Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Microsoft Releases Out-of-Band Update for Kerberos Authentication Issues

Microsoft last week released an out-of-band update for Windows to address authentication issues related to a recently patched Kerberos vulnerability.

Microsoft last week released an out-of-band update for Windows to address authentication issues related to a recently patched Kerberos vulnerability.

The issue is related to the PerformTicketSignature registry subkey value in CVE-2020-17049, a security feature bypass bug in Kerberos Key Distribution Center (KDC) that Microsoft fixed on November 2020 Patch Tuesday.

CVE-2020-17049, the tech company explains in an advisory, resides in the manner in which KDC determines whether tickets are eligible for delegation via Kerberos Constrained Delegation (KCD).

“To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it. The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD,” Microsoft notes.

Last week, the company revealed that it identified a series of issues that could occur on writable and read-only domain controllers (DC), namely tickets not being renewed for non-Windows Kerberos clients and S4UProxy delegation failing when PerformTicketSignature is set to 1 (the default), and services failing for all clients when PerformTicketSignature is set to 0.

“An out-of-band optional update is now available on the Microsoft Update Catalog to address a known issue affecting Kerberos authentication. As part of this issue, ticket renewal and other tasks, such as scheduled tasks and clustering, might fail. This issue only affects Windows Servers, and Windows 10 devices and applications in enterprise environments,” Microsoft explains.

The company recommends that only impacted organizations install the out-of-band update on their domain controllers. Furthermore, Microsoft warns that there are some issues that enterprises should be aware of when installing the update, related to the Microsoft Input Method Editor (IME) for Japanese or Chinese languages.

In a post last week, Microsoft Japan provided a series of recommendations on the steps that admins should take to address such issues, in addition to deploying the update to all of the DCs and RODCs (Read-Only Domain Controllers) in the environment.

Related: Microsoft Patches Windows Vulnerability Chained in Attacks With Chrome Bug

Related: Microsoft Unveils ‘Pluton’ Security Processor for PCs

Related: Microsoft, MITRE Release Adversarial Machine Learning Threat Matrix

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...