Microsoft Security Bulletin MS14-068 - Critical

Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)

Published: November 18, 2014

Version: 1.0

This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.

This security update is rated Critical for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. The update is also being provided on a defense-in-depth basis for all supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1. For more information, see the Affected Software section.

The security update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.

For more information about this update, see Microsoft Knowledge Base Article 3011780.

The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Affected Software

Operating System | Maximum Security Impact | Aggregate Severity Rating | Updates Replaced
---------------- | ----------------------- | ------------------------- | ----------------

Windows Server 2003
Windows Server 2003 Service Pack 2 (3011780) | Elevation of Privilege | Critical | 2478971 in MS11-013
Windows Server 2003 x64 Edition Service Pack 2 (3011780) | Elevation of Privilege | Critical | 2478971 in MS11-013
Windows Server 2003 with SP2 for Itanium-based Systems (3011780) | Elevation of Privilege | Critical | 2478971 in MS11-013

Windows Vista
Windows Vista Service Pack 2 (3011780) | None | No severity rating[1] | None
Windows Vista x64 Edition Service Pack 2 (3011780) | None | No severity rating[1] | None

Windows Server 2008
Windows Server 2008 for 32-bit Systems Service Pack 2 (3011780) | Elevation of Privilege | Critical | 977290 in MS10-014
Windows Server 2008 for x64-based Systems Service Pack 2 (3011780) | Elevation of Privilege | Critical | 977290 in MS10-014
Windows Server 2008 for Itanium-based Systems Service Pack 2 (3011780) | Elevation of Privilege | Critical | None

Windows 7
Windows 7 for 32-bit Systems Service Pack 1 (3011780) | None | No severity rating[1] | 2982378 in SA2871997
Windows 7 for x64-based Systems Service Pack 1 (3011780) | None | No severity rating[1] | 2982378 in SA2871997

Windows Server 2008 R2
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3011780) | Elevation of Privilege | Critical | 2982378 in SA2871997
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3011780) | Elevation of Privilege | Critical | 2982378 in SA2871997

Windows 8 and Windows 8.1
Windows 8 for 32-bit Systems (3011780) | None | No severity rating[1] | None
Windows 8 for x64-based Systems (3011780) | None | No severity rating[1] | None
Windows 8.1 for 32-bit Systems (3011780) | None | No severity rating[1] | None
Windows 8.1 for x64-based Systems (3011780) | None | No severity rating[1] | None

Windows Server 2012 and Windows Server 2012 R2
Windows Server 2012 (3011780) | Elevation of Privilege | Critical | None
Windows Server 2012 R2 (3011780) | Elevation of Privilege | Critical | None

Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (3011780) | Elevation of Privilege | Critical | 977290 in MS10-014
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (3011780) | Elevation of Privilege | Critical | 977290 in MS10-014
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3011780) | Elevation of Privilege | Critical | 2982378 in SA2871997
Windows Server 2012 (Server Core installation) (3011780) | Elevation of Privilege | Critical | None
Windows Server 2012 R2 (Server Core installation) (3011780) | Elevation of Privilege | Critical | None

Note: The update is available for Windows Technical Preview and Windows Server Technical Preview. Customers running these operating systems are encouraged to apply the update, which is available via Windows Update.

[1] Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability.

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the November bulletin summary.

Vulnerability Severity Rating and Maximum Security Impact by Affected Software

Affected Software | Kerberos Checksum Vulnerability - CVE-2014-6324 | Aggregate Severity Rating
----------------- | ----------------------------------------------- | -------------------------

Windows Server 2003
Windows Server 2003 Service Pack 2 (3011780) | Critical / Elevation of Privilege | Critical
Windows Server 2003 x64 Edition Service Pack 2 (3011780) | Critical / Elevation of Privilege | Critical
Windows Server 2003 with SP2 for Itanium-based Systems (3011780) | Critical / Elevation of Privilege | Critical

Windows Vista
Windows Vista Service Pack 2 (3011780) | No severity rating | No severity rating
Windows Vista x64 Edition Service Pack 2 (3011780) | No severity rating | No severity rating

Windows Server 2008
Windows Server 2008 for 32-bit Systems Service Pack 2 (3011780) | Critical / Elevation of Privilege | Critical
Windows Server 2008 for x64-based Systems Service Pack 2 (3011780) | Critical / Elevation of Privilege | Critical
Windows Server 2008 for Itanium-based Systems Service Pack 2 (3011780) | Critical / Elevation of Privilege | Critical

Windows 7
Windows 7 for 32-bit Systems Service Pack 1 (3011780) | No severity rating | No severity rating
Windows 7 for x64-based Systems Service Pack 1 (3011780) | No severity rating | No severity rating

Windows Server 2008 R2
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3011780) | Critical / Elevation of Privilege | Critical
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3011780) | Critical / Elevation of Privilege | Critical

Windows 8 and Windows 8.1
Windows 8 for 32-bit Systems (3011780) | No severity rating | No severity rating
Windows 8 for x64-based Systems (3011780) | No severity rating | No severity rating
Windows 8.1 for 32-bit Systems (3011780) | No severity rating | No severity rating
Windows 8.1 for x64-based Systems (3011780) | No severity rating | No severity rating

Windows Server 2012 and Windows Server 2012 R2
Windows Server 2012 (3011780) | Critical / Elevation of Privilege | Critical
Windows Server 2012 R2 (3011780) | Critical / Elevation of Privilege | Critical

Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (3011780) | Critical / Elevation of Privilege | Critical
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (3011780) | Critical / Elevation of Privilege | Critical
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3011780) | Critical / Elevation of Privilege | Critical
Windows Server 2012 (Server Core installation) (3011780) | Critical / Elevation of Privilege | Critical
Windows Server 2012 R2 (Server Core installation) (3011780) | Critical / Elevation of Privilege | Critical

A remote elevation of privilege vulnerability exists in implementations of Kerberos KDC in Microsoft Windows. The vulnerability exists when the Microsoft Kerberos KDC implementations fail to properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability. Note that the known attacks did not affect systems running Windows Server 2012 or Windows Server 2012 R2. The update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos.

Mitigating Factors

The following mitigating factors may be helpful in your situation:

  • An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. 

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

FAQ

What might an attacker use the vulnerability to do? 
An attacker could use this vulnerability to elevate an unprivileged domain user account to a domain administrator account. An attacker that successfully exploited this vulnerability could impersonate any user on the domain, including domain administrators, and join any group. By impersonating the domain administrator, the attacker could install programs; view, change or delete data; or create new accounts on any domain-joined system.

How could an attacker exploit the vulnerability? 
An authenticated domain user could send the Kerberos KDC a forged Kerberos ticket which claims the user is a domain administrator. Kerberos KDC improperly validates the forged ticket signature when processing requests from the attacker, allowing the attacker to access any resource on the network with the identity of a domain administrator.
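The bulletin does not describe the root cause, so as an added illustration (not code from the bulletin or from Windows) here is a constructed Python model of the class of signature-verification flaw it describes: a verifier that lets the ticket itself name the checksum algorithm will accept an unkeyed checksum, so the group claims it covers are not actually authenticated, whereas the hardened verifier only accepts a keyed checksum computed under the KDC's secret. The ticket layout, field names, algorithm sets and the sample key are all assumptions for the illustration, not the real Kerberos wire format.

```python
import hashlib
import hmac
import zlib

# Constructed toy model of a signed authorization block in a service ticket.
# Field names, layout and algorithm sets are illustrative assumptions only.
KEYED_TYPES = {"hmac-sha256"}     # computing these requires the KDC's secret
UNKEYED_TYPES = {"md5", "crc32"}  # anyone can compute these over any body

def checksum(ctype, key, body):
    """Compute the checksum named by ctype; unkeyed types ignore key."""
    if ctype == "hmac-sha256":
        return hmac.new(key, body, hashlib.sha256).digest()
    if ctype == "md5":
        return hashlib.md5(body).digest()
    if ctype == "crc32":
        return zlib.crc32(body).to_bytes(4, "little")
    raise ValueError(f"unsupported checksum type: {ctype}")

def encode_body(user, groups):
    """Serialize the authorization data (user and group claims)."""
    return f"{user}|{','.join(groups)}".encode()

def kdc_issue(kdc_key, user, groups):
    """What the KDC issues: claims signed with a keyed checksum."""
    body = encode_body(user, groups)
    return {"body": body, "ctype": "hmac-sha256",
            "sig": checksum("hmac-sha256", kdc_key, body)}

def client_only_ticket(user, groups, ctype):
    """Claims a party WITHOUT the KDC key can still 'sign' with an unkeyed
    checksum. Used only as test input for the two verifiers below."""
    assert ctype in UNKEYED_TYPES
    body = encode_body(user, groups)
    return {"body": body, "ctype": ctype, "sig": checksum(ctype, None, body)}

def verify_vulnerable(kdc_key, ticket):
    """Flawed pattern: trusts the checksum type declared inside the ticket,
    so an unkeyed type passes and the checksum proves nothing about origin."""
    if ticket["ctype"] not in KEYED_TYPES | UNKEYED_TYPES:
        return False
    expected = checksum(ticket["ctype"], kdc_key, ticket["body"])
    return hmac.compare_digest(expected, ticket["sig"])

def verify_hardened(kdc_key, ticket):
    """Corrected pattern: the verifier, not the ticket, decides what counts
    as a signature; only keyed checksums may authenticate claims."""
    if ticket["ctype"] not in KEYED_TYPES:
        return False
    expected = checksum(ticket["ctype"], kdc_key, ticket["body"])
    return hmac.compare_digest(expected, ticket["sig"])
```

A genuine KDC-issued ticket passes both verifiers; a ticket that carries elevated group claims under an unkeyed checksum passes only the flawed one, and any tampering with a keyed ticket's body fails both.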

What systems are primarily at risk from the vulnerability? 
Domain controllers that are configured to act as a Kerberos Key Distribution Center (KDC) are primarily at risk.

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

  • V1.0 (November 18, 2014): Bulletin published.

Page generated 2015-01-14 11:40Z-08:00.