Microsoft Security Bulletin MS14-068 - Critical
Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)
Published: November 18, 2014
Version: 1.0
Executive Summary
This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.
This security update is rated Critical for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. The update is also being provided on a defense-in-depth basis for all supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1. For more information, see the Affected Software section.
The security update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.
For more information about this update, see Microsoft Knowledge Base Article 3011780.
Affected Software
The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.
Affected Software
Operating System | Maximum Security Impact | Aggregate Severity Rating | Updates Replaced |
---|---|---|---|
Windows Server 2003 | |||
Windows Server 2003 Service Pack 2 (3011780) | Elevation of Privilege | Critical | 2478971 in MS11-013 |
Windows Server 2003 x64 Edition Service Pack 2 (3011780) | Elevation of Privilege | Critical | 2478971 in MS11-013 |
Windows Server 2003 with SP2 for Itanium-based Systems (3011780) | Elevation of Privilege | Critical | 2478971 in MS11-013 |
Windows Vista | |||
Windows Vista Service Pack 2 (3011780) | None | No severity rating[1] | None |
Windows Vista x64 Edition Service Pack 2 (3011780) | None | No severity rating[1] | None |
Windows Server 2008 | |||
Windows Server 2008 for 32-bit Systems Service Pack 2 (3011780) | Elevation of Privilege | Critical | 977290 in MS10-014 |
Windows Server 2008 for x64-based Systems Service Pack 2 (3011780) | Elevation of Privilege | Critical | 977290 in MS10-014 |
Windows Server 2008 for Itanium-based Systems Service Pack 2 (3011780) | Elevation of Privilege | Critical | None |
Windows 7 | |||
Windows 7 for 32-bit Systems Service Pack 1 (3011780) | None | No severity rating[1] | 2982378 in SA2871997 |
Windows 7 for x64-based Systems Service Pack 1 (3011780) | None | No severity rating[1] | 2982378 in SA2871997 |
Windows Server 2008 R2 | |||
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3011780) | Elevation of Privilege | Critical | 2982378 in SA2871997 |
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3011780) | Elevation of Privilege | Critical | 2982378 in SA2871997 |
Windows 8 and Windows 8.1 | |||
Windows 8 for 32-bit Systems (3011780) | None | No severity rating[1] | None |
Windows 8 for x64-based Systems (3011780) | None | No severity rating[1] | None |
Windows 8.1 for 32-bit Systems (3011780) | None | No severity rating[1] | None |
Windows 8.1 for x64-based Systems (3011780) | None | No severity rating[1] | None |
Windows Server 2012 and Windows Server 2012 R2 | |||
Windows Server 2012 (3011780) | Elevation of Privilege | Critical | None |
Windows Server 2012 R2 (3011780) | Elevation of Privilege | Critical | None |
Server Core installation option | |||
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (3011780) | Elevation of Privilege | Critical | 977290 in MS10-014 |
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (3011780) | Elevation of Privilege | Critical | 977290 in MS10-014 |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3011780) | Elevation of Privilege | Critical | 2982378 in SA2871997 |
Windows Server 2012 (Server Core installation) (3011780) | Elevation of Privilege | Critical | None |
Windows Server 2012 R2 (Server Core installation) (3011780) | Elevation of Privilege | Critical | None |
Note The update is available for Windows Technical Preview and Windows Server Technical Preview. Customers running these operating systems are encouraged to apply the update, which is available via Windows Update.
[1] Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability.
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the November bulletin summary.
Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected Software | Kerberos Checksum Vulnerability - CVE-2014-6324 | Aggregate Severity Rating |
---|---|---|
Windows Server 2003 | ||
Windows Server 2003 Service Pack 2 (3011780) | Critical Elevation of Privilege | Critical |
Windows Server 2003 x64 Edition Service Pack 2 (3011780) | Critical Elevation of Privilege | Critical |
Windows Server 2003 with SP2 for Itanium-based Systems (3011780) | Critical Elevation of Privilege | Critical |
Windows Vista | ||
Windows Vista Service Pack 2 (3011780) | No severity rating | No severity rating |
Windows Vista x64 Edition Service Pack 2 (3011780) | No severity rating | No severity rating |
Windows Server 2008 | ||
Windows Server 2008 for 32-bit Systems Service Pack 2 (3011780) | Critical Elevation of Privilege | Critical |
Windows Server 2008 for x64-based Systems Service Pack 2 (3011780) | Critical Elevation of Privilege | Critical |
Windows Server 2008 for Itanium-based Systems Service Pack 2 (3011780) | Critical Elevation of Privilege | Critical |
Windows 7 | ||
Windows 7 for 32-bit Systems Service Pack 1 (3011780) | No severity rating | No severity rating |
Windows 7 for x64-based Systems Service Pack 1 (3011780) | No severity rating | No severity rating |
Windows Server 2008 R2 | ||
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3011780) | Critical Elevation of Privilege | Critical |
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3011780) | Critical Elevation of Privilege | Critical |
Windows 8 and Windows 8.1 | ||
Windows 8 for 32-bit Systems (3011780) | No severity rating | No severity rating |
Windows 8 for x64-based Systems (3011780) | No severity rating | No severity rating |
Windows 8.1 for 32-bit Systems (3011780) | No severity rating | No severity rating |
Windows 8.1 for x64-based Systems (3011780) | No severity rating | No severity rating |
Windows Server 2012 and Windows Server 2012 R2 | ||
Windows Server 2012 (3011780) | Critical Elevation of Privilege | Critical |
Windows Server 2012 R2 (3011780) | Critical Elevation of Privilege | Critical |
Server Core installation option | ||
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (3011780) | Critical Elevation of Privilege | Critical |
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (3011780) | Critical Elevation of Privilege | Critical |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3011780) | Critical Elevation of Privilege | Critical |
Windows Server 2012 (Server Core installation) (3011780) | Critical Elevation of Privilege | Critical |
Windows Server 2012 R2 (Server Core installation) (3011780) | Critical Elevation of Privilege | Critical |
Kerberos Checksum Vulnerability - CVE-2014-6324
A remote elevation of privilege vulnerability exists in implementations of Kerberos KDC in Microsoft Windows. The vulnerability exists when the Microsoft Kerberos KDC implementations fail to properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability. Note that the known attacks did not affect systems running Windows Server 2012 or Windows Server 2012 R2. The update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos.
Mitigating Factors
The following mitigating factors may be helpful in your situation:
- An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only.
Workarounds
Microsoft has not identified any workarounds for this vulnerability.
FAQ
What might an attacker use the vulnerability to do?
An attacker could use this vulnerability to elevate an unprivileged domain user account to a domain administrator account. An attacker that successfully exploited this vulnerability could impersonate any user on the domain, including domain administrators, and join any group. By impersonating the domain administrator, the attacker could install programs; view, change or delete data; or create new accounts on any domain-joined system.
How could an attacker exploit the vulnerability?
An authenticated domain user could send the Kerberos KDC a forged Kerberos ticket that claims the user is a domain administrator. The Kerberos KDC improperly validates the forged ticket's signature when processing requests from the attacker, allowing the attacker to access any resource on the network with the identity of a domain administrator.
What systems are primarily at risk from the vulnerability?
Domain controllers that are configured to act as a Kerberos Key Distribution Center (KDC) are primarily at risk.
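The forged ticket described above leaves a trace on the domain controller that accepts it: the resulting successful-logon event (Security log event 4624) records the Security ID of the impersonated account under "New Logon" while the Account Name field still carries the name from the attacker's own credentials. The following script is an added detection example for defenders, not code from this bulletin or from Microsoft. It parses rendered 4624 messages and flags entries whose Security ID resolves to a different account than the one named. The SID-to-account map and the event messages are constructed sample data; in practice the map is built from an Active Directory export and the messages come from the domain controllers' Security logs.

```python
"""
Detection example (added; not Microsoft's code): flag 4624 logon events on a
domain controller whose "New Logon" Security ID resolves to one account while
the Account Name names another, a known post-exploitation indicator for
CVE-2014-6324. All SIDs, names and event messages below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed domain SID and SID -> sAMAccountName map. In production this map
# is built from an Active Directory export, not hard-coded.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SID_TO_ACCOUNT = {
    f"{DOMAIN_SID}-500": "Administrator",
    f"{DOMAIN_SID}-1105": "jsmith",
    f"{DOMAIN_SID}-1210": "svc-backup",
}


@dataclass
class SecurityEvent:
    record_id: int
    event_id: int
    computer: str   # domain controller that logged the event
    message: str    # rendered event text as exported from the Security log


def _logon_message(sid, account, domain="CORP", logon_type=3):
    """Build a constructed 4624 message body in the layout the Security log uses."""
    return (
        "An account was successfully logged on.\n\n"
        "Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n"
        "\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\n"
        f"Logon Type:\t\t\t{logon_type}\n\n"
        f"New Logon:\n\tSecurity ID:\t\t{sid}\n\tAccount Name:\t\t{account}\n"
        f"\tAccount Domain:\t\t{domain}\n\tLogon ID:\t\t0x1A2B3C\n\n"
        "Process Information:\n\tProcess ID:\t\t0x0\n"
    )


# Constructed sample events covering the normal case, the indicator, and edge cases.
SAMPLE_EVENTS = [
    # Normal: SID and account name agree.
    SecurityEvent(1, 4624, "DC01", _logon_message(f"{DOMAIN_SID}-1105", "jsmith")),
    # Suspicious: RID-500 Administrator SID, but the logon is named jsmith.
    SecurityEvent(2, 4624, "DC01", _logon_message(f"{DOMAIN_SID}-500", "jsmith")),
    # Case differences alone are not a mismatch.
    SecurityEvent(3, 4624, "DC02", _logon_message(f"{DOMAIN_SID}-500", "ADMINISTRATOR")),
    # Other event IDs are ignored.
    SecurityEvent(4, 4634, "DC02", "An account was logged off.\n"),
    # SID not in our map: no basis for a verdict, skipped.
    SecurityEvent(5, 4624, "DC02", _logon_message("S-1-5-7", "ANONYMOUS LOGON", "NT AUTHORITY")),
]

# The "New Logon:" section is the indented block that follows that label.
NEW_LOGON_RE = re.compile(r"New Logon:[ \t]*\n(?P<body>(?:[ \t]+.*\n?)+)")
FIELD_RE = re.compile(r"^[ \t]*(?P<key>[^:\n]+?):[ \t]*(?P<val>.*?)[ \t]*$", re.M)


def parse_new_logon(message):
    """Return the 'New Logon' fields of a 4624 message as a dict, or None."""
    m = NEW_LOGON_RE.search(message)
    if not m:
        return None
    return {k.strip(): v for k, v in FIELD_RE.findall(m.group("body"))}


def find_sid_name_mismatches(events, sid_map):
    """Flag 4624 events whose New Logon SID resolves to a different account name."""
    findings = []
    for ev in events:
        if ev.event_id != 4624:
            continue
        fields = parse_new_logon(ev.message)
        if not fields:
            continue
        sid = fields.get("Security ID", "")
        logged = fields.get("Account Name", "")
        expected = sid_map.get(sid)
        if expected is None:
            continue  # unknown SID: cannot judge from this map
        if expected.casefold() != logged.casefold():
            findings.append({
                "record_id": ev.record_id,
                "computer": ev.computer,
                "sid": sid,
                "expected_account": expected,
                "logged_account": logged,
            })
    return findings


if __name__ == "__main__":
    for f in find_sid_name_mismatches(SAMPLE_EVENTS, SID_TO_ACCOUNT):
        print(f"[{f['computer']}] record {f['record_id']}: SID {f['sid']} belongs to "
              f"{f['expected_account']} but the logon was named {f['logged_account']}")
```

Run against the constructed data, only record 2 is reported. Unknown SIDs are deliberately skipped rather than flagged, because a complete SID map is needed before a missing entry means anything; on real domain controllers, review such findings alongside the update status in the table above, since the indicator is only expected on unpatched KDCs.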
Security Update Deployment
For Security Update Deployment information see the Microsoft Knowledge Base article referenced in the Executive Summary.
Acknowledgments
Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
- V1.0 (November 18, 2014): Bulletin published.
Page generated 2015-01-14 11:40Z-08:00.