Microsoft has issued an emergency fix for a vulnerability in Windows Kerberos that is already being exploited in the wild; the attacks seen so far target domain controllers running Windows Server 2008 and 2008 R2.
The Kerberos protocol authenticates users and services on otherwise open and unsecured networks using shared secret keys. But according to Microsoft’s new MS14-068 security bulletin, the Kerberos Key Distribution Center (KDC), the service on a domain controller that authenticates clients inside an Active Directory domain, is vulnerable to a privilege-escalation attack that could let a remote attacker gain domain administrator privileges. “An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers,” warns Microsoft, noting that it is “aware of limited, targeted attacks that attempt to exploit this vulnerability.”
The problem stems from the KDC failing to properly validate the cryptographic signature on the Privilege Attribute Certificate (PAC), the part of a Kerberos ticket that records a user’s identity and group memberships. Because the KDC accepted signature (checksum) types that require no secret key, an attacker could rewrite a PAC to claim membership of privileged groups, compute a matching checksum without knowing any domain key, and have the KDC issue a ticket carrying the forged PAC, granting access to normally off-limits parts of the network. The attack does require valid domain credentials, but any authenticated domain user has those. “This is a really big issue, because anyone with a valid domain username and password can simply add a valid token – or as it’s called in Windows, a privileged access certificate – that then gives them the domain admin rights, and [then] it’s very, very easy to create another domain admin account, hide your tracks.
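To make the failed check concrete, here is a small Python model of the PAC signature validation before and after the fix. It is an added example written for this article, not code from Microsoft or from the original report, and it deliberately simplifies: the PAC logon data is represented as JSON rather than the MS-PAC wire format, only one of the PAC’s two checksums is modelled, the HMAC-MD5 is plain RFC 2104 HMAC rather than the RFC 4757 keyed-checksum derivation, and the krbtgt key and account details are constructed sample values. The checksum type numbers and the well-known group RIDs are the real ones.

```python
"""Simplified model of the MS14-068 (CVE-2014-6324) PAC checksum check.

The PAC names the checksum type used to protect it. The vulnerable KDC
honoured unkeyed types (CRC32, RSA-MD5), so anyone could compute a valid
checksum over a PAC they had rewritten; the fix rejects unkeyed types.
Teaching model only: JSON logon info, one checksum, plain HMAC-MD5.
"""
import hashlib
import hmac
import json
import zlib

# Checksum type identifiers as used in Kerberos / MS-PAC.
KERB_CHECKSUM_CRC32 = 1
KERB_CHECKSUM_RSA_MD5 = 7
KERB_CHECKSUM_HMAC_MD5 = -138      # keyed checksum used with RC4-HMAC tickets
UNKEYED_TYPES = {KERB_CHECKSUM_CRC32, KERB_CHECKSUM_RSA_MD5}

# Well-known relative IDs in an Active Directory domain.
RID_DOMAIN_ADMINS = 512
RID_DOMAIN_USERS = 513
RID_ENTERPRISE_ADMINS = 519


def compute_checksum(ctype, data, key=None):
    """Return the checksum of `data` for checksum type `ctype`."""
    if ctype == KERB_CHECKSUM_CRC32:
        return zlib.crc32(data).to_bytes(4, "little")
    if ctype == KERB_CHECKSUM_RSA_MD5:
        return hashlib.md5(data).digest()
    if ctype == KERB_CHECKSUM_HMAC_MD5:
        if key is None:
            raise ValueError("HMAC-MD5 needs the krbtgt key")
        return hmac.new(key, data, hashlib.md5).digest()
    raise ValueError(f"unsupported checksum type {ctype}")


def build_logon_info(user, rid, group_rids):
    """Constructed stand-in for the PAC_LOGON_INFO buffer."""
    return json.dumps({"user": user, "rid": rid, "groups": sorted(group_rids)}).encode()


def sign_pac(logon_info, ctype, key=None):
    """Attach a checksum of the named type; unkeyed types need no key at all."""
    if ctype in UNKEYED_TYPES:
        key = None
    return {"logon_info": logon_info, "sig_type": ctype,
            "sig": compute_checksum(ctype, logon_info, key)}


def kdc_verify_vulnerable(pac, krbtgt_key):
    """Pre-MS14-068 behaviour: recompute whatever checksum type the PAC names."""
    key = None if pac["sig_type"] in UNKEYED_TYPES else krbtgt_key
    expected = compute_checksum(pac["sig_type"], pac["logon_info"], key)
    return hmac.compare_digest(expected, pac["sig"])


def kdc_verify_patched(pac, krbtgt_key):
    """Post-MS14-068 behaviour: only keyed checksum types are acceptable."""
    if pac["sig_type"] in UNKEYED_TYPES:
        return False
    expected = compute_checksum(pac["sig_type"], pac["logon_info"], krbtgt_key)
    return hmac.compare_digest(expected, pac["sig"])


def is_domain_admin(pac):
    """True if the PAC claims Domain Admins membership."""
    return RID_DOMAIN_ADMINS in json.loads(pac["logon_info"])["groups"]


def demo():
    """Run a legitimate, a forged and a tampered PAC through both verifiers."""
    # Constructed krbtgt key; a real attacker never holds this.
    krbtgt_key = hashlib.md5(b"constructed krbtgt secret").digest()

    # Legitimate PAC issued by the KDC for an ordinary user.
    legit = sign_pac(build_logon_info("alice", 1105, [RID_DOMAIN_USERS]),
                     KERB_CHECKSUM_HMAC_MD5, krbtgt_key)

    # Forged PAC: admin groups added, unkeyed checksum so no secret is needed.
    forged = sign_pac(build_logon_info("alice", 1105, [RID_DOMAIN_USERS,
                                                       RID_DOMAIN_ADMINS,
                                                       RID_ENTERPRISE_ADMINS]),
                      KERB_CHECKSUM_RSA_MD5)

    # Editing a keyed PAC without the key is caught by both KDCs.
    tampered = dict(legit, logon_info=forged["logon_info"])

    return {
        "legit_vuln": kdc_verify_vulnerable(legit, krbtgt_key),
        "legit_patched": kdc_verify_patched(legit, krbtgt_key),
        "forged_vuln": kdc_verify_vulnerable(forged, krbtgt_key),
        "forged_patched": kdc_verify_patched(forged, krbtgt_key),
        "tampered_vuln": kdc_verify_vulnerable(tampered, krbtgt_key),
        "tampered_patched": kdc_verify_patched(tampered, krbtgt_key),
        "forged_is_admin": is_domain_admin(forged),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17} {result}")
```

The forged PAC passes the vulnerable verifier while claiming Domain Admins, fails the patched one, and a straightforward edit of the keyed PAC fails both: the bug was never a broken hash, but a verifier that let the untrusted data choose a signature scheme that needs no secret.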