CVE-2024-43639: Windows KDC Proxy Remote Code Execution Vulnerability
Overview
- Severity: Critical (CVSS 9.8)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
- Category: Remote Code Execution
- Exploit Status: Not Exploited
- Exploitation Likelihood: Less Likely
- Patch Tuesday: 2024-Nov
- Released: 2024-11-12
- Last Updated: 2024-11-18
- EPSS Score: 3.01% (percentile: 86.6%)
FAQ
How could an attacker exploit this vulnerability?
An unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target.
Is the KDC Proxy Server service (KPSSVC) a dependency of KKDCP?
The vulnerability only exists on the KPSSVC server. We recommend that instances of KPSSVC server be patched immediately.
Must KPSSVC be running for KKDCP to be enabled and functional?
Yes.
Will KPSSVC be started on-demand?
No. You are only vulnerable if you are already using KPSSVC in your environment. KPSSVC is an additional feature Microsoft has been providing since Windows Server 2012. If you do not have it configured in your environment, then this vulnerability is not exploitable.
Are all Windows Servers affected by this vulnerability?
This vulnerability only affects Windows Servers that are configured as a [MS-KKDCP]: Kerberos Key Distribution Center (KDC) Proxy Protocol server. Domain controllers are not affected.
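As an added check that is not part of this advisory: the PowerShell script below inventories whether KPSSVC is installed, running and configured on one or more servers, which is the exposure condition the FAQ above describes. The KPSSVC settings registry path, the HttpsClientAuth value and the /KdcProxy URL reservation it looks for are taken from Microsoft's KDC proxy configuration guidance and are assumptions of the example, not values from this page.

```powershell
# Added inventory check, not part of the MSRC advisory. Reports whether each
# server has the KDC Proxy Server service (KPSSVC) present, running and
# configured for KKDCP, the condition under which CVE-2024-43639 applies.
# Assumption: the settings key and the /KdcProxy URL reservation come from
# Microsoft's KDC proxy setup documentation, not from this advisory.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$settingsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings'

$check = {
    param($settingsKey)
    $svc = Get-Service -Name KPSSVC -ErrorAction SilentlyContinue
    $cfg = Get-ItemProperty -Path $settingsKey -ErrorAction SilentlyContinue
    # A configured KDC proxy also has an HTTP.sys URL reservation for /KdcProxy
    $urlAcl = (netsh http show urlacl) -match 'KdcProxy'
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        ServicePresent  = [bool]$svc
        Status          = if ($svc) { $svc.Status.ToString() } else { 'n/a' }
        StartType       = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        SettingsKey     = [bool]$cfg
        HttpsClientAuth = if ($cfg) { $cfg.HttpsClientAuth } else { $null }
        KdcProxyUrlAcl  = [bool]$urlAcl
    }
}

$results = foreach ($c in $ComputerName) {
    if ($c -eq $env:COMPUTERNAME) { & $check $settingsKey }
    else { Invoke-Command -ComputerName $c -ScriptBlock $check -ArgumentList $settingsKey }
}

# Per the advisory, only servers actually running KPSSVC as a KKDCP proxy are
# affected; flag those so they can be patched first.
$results | ForEach-Object {
    $exposed = $_.ServicePresent -and $_.Status -eq 'Running' -and
               ($_.SettingsKey -or $_.KdcProxyUrlAcl)
    $_ | Add-Member -NotePropertyName Exposed -NotePropertyValue $exposed -PassThru
} | Format-Table -AutoSize
```

Run it with `-ComputerName` set to your server list; rows with Exposed = True are the KKDCP proxies the advisory says to patch immediately, while domain controllers without KPSSVC will show the service absent.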
Affected Products (13)
Windows
- Windows Server 2025
- Windows Server 2025 (Server Core installation)
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows Server 2022
- Windows Server 2022 (Server Core installation)
- Windows Server 2022, 23H2 Edition (Server Core installation)
- Windows Server 2016
- Windows Server 2016 (Server Core installation)
ESU
- Windows Server 2012
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 R2 (Server Core installation)
Security Updates (9)
Acknowledgments
Wei in Kunlun Lab with Cyber KunLun (https://www.cyberkl.com/), k0shl (https://twitter.com/keyz3r0) with Kunlun Lab (https://www.cyberkl.com/)
Revision History
- 2024-11-12: Information published.
- 2024-11-13: Updated the CVE title to better reflect the affected protocol and added an FAQ to explain that only Windows Servers that are configured with the [MS-KKDCP]: Kerberos Key Distribution Center (KDC) Proxy Protocol are affected.
- 2024-11-18: Added FAQs to explain the mitigating circumstances for this vulnerability. KPSSVC is an additional feature Microsoft has been providing since Windows Server 2012. If customers do not have it configured in their environment, then this vulnerability is not exploitable. This is an informational change only.