Severity
High
Analysis Summary
The security bug tracked as CVE-2020-17049 can be exploited in Kerberos Bronze Bit attacks. Proof-of-concept exploit code and full details on a Windows Kerberos security bypass vulnerability have been published earlier this week by Jake Karnes who provides a high-level summary of the vulnerability and details on how attackers can exploit it to compromised vulnerable Windows systems. This attack uses the S4U2self and S4U2proxy protocols introduced by Microsoft as extensions to the Kerberos protocol used by Active Directory. The attack uses the S4U2self protocol to obtain a service ticket for a targeted user to the compromised service, using the service’s password hash. The attack then manipulates this service ticket by ensuring its forwardable flag is set (flipping the “Forwardable” bit to 1). The tampered service ticket is then used in the S4U2proxy protocol to obtain a service ticket for the targeted user to the targeted service. With this final service ticket in hand, the attacker can impersonate the targeted user, send requests to the targeted service, and the requests will be processed under the targeted user’s authority.
Impact
- Security Bypass
- Misuse of Authorized Access
Affected Vendors
Microsoft
Affected Products
Windows
Remediation
Immediately patch the vulnerability.