Microsoft has released additional details on how to fully mitigate a security feature bypass vulnerability in Kerberos KDC (Key Distribution Center) patched during this month’s Patch Tuesday.
The remotely exploitable security bug tracked as CVE-2020-17049 exists in the way KDC decides if service tickets can be used for delegation via Kerberos Constrained Delegation (KCD).
Kerberos is the default authentication protocol for domain connected devices running Windows 2000 or later. Kerberos KDC is a feature that manages service tickets used for encrypting messages between network servers and clients.
Updates needed for mitigation
Microsoft released security updates to address the Kerberos KDC security feature bypass earlier this month, during November 2020’s Patch Tuesday.
However, as Microsoft’s Japan Security Team said, “[a]ddressing this vulnerability requires not only deploying security updates to all DCs (Domain Controllers) and RODCs (Read-Only Domain Controllers) in the forest, but also additional response steps.”
As of November 19, 2020, these are the updates admins can deploy to mitigate the vulnerability on DC and RODC servers on their network.
|Windows Servers||Knowledge Base number|
|Windows Server 2012||4586834 (Monthly Rollup)
4586808 (Security Only)
|Windows Server 2012 R2||4586845 (Monthly Rollup)
4586823 (Security Only)
|Windows Server 2016||4586830|
|Windows Server 2019||4586793|
|Windows Server, version 1903/1909||4586786|
|Windows Server, version 2004 / 20H2||4586781|
Additional steps for full mitigation
To fully mitigate the vulnerability on impacted domain controller servers, Microsoft also recommends taking extra steps before installing the update.
The additional steps require admins to make sure that the PerformTicketSignature setting in the Kdc registry subkey at HKEY_LOCAL_MACHINESystemCurrentControlSetServicesKdc is set to 1 to avoid causing the S4USelf feature of Kerberos to become non-functional when the subkey is set to 0.
The procedure to be followed for the correct deployment of the CVE-2020-17049 security update involves setting the Kdc registry to 1 before installing the actual update to DC servers:
- Locate the Kdc registry subkey, and if it exists on the system, ensure that it is set to 1.
- Complete the deployment to all DCs (and Read-Only DCs) in your forest.
Kerberos authentication issues
However, patching CVE-2020-17049 will cause some domain controllers to potentially encounter Kerberos authentication and Kerberos ticket renewal issues as Microsoft revealed on the Windows Health Dashboard on November 16.
The issue only impacts Windows Servers, Windows 10 devices, and vulnerable applications in enterprise environments.
Experienced problems include authentication issues when using S4U scenarios, cross-realm referrals failures on both Windows and non-Windows devices for Kerberos referral tickets, as well as certain non-compliant Kerberos tickets being rejected, depending on the value of the PerformTicketSignature setting.
More details on potential issues that might be experienced after installing the CVE-2020-17049 security updates can be found here.
Two days later, the company released out-of-band (OOB) updates to address the Kerberos auth issues on all affected Windows Server versions, from Windows Server 2012 up to Windows Server 20H2.
The full list of affected Windows Server versions is available in the table below, together with the updates causing the issue and the optional OOB updates that mitigate the issue.
* Updates released one day later to address the issue on all impacted Windows Server versions.
The update cannot be installed via Windows Update or Microsoft Update channels because it is only available as stand-alone packages distributed through the Microsoft Update Catalog.
Get your CompTIA A+, Network+ White Hat-Hacker, Certified Web Intelligence Analyst and more starting at $35 a month. Click here for more details.