One Week On: Microsoft Releases Urgent Patch for Critical EoP Flaw

Microsoft has issued an out-of-band patch, held back from last Tuesday’s scheduled round of updates, that fixes a critical flaw in the Kerberos Key Distribution Center (KDC) which could allow users with minimal log-in rights to impersonate a domain admin.

Elevation of privilege vulnerabilities like this are rarely rated critical, but this one, CVE-2014-6324, is already “being exploited in-the-wild in limited, targeted attacks,” Microsoft said in an update.

Redmond continued in a blog post:

“The exploit found in-the-wild targeted a vulnerable code path in domain controllers running on Windows Server 2008R2 and below. Microsoft has determined that domain controllers running 2012 and above are vulnerable to a related attack, but it would be significantly more difficult to exploit. Non-domain controllers running all versions of Windows are receiving a ‘defense in depth’ update but are not vulnerable to this issue.”

Writing on the Sophos Naked Security blog, APAC head of technology Paul Ducklin urged administrators to heed Microsoft’s advice no matter what version of Windows they’re running.

“Patching ‘just in case’ is a bit like encrypting everything, even files that aren't confidential, on the grounds that then you don't have to worry whether you left anything out,” he said. “We say, ‘Do it today!’”

Chris Goettl, product manager at Shavlik, agreed that all administrators should include this one in their patch cycles “ASAP”, since an attacker could forge a Kerberos ticket and present it to the KDC, which would accept them as a domain administrator.

“From there the attacker can impersonate any domain accounts, add themselves to any group, install programs, view\change\delete data, or create any new accounts they wish,” he said.

“This could allow the attacker to then compromise any computer in the domain, including domain controllers. If there is a silver lining in this one it is in the fact that the attacker must have a valid domain user account to exploit the vulnerability, but once they have done so, they have the keys to the kingdom.”
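As an added example that is not from this article or from Microsoft, Sophos or Shavlik: a small Python check for the indicator Microsoft described in its follow-up guidance for this flaw (not quoted above), namely that a forged ticket shows up on a domain controller as a 4624 logon event whose Security ID resolves to a different account than the logged Account Name. The event lines and the SID-to-account map are constructed for the example; in practice the map would come from Active Directory.

```python
import re

# Constructed sample 4624 (logon) event excerpts as they might appear on a
# domain controller. Only the fields the check needs are included.
SAMPLE_EVENTS = """
EventID=4624 | Security ID: S-1-5-21-1111-2222-3333-500 | Account Name: nonadmin | Logon Type: 3
EventID=4624 | Security ID: S-1-5-21-1111-2222-3333-1106 | Account Name: nonadmin | Logon Type: 3
EventID=4624 | Security ID: S-1-5-21-1111-2222-3333-1107 | Account Name: svc_backup | Logon Type: 3
EventID=4634 | Security ID: S-1-5-21-1111-2222-3333-1106 | Account Name: nonadmin | Logon Type: 3
"""

# Constructed SID -> account name map (assumed; a real check would resolve
# SIDs against the directory).
KNOWN_SIDS = {
    "S-1-5-21-1111-2222-3333-500": "Administrator",
    "S-1-5-21-1111-2222-3333-1106": "nonadmin",
    "S-1-5-21-1111-2222-3333-1107": "svc_backup",
}

EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+) \| Security ID: (?P<sid>S-1-5-[\d-]+) \| "
    r"Account Name: (?P<name>\S+)"
)


def parse_events(text):
    """Yield (event_id, sid, account_name) for each recognisable line."""
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            yield int(m.group("id")), m.group("sid"), m.group("name")


def find_sid_name_mismatches(text, sid_map):
    """Return (sid, expected_name, logged_name) for every 4624 event whose
    Security ID maps to a different account than the Account Name field."""
    hits = []
    for event_id, sid, name in parse_events(text):
        if event_id != 4624:
            continue  # only successful logons carry this indicator
        expected = sid_map.get(sid)
        if expected is not None and expected.lower() != name.lower():
            hits.append((sid, expected, name))
    return hits


if __name__ == "__main__":
    for sid, expected, logged in find_sid_name_mismatches(SAMPLE_EVENTS, KNOWN_SIDS):
        print(f"suspicious logon: SID {sid} is {expected} but event names {logged}")
```

Only the first sample line is flagged: a non-privileged account name logged against the built-in administrator SID, which is exactly the pattern a forged ticket produces.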
