Today, Active Directory security is mission-critical to organizational security worldwide and thus mission-critical to cyber security worldwide. On this blog, a former Microsoft Program Manager for Active Directory Security, and today the CEO of Paramount Defenses, shares technical insights on Active Directory security.

Thursday, November 20, 2014

CVE-2014-6324: Elevation of Privilege Vulnerability in Kerberos in Windows - Microsoft, are you Kidding?

Earlier today, Microsoft released a critical emergency security patch MS14-068 to help organizations patch a vulnerability in Kerberos that could allow elevation of privilege.

This is a very serious vulnerability because it could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could then use these elevated privileges to compromise any computer in the domain, including domain controllers.

Quoting from here -

"This vulnerability stems from the way in which Windows Kerberos validates the PAC in Kerberos tickets. Prior to the update it was possible for an attacker to forge a PAC that the Kerberos KDC would incorrectly validate. This allows an attacker to remotely elevate their privilege against remote servers from an unprivileged authenticated user to a domain administrator."
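The quoted paragraph says only that the KDC "would incorrectly validate" a forged PAC. The following toy, added here as an illustration and not taken from the post, Microsoft or any real Kerberos implementation, models the principle at stake: a PAC signature protects the privilege attributes it covers only if the KDC insists on a checksum bound to a key the client does not hold. Public analysis of MS14-068 reported that the pre-patch KDC honoured unkeyed checksum types; the example contrasts a validator that trusts whatever checksum type the ticket names with one that accepts only keyed types. All names (`verify_pac_vulnerable`, `verify_pac_hardened`, `sign_pac`, the `krbtgt_key` and PAC body) are constructed for the example; the numeric checksum ids follow the RFC 3961 / MS-KILE numbering as this author knows it, and key derivation for the AES type is omitted.

```python
import hashlib
import hmac
import zlib

# Checksum type identifiers (RFC 3961 / MS-KILE numbering; illustrative only,
# the real PAC structure carries far more than this toy models).
CRC32 = 1                  # unkeyed: anyone can compute it
RSA_MD5 = 7                # unkeyed: anyone can compute it
HMAC_MD5 = -138            # keyed (Microsoft-specific id)
HMAC_SHA1_96_AES256 = 16   # keyed (real Kerberos derives a sub-key first; omitted here)

KEYED_TYPES = {HMAC_MD5, HMAC_SHA1_96_AES256}


def compute_checksum(ctype, data, key=None):
    """Compute a PAC-style checksum over `data`. Unkeyed types ignore `key`."""
    if ctype == CRC32:
        return zlib.crc32(data).to_bytes(4, "little")
    if ctype == RSA_MD5:
        return hashlib.md5(data).digest()
    if key is None:
        raise ValueError("keyed checksum type requires a key")
    if ctype == HMAC_MD5:
        return hmac.new(key, data, hashlib.md5).digest()
    if ctype == HMAC_SHA1_96_AES256:
        return hmac.new(key, data, hashlib.sha1).digest()[:12]
    raise ValueError(f"unsupported checksum type {ctype}")


def sign_pac(pac_body, ctype, key=None):
    """Attach a checksum of the named type to a PAC body (constructed format)."""
    return {"body": pac_body, "ctype": ctype,
            "sig": compute_checksum(ctype, pac_body, key)}


def verify_pac_vulnerable(pac, krbtgt_key):
    """Pre-patch model: the checksum type named in the PAC is honoured as-is,
    so an unkeyed type verifies without any knowledge of krbtgt_key."""
    expected = compute_checksum(pac["ctype"], pac["body"], krbtgt_key)
    return hmac.compare_digest(expected, pac["sig"])


def verify_pac_hardened(pac, krbtgt_key):
    """Post-patch model: only keyed checksum types are acceptable, so a valid
    signature proves possession of krbtgt_key."""
    if pac["ctype"] not in KEYED_TYPES:
        return False
    expected = compute_checksum(pac["ctype"], pac["body"], krbtgt_key)
    return hmac.compare_digest(expected, pac["sig"])


def demo():
    """Run both validators over a legitimately signed PAC and over a PAC whose
    body was altered and re-checksummed with an unkeyed type (constructed data)."""
    krbtgt_key = b"constructed-kdc-secret-never-leaves-the-dc"
    # Legitimate PAC: issued and signed by the KDC with a keyed checksum.
    legit = sign_pac(b"user=alice;groups=513", HMAC_MD5, krbtgt_key)
    # Tampered PAC: body claims extra group membership; the signer has no key,
    # so the only checksum it can produce is an unkeyed one.
    forged = sign_pac(b"user=alice;groups=513,512", RSA_MD5)
    return {
        "legit_vulnerable": verify_pac_vulnerable(legit, krbtgt_key),
        "legit_hardened": verify_pac_hardened(legit, krbtgt_key),
        "forged_vulnerable": verify_pac_vulnerable(forged, krbtgt_key),
        "forged_hardened": verify_pac_hardened(forged, krbtgt_key),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The point for defenders is the one the patch makes: a validator must reject signature types that do not bind the data to a secret, regardless of what the presented ticket asks for, which is why applying MS14-068 on every domain controller is the mitigation rather than any client-side setting.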

Microsoft, seriously, are you kidding?

You are arguably the 3rd most powerful company in the world, you know that virtually the entire world is operating on Microsoft Windows, more importantly, that most business and government organizations operate on Microsoft Windows Server, and you go 14 long years without someone internally finding this vulnerability!

I mean, this isn't your ordinary vulnerability. After all, it allows a perpetrator to forge a Kerberos PAC!

With all due respect, you've got to do better than this. With the entire world running on Microsoft Windows, you bear a great onus, and that is to ensure that you minimize the existence of such highly damaging vulnerabilities in Windows.

I don't care if you have to spend a billion dollars to enhance your internal security research. You're a $400B company, so a petty billion is nothing in contrast. My humble suggestion to you is to take this stuff very seriously and go to the greatest lengths to ensure that such critical vulnerabilities are identified and eliminated ASAP.

From our side, we're doing our best to help organizations worldwide address the world's #1 cyber security risk to Microsoft Windows environments, Active Directory privilege escalation. By the same token, we expect you to do your best to ensure that such code-based vulnerabilities are identified and fixed.

Best wishes,

PS: Folks, this blog post is short by intention, and aimed at helping organizations understand that this is a very critical vulnerability and that they should apply this patch immediately.