In Microsoft’s November Patch Tuesday update last week, one advisory that had originally been scheduled to be included was not. That advisory, MS14-068, is now out in an emergency out-of-band patch update for a critical vulnerability in the Windows Kerberos authentication mechanism.
The vulnerability has been identified as CVE-2014-6324, and, according to Microsoft’s advisory, an attacker could potentially exploit the Kerberos vulnerability to elevate unprivileged domain user account privileges to those of the domain administrator account.
“An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers,” Microsoft warned. “When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.”
The MS14-068 patch was included in Microsoft’s initial advance notification for the November patch haul but was pulled after Microsoft discovered some issues with the patch.
“We continued to work on this bulletin, and released it once ready,” a Microsoft spokesperson told eWEEK. “We remain focused on minimizing potential customer disruptions with our releases.”
Darien Kindlund, director of threat intelligence at FireEye, told eWEEK that so far his organization has not seen any exploitation of the CVE-2014-6324 vulnerability. That said, Kindlund noted that the issue is very severe.
“This exploit allows an attacker to effectively own an entire enterprise Active Directory domain and gain full control over an entire network, making lateral movement trivial to accomplish for any threat actor,” Kindlund said.
The CVE-2014-6324 vulnerability seems pretty nasty, but it does require that an attacker already have some form of authenticated access before being able to attempt to elevate credentials, Ross Barrett, senior manager of security engineering at Rapid7, said. “While this does seem bad, if an attacker has already authenticated in most networks, it’s really only a matter of time until they can steal elevated credentials through one vector or another,” Barrett told eWEEK.
Wolfgang Kandek, CTO at Qualys, told eWEEK that the Kerberos bug is indeed critical in its worst case, but that will vary from organization to organization. What makes the bug controllable is the fact that the attacker needs a working account on the domain controller in question, he said.
“I believe most organizations that have limited accessibility for their domain controllers and strong account termination policies should be able to test the patch thoroughly,” Kandek said.
If an organization has, in fact, been breached by this vulnerability, simply patching the issue is likely not enough to fix the entire problem.
Alberto G. Solino, technical program manager at Core Security, told eWEEK that, according to the bulletin, having access as any regular domain user will give the attacker domain administrator access back, when exploiting this vulnerability. It also looks like the reliability of exploiting this vulnerability is high, he added.
“The worst part I’d say is what Microsoft recommends as remediation,” Solino said.
According to a Microsoft blog post, “The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain.”
A complete domain rebuild is unrealistic in most scenarios, Solino said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.