CVE-2020-17049: Kerberos KDC Security Feature Bypass Vulnerability
Overview
- Severity: Medium (CVSS 6.6)
- CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
- Category: Security Feature Bypass
- Exploit Status: Not Exploited
- Exploitation Likelihood: Less Likely
- Patch Tuesday: 2020-Nov
- Released: 2020-11-10
- Last Updated: 2021-07-13
- EPSS Score: 26.70% (percentile: 96.3%)
Description
A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).
To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.
The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.
FAQ
Do I need to take further steps to be protected from this vulnerability?
Yes. As of April 13, 2021, customers who have already installed the November 10, 2020 security updates need to do the following:
This update assumes that all Domain Controllers are updated with the December 8, 2020 updates or later updates. The December 8, 2020 security updates include fixes for all known issues originally introduced by the November 10, 2020 release of CVE-2020-17049. This update also adds support for Windows Server 2008 SP2 and Windows Server 2008 R2.
Install the updates released on April 13, 2021. These updates remove the PerformTicketSignature setting 0. Setting PerformTicketSignature to 0 after this update is installed has the same effect as setting PerformTicketSignature to 1. Domain controllers (DCs) will be in Deployment mode.
For more information and further steps to enable full protection on domain controller servers see Managing deployment of Kerberos S4U changes for CVE-2020-17049.
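The FAQ above describes the phases in terms of the PerformTicketSignature value on each domain controller. The following PowerShell inventory script is an added example written for this page; it is not Microsoft's code and is not part of the advisory. It assumes the ActiveDirectory RSAT module and PowerShell Remoting to every DC, and that the value lives at HKLM:\SYSTEM\CurrentControlSet\Services\Kdc as the DWORD PerformTicketSignature with meanings 0 = disabled, 1 = Deployment, 2 = Enforcement, which is documented in KB4598347 (the advisory itself names only the "Kdc registry subkey" and the values 0 and 1). It reports the setting per DC in the advisory's phase vocabulary and flags the obsolete value 0.

```powershell
# Added example (not from the Microsoft advisory): inventory the Kerberos
# ticket-signature setting on every domain controller in the current domain.
#
# Assumptions not stated on the advisory page:
#   - ActiveDirectory RSAT module available, PowerShell Remoting enabled to each DC.
#   - Registry location and value meanings per KB4598347:
#       HKLM:\SYSTEM\CurrentControlSet\Services\Kdc, DWORD PerformTicketSignature
#       0 = disabled (removed by the April 2021 update; treated as 1)
#       1 = Deployment mode, 2 = Enforcement mode
#     After the July 2021 update the KDC ignores the value and enforces regardless,
#     so this script is an inventory of configuration, not proof of protection.

Import-Module ActiveDirectory

$kdcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valName = 'PerformTicketSignature'

# Runs on each DC: returns the DWORD as an int, or $null if the value was never created.
$readSetting = {
    param($Key, $Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Translate the raw value into the phase vocabulary the advisory uses.
function Get-KdcTicketSignatureMode {
    param($Value)
    if ($null -eq $Value) { return 'Not set (Deployment mode once the April 2021 update is installed)' }
    if ($Value -eq 0)     { return 'Set to 0 (setting removed in April 2021; behaves as Deployment mode)' }
    if ($Value -eq 1)     { return 'Deployment mode' }
    if ($Value -eq 2)     { return 'Enforcement mode' }
    return "Unexpected value $Value"
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $failure = $null
    $raw     = $null
    try {
        $raw = Invoke-Command -ComputerName $dc.HostName -ScriptBlock $readSetting `
                              -ArgumentList $kdcKey, $valName -ErrorAction Stop
    } catch {
        $failure = $_.Exception.Message
    }

    $rawDisplay = if ($null -eq $raw) { '(absent)' } else { $raw }
    $mode       = if ($failure) { "Query failed: $failure" } else { Get-KdcTicketSignatureMode $raw }

    [pscustomobject]@{
        DomainController = $dc.HostName
        OperatingSystem  = $dc.OperatingSystem
        RawValue         = $rawDisplay
        Mode             = $mode
    }
}

$results | Sort-Object DomainController | Format-Table -AutoSize

# A DC still carrying the value 0 after the April 2021 update has an obsolete
# setting worth cleaning up, even though the KDC already treats it as 1.
$results | Where-Object { $_.RawValue -eq 0 } |
    ForEach-Object { Write-Warning "$($_.DomainController): $valName is 0 (obsolete value)" }
```

Run it from a workstation with RSAT and an account that can read the registry on each DC; a query failure for a given DC is reported in its Mode column rather than aborting the whole inventory, so a single unreachable DC does not hide the others.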
Affected Products (18)
Windows
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 2004 (Server Core installation)
- Windows Server 2016
- Windows Server 2016 (Server Core installation)
- Windows Server, version 20H2 (Server Core Installation)
ESU
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2012
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 R2 (Server Core installation)
Security Updates (13)
Acknowledgments
Jake Karnes of NetSPI (https://www.netspi.com)
Revision History
- 2020-11-10: Information published.
- 2020-11-12: Added an Executive Summary and updated the FAQs to further clarify the information for this CVE. This is an informational change only.
- 2020-11-13: To address a known issue with the Kdc registry subkey settings, Microsoft has revised the guidance for deploying this update. Please see the FAQ section for updated information.
- 2020-11-19: Added information to the FAQ regarding a non-security update to address a known issue for Domain Controllers (DC) Servers.
- 2020-12-08: To comprehensively address CVE-2020-17049, Microsoft has released the following: December 2020 Security Updates for all affected Windows 10 servers, Windows Server 2012 R2, and Windows Server 2012; December 2020 Monthly Rollup updates and Security Only updates for all affected versions of Windows Server 2008 R2 and Windows Server 2008. These updates include fixes for all known issues originally introduced by the November 10, 2020 security updates for CVE-2020-17049. Microsoft strongly recommends that customers running any of these versions of Windows Server install the updates and then follow the steps outlined in https://support.microsoft.com/help/4598347 to enable full protection on domain controller servers.
- 2020-12-08: In the Security Updates table, corrected the Download and Article links for all affected Windows 10 servers, Windows Server 2012 R2, and Windows Server 2012. Note that the December 2020 Security Updates supersede the security updates released on November 10, 2020 and the updates released between November 17, 2020 and November 19, 2020 to address this vulnerability.
- 2021-04-13: Microsoft is releasing security updates for the second deployment phase for this vulnerability. These updates remove the PerformTicketSignature setting 0. Setting PerformTicketSignature to 0 after this update is installed has the same effect as setting PerformTicketSignature to 1. Domain controllers (DCs) will be in Deployment mode. See the FAQ section of this CVE and KB4598347 for more information.
- 2021-07-13: Microsoft is releasing security updates to deploy the enforcement phase for this vulnerability. Active Directory domain controllers are now capable of Enforcement mode. Going to Enforcement mode requires that all Active Directory domain controllers have the December 8, 2020 update or a later Windows update installed. At this time, the PerformTicketSignature registry key settings will be ignored and Enforcement mode cannot be overridden. See the FAQ section of this CVE and KB4598347 for more information.