A security researcher from NetSPI, who discovered the Kerberos authentication vulnerability CVE-2020-17049, has now published the details as well as an exploit. Anyone running an affected Windows Server environment should act and patch now at the latest.
Kerberos authentication vulnerability CVE-2020-17049
The Kerberos authentication vulnerability CVE-2020-17049 exists in all Windows Server versions from Windows Server 2008 R2 SP1 up to Windows Server 20H2. Roughly speaking, an attacker can, under certain boundary conditions, authenticate with an invalid Kerberos service ticket. On December 8, 2020, Microsoft released updates to close this vulnerability. In addition, the article Managing deployment of Kerberos S4U changes for CVE-2020-17049 was published with guidance on the vulnerability and how to fix it.
Vulnerability disclosure with exploit
Security researcher Jake Karnes from NetSPI discovered the vulnerability and reported it to Microsoft. Now that Microsoft has released a security update for the affected Windows Server versions on December 8, 2020, Karnes has gone public.
- In the blog post CVE-2020-17049: Kerberos Bronze Bit Attack – Overview he provides an overview of the vulnerability and how it can be exploited by an attacker.
- In another blog post CVE-2020-17049: Kerberos Bronze Bit Attack – Theory he provides an explanation of the theory and highlights background information.
- And in a third document, titled CVE-2020-17049: Kerberos Bronze Bit Attack – Practical Exploitation, he gives an overview of how an attack could be executed.
With these three articles, he provides enough material for this Kerberos authentication vulnerability to be exploited on Windows Server systems acting as Active Directory domain controllers. Microsoft responded the same day with the document Managing deployment of Kerberos S4U changes for CVE-2020-17049, which gives guidance on the vulnerability and how to fix it. Affected administrators of such an environment should therefore react promptly, install the December 2020 updates, and take the measures suggested by Microsoft to secure their servers.