Microsoft patches new Windows Kerberos vulnerability CVE-2020-16996 with Dec 2020 updates

[German]With the December 2020 updates, Microsoft is making another attempt to use a layered approach to address the new Kerberos vulnerability CVE-2020-16996 in Active Directory Domain Controllers (DCs). This is stated in a support article published on December 8, 2020.


The CVE-2020-16996 vulnerability

The (newly discovered) vulnerability CVE-2020-16996 potentially affects Active Directory domain controllers (AD DC) when using protected users and resource-based delegation (RBCD). Information on the CVE-2020-16996 vulnerability is scarce. The vulnerability in the Kerberos authentication process allows attackers with low privileges to launch a remote code attack on the network infrastructure of these environments. Microsoft has not yet observed any attacks, but states that the complexity to exploit is low. 

Support article outlines mitigation

On patchday, December 8, 2020, Microsoft has included a fix for this vulnerability in the security updates for the various Windows versions without explicitly stating this (see the following links to the patchday). But a support post KB4577252 (Managing the deployment of RBCD/protected user changes for CVE-2020-16996) published on December 8, 2020, addresses the issue. There Microsoft specifically provides the following instructions to close the vulnerability and secure the Active Directory DC environment:

  • Update all devices that host the Active Directory domain controller role by installing the Windows update of December 8, 2020 or later. Note that installing Windows Update does not fully mitigate the vulnerability. You must perform step 2.
  • Enable enforcement mode on all Active Directory domain controllers. Starting with the update from February 9, 2021, Enforcement Mode can be enabled on all Windows domain controllers.

Thus, the initial deployment phase of the patch to close the CVE-2020-16996 vulnerability begins with the Windows updates released on December 8, 2020. Starting February 9, 2021, the so-called enforcement phase will be rolled out by another Windows update. These and later Windows updates make changes to Kerberos.

Microsoft gives detailed instructions in support article KB4577252 on how administrators of affected systems should proceed and what to consider. Pay particular attention to the notes on possible authentication problems that may occur if updates and adjustments to the registry are inconsistent. We already had this case with the November 2020 updates (see link list, e.g. Windows-Updates with Fix for Kerberos-Authentication-Problem (11/19/2020)). (via)

Similar articles:
Patchday: Windows 10-Updates (December 8, 2020)
Patchday: Updates for Windows 7/Server 2008 R2 (12/08/2020)
Patchday: Windows 8.1/Server 2012-Updates (12/08/2020)
Windows-Updates with Fix for Kerberos-Authentication-Problem (11/19/2020)


Cookies helps to fund this blog: Cookie settings


This entry was posted in Security, Update, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *