]

Description

The Microsoft Windows Kerberos KDC fails to properly check service tickets for valid signatures, which can allow 
aspects of the service ticket to be forged. The improper check allows an attacker to escalate valid domain user account 
privileges to those of a domain administrator account, which renders the entire domain vulnerable to compromise.

At the time this release was issued, Microsoft was aware of limited, targeted attacks attempting to exploit this 
vulnerability.

Impact

A valid domain user can pass invalid domain administrator credentials, gain access and compromise any system on the 
domain, including the domain controller. [2 [ http://www.kb.cert.org/vuls/id/213119 ]]

Solution

An update is available from Microsoft. Please see Microsoft Security Bulletin MS14-068 and Microsoft Research Security 
and Defense Blog for more details, and apply the necessary updates.[1 [ 
http://technet.microsoft.com/library/security/MS14-068 ], 3 [ 
http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx ]] 

References

  * Microsoft Security Bulletin MS14-068  [ https://technet.microsoft.com/library/security/MS14-068 ] 
  * Vulnerability Note VU#213119 [ http://www.kb.cert.org/vuls/id/213119 ] 
  * Microsoft Security Research and Defense Blog [ 
http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx ] 

Revision History

  * November 19, 2014: Initial Draft 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.

________________________________________________________________________

OTHER RESOURCES: Contact Us [ http://www.us-cert.gov/contact-us/ ] | Security Publications [ 
http://www.us-cert.gov/security-publications ] | Alerts and Tips [ http://www.us-cert.gov/ncas ] | Related Resources [ 
http://www.us-cert.gov/related-resources ] 

STAY CONNECTED: Sign up for email updates [ http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new ]