CVE-2020-16996: Kerberos Security Feature Bypass Vulnerability
Overview
- Severity: Medium (CVSS 6.5)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
- Category: Security Feature Bypass
- Exploit Status: Not Exploited
- Exploitation Likelihood: Less Likely
- Patch Tuesday: 2020-Dec
- Released: 2020-12-08
- Last Updated: 2021-03-12
- EPSS Score: 10.04% (percentile: 93.1%)
FAQ
Q: Does this security fix require any additional steps in order to be protected from this issue?
A: Yes. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see "Managing deployment of RBCD/Protected User changes for CVE-2020-16996".
Affected Products (12)
Windows
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 2004 (Server Core installation)
- Windows Server 2016
- Windows Server 2016 (Server Core installation)
- Windows Server, version 20H2 (Server Core Installation)
ESU
- Windows Server 2012
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 R2 (Server Core installation)
Security Updates (9)
Revision History
- 2020-12-08: Information published.
- 2020-12-09: Corrected Download and Article links in the Security Updates table. This is an informational change only.
- 2021-03-12: Microsoft is announcing the release of the second phase of the Windows security updates to address this vulnerability. The March 9, 2021 and superseding Windows updates enable Enforcement mode on all Active Directory domain controllers (DCs). These DCs will now be in Enforcement mode unless the Enforcement mode registry key is set to 1 (Disabled); if the Enforcement mode registry key is set, that setting will be honored. Going to Enforcement mode requires that all Active Directory domain controllers have the December 8, 2020 update or a later update installed. Microsoft strongly recommends that customers install the March 9, 2021 updates to be fully protected from this vulnerability. Customers whose Windows devices are configured to receive automatic updates do not need to take any further action.