Microsoft has pushed a patch for a critical vulnerability in its Kerberos implementation, which could be exploited remotely by an unauthenticated attacker. Redmond said the CVSS 9.8 vulnerability, allocated CVE-2024-43639, was reported by two researchers from a Chinese cybersecurity company, but rates exploitation as less likely.
Kerberos is the main authentication protocol for Windows enterprise networks, and Microsoft's advisory lists all supported versions of Windows Server as affected. An attacker could exploit a bug in Microsoft's implementation of the protocol to run code on affected systems without any user interaction, which on paper makes it wormable. The Stack will add more detail on this vulnerability and update our take when we have more feedback on it from the community.
Action1 CEO Mike Walters suggested that "any organization using Windows domains that rely on Kerberos for authentication is at risk. This encompasses nearly every medium-to-large business, governmental organization, and any entity with a complex network infrastructure. A successful exploit could result in catastrophic breaches, including full domain compromise and unrestricted access to sensitive data."
Updated: Microsoft has since amended its advisory to clarify that, in fact:
"This vulnerability only affects Windows Servers that are configured as a [MS-KKDCP]: Kerberos Key Distribution Center (KDC) Proxy Protocol server. Domain controllers are not affected."
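That narrowing turns the question for defenders into an inventory one: which servers actually run the KDC Proxy? The script below is an added example, not code from the article or from Microsoft. It checks the things that distinguish a configured KDC Proxy host: the built-in KPS service (service name KPSSVC), its Settings registry key, and the HTTP.sys URL reservation for /KdcProxy that the proxy listens on. The function name Get-KdcProxyExposure and the LikelyInScope heuristic are this example's own; it reports exposure so you can prioritise patching, it does not test for the bug itself.

```powershell
# Added example, not code from the article or from Microsoft.
# Inventory check for the CVE-2024-43639 precondition quoted above: a server is
# only in scope if it runs the KDC Proxy service (service name KPSSVC, display
# name "KDC Proxy Server service (KPS)"), whose configuration lives under
# HKLM\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings and which listens on an
# HTTP.sys URL reservation for /KdcProxy. Run elevated on each server, or fan it
# out with Invoke-Command. The function name and the LikelyInScope heuristic
# are assumptions of this example.

function Get-KdcProxyExposure {
    [CmdletBinding()]
    param()

    # KPSSVC ships on Windows Server but is inert until configured, so the
    # service existing on its own does not mean the proxy is in use.
    $svc = Get-Service -Name 'KPSSVC' -ErrorAction SilentlyContinue

    # The Settings key is only present where KPS has been configured; dump
    # whatever values are there rather than assuming particular names.
    $settingsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings'
    $settings = @{}
    if (Test-Path -Path $settingsPath) {
        $item = Get-ItemProperty -Path $settingsPath
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $settings[$p.Name] = $p.Value }
        }
    }

    # HTTP.sys reservation registered for the proxy, e.g. https://+:443/KdcProxy/
    $urlacl = (netsh http show urlacl) -join "`n"
    $reservations = @([regex]::Matches($urlacl, '(?im)^\s*Reserved URL\s*:\s*(\S*KdcProxy\S*)') |
        ForEach-Object { $_.Groups[1].Value })

    # Win32_ComputerSystem.DomainRole 4 or 5 means domain controller; Microsoft
    # says DCs are not affected, so record the role alongside the finding.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = ($role -ge 4)
        KpsServiceFound    = [bool]$svc
        KpsStartType       = if ($svc) { $svc.StartType } else { $null }
        KpsStatus          = if ($svc) { $svc.Status } else { $null }
        KdcProxyUrlAcl     = $reservations
        KpsSettings        = $settings
        # Heuristic: the proxy is only reachable if the service is enabled and
        # it has a URL reservation to listen on.
        LikelyInScope      = ([bool]$svc -and $svc.StartType -ne 'Disabled' -and $reservations.Count -gt 0)
    }
}

Get-KdcProxyExposure | Format-List
```

Hosts that return LikelyInScope = True (typically Remote Desktop Gateway, DirectAccess or Always On VPN front ends) are the ones to patch first; everything else still takes the update, but on Microsoft's own account does not carry the unauthenticated RCE exposure.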
The Zero Day Initiative's Dustin Childs told The Stack: "I think exploitation will be difficult due to the complexity of Kerberos itself... building a reliable exploit for a complex codebase like Kerberos is notoriously difficult. I think it's a great find by the researcher, but agree with Microsoft that we likely won't see this used in the wild."
Know more about CVE-2024-43639, why Redmond does not anticipate exploitation, or have views on broader historical Kerberos exploits from Kerberoasting and beyond? Share thoughts: Get in touch.
Analysts said that, of November Patch Tuesday's 89 new Microsoft CVEs (four rated critical), the two under active exploitation deserve the most immediate attention. These are CVE-2024-43451, a CVSS 6.5 NTLM hash disclosure spoofing vulnerability, and CVE-2024-49039, a CVSS 8.8 Windows Task Scheduler elevation of privilege (EoP) vulnerability reported by Google TAG and an anonymous researcher; that it was found independently by more than one party suggests exploitation may already be somewhat widespread.
As the ZDI put it: “The bug allows an AppContainer escape – allowing a low-privileged user to execute code at Medium integrity. You still need to be able to execute code on the system for this to occur, but container escapes are still quite interesting as they are rarely seen in the wild…”
Satnam Narang of Tenable noted of CVE-2024-43451 that "to my knowledge, it's the third such vulnerability that can disclose a user's NTLMv2 hash that was exploited in the wild in 2024. In February, Microsoft patched CVE-2024-21410 in Microsoft Exchange Server and CVE-2024-38021 in Microsoft Office in July. Both of these flaws were higher in severity (based on CVSS scores) compared to CVE-2024-43451."
“Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems…” he added in an emailed comment.
Adam Barnett, a lead software engineer at Rapid7, also pointed to CVE-2024-49019, an EoP vulnerability in Active Directory Certificate Services.
He noted: "While the vulnerability only affects assets with the Windows Active Directory Certificate Services role, an attacker who successfully exploits this vulnerability could gain domain admin privileges, so that doesn't offer much comfort. Unsurprisingly, given the potential prize for attackers, Microsoft assesses future exploitation as more likely. Vulnerable PKI environments are those which include published certificates created using a version 1 certificate template with the source of subject name set to 'Supplied in the request' and Enroll permissions granted to a broader set of accounts. Microsoft does not obviously provide any means of determining the certificate template version used to create a certificate, although the advisory does offer recommendations for anyone hoping to secure certificate templates."
Barnett added: "There is a significant history of research and exploitation of Active Directory Certificate Services, including the widely-discussed Certified Pre-Owned series, and the discovering researchers have now added further to that corpus, tagging CVE-2024-49019 as ESC15. In keeping with another long-standing infosec tradition, the researcher has provided a fun celebrity vulnerability name — in this case, EKUwu, a portmanteau of EKU (Extended Key Usage) and UwU, an emoticon representing a cute face — as part of their detailed and insightful write-up."
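Barnett's point is about certificates already issued, which is hard to audit; the templates themselves, however, do expose the three preconditions he lists as LDAP attributes and ACLs. The script below is an added example, not code from the article, Rapid7, Microsoft or the ESC15 researchers. It walks the Certificate Templates container in the configuration partition and reports templates that are schema version 1 (msPKI-Template-Schema-Version = 1), have the subject supplied in the request (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, bit 0x1 of msPKI-Certificate-Name-Flag), are published on at least one enterprise CA, and grant Enroll or GenericAll to a broad principal. The function name Find-Esc15CandidateTemplate and the default list of "broad" principals are this example's assumptions; it flags candidates for review against Microsoft's hardening recommendations rather than proving exploitability.

```powershell
# Added example, not from the article, Rapid7, Microsoft or the ESC15 researchers.
# Enumerates AD CS templates that match the CVE-2024-49019 preconditions quoted
# above. Run from a domain-joined host; uses System.DirectoryServices only, so it
# does not need the RSAT ActiveDirectory module. Function name and the default
# "broad principal" list are assumptions of this example.

function Find-Esc15CandidateTemplate {
    [CmdletBinding()]
    param(
        # Principals treated as "a broader set of accounts" when they hold Enroll
        [string[]]$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Domain Computers')
    )

    $enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
    $extRight    = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll  = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $broadRegex  = '(^|\\)(' + (($BroadPrincipals | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'

    $configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

    # Map template cn -> CAs that publish it; unpublished templates cannot be requested.
    $published = @{}
    $caSearch = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://CN=Enrollment Services,$pkiBase",
        '(objectClass=pKIEnrollmentService)',
        [string[]]@('cn', 'certificateTemplates'))
    foreach ($ca in $caSearch.FindAll()) {
        $caName = [string]$ca.Properties['cn'][0]
        foreach ($t in $ca.Properties['certificatetemplates']) {
            if (-not $published.ContainsKey($t)) { $published[$t] = @() }
            $published[$t] += $caName
        }
    }

    # Only schema-version-1 templates are in scope for this issue.
    $tplSearch = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://CN=Certificate Templates,$pkiBase",
        '(&(objectClass=pKICertificateTemplate)(msPKI-Template-Schema-Version=1))',
        [string[]]@('cn', 'displayName', 'msPKI-Certificate-Name-Flag'))

    foreach ($r in $tplSearch.FindAll()) {
        $name  = [string]$r.Properties['cn'][0]
        $flags = [int]$r.Properties['mspki-certificate-name-flag'][0]   # stored as signed Int32
        if (-not ($flags -band 0x1)) { continue }              # subject not supplied in request
        if (-not $published.ContainsKey($name)) { continue }   # not published on any CA

        # Allow ACEs granting the Enroll extended right (or all extended rights,
        # ObjectType = empty GUID) or GenericAll to one of the broad principals.
        $acl = $r.GetDirectoryEntry().ObjectSecurity
        $broadEnroll = foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($id -notmatch $broadRegex) { continue }
            $rights   = [int]$ace.ActiveDirectoryRights
            $isEnroll = (($rights -band $extRight) -ne 0) -and
                        ($ace.ObjectType -eq $enrollRight -or $ace.ObjectType -eq [guid]::Empty)
            $isAll    = (($rights -band $genericAll) -eq $genericAll)
            if ($isEnroll -or $isAll) { $id }
        }
        if (-not $broadEnroll) { continue }

        [pscustomobject]@{
            Template       = $name
            DisplayName    = [string]$r.Properties['displayname'][0]
            PublishedOn    = ($published[$name] -join ', ')
            BroadEnrollers = (($broadEnroll | Sort-Object -Unique) -join ', ')
            NameFlags      = ('0x{0:X8}' -f $flags)
        }
    }
}

Find-Esc15CandidateTemplate | Format-Table -AutoSize
```

Anything this returns is a template a low-privileged user can request with a subject of their choosing on a version 1 template, which is exactly the combination the advisory singles out; the usual fixes are to unpublish the template, require CA manager approval, or narrow Enroll to the accounts that genuinely need it. Certificates already issued from such templates are a separate clean-up, which is the gap Barnett highlights.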
Seth Hoyt, Senior Security Engineer, Automox, meanwhile flagged CVE-2024-5535 (CVSS 9.1/10) as representing a "significant threat as it affects Microsoft Defender for Endpoint, posing a Remote Code Execution (RCE) risk… An attacker could exploit this by sending a malicious link via email or instant messaging. Once clicked, the attack unfolds without requiring further interaction from you. In addition to immediate patching, it is recommended to enhance your email filters and educate users about the dangers of unsolicited links. Proactive measures and prompt patching are your best defenses against the potential exploitation of this vulnerability."
As ever, prompt patching where humanly possible can save a world of pain. Bonne chance to those pushing patches out to thousands of servers.
In other news, CISA said that, in addition to those two known-exploited Microsoft vulnerabilities, three others are currently being exploited in the wild: a decade-old Cisco Adaptive Security Appliance (ASA) vulnerability, CVE-2014-2120; CVE-2021-26086, an Atlassian Jira Server bug; and CVE-2021-41277, a Metabase GeoJSON API bug.