Microsoft Security Bulletin MS14-068 - Critical

Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)

Published: November 18, 2014

Version: 1.0

Executive Summary

This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.

This security update is rated Critical for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. The update is also being provided on a defense-in-depth basis for all supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1. For more information, see the Affected Software section.

The security update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.

For more information about this update, see Microsoft Knowledge Base Article 3011780.

Affected Software

The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Affected Software 

**Operating System** **Maximum Security Impact** **Aggregate Severity Rating** **Updates Replaced**
**Windows Server 2003**
[Windows Server 2003 Service Pack 2](https://www.microsoft.com/download/details.aspx?familyid=c7d1dcfa-8ddc-4ddf-b5e2-1cba27248c04) (3011780) Elevation of Privilege Critical 2478971 in [MS11-013](http://go.microsoft.com/fwlink/?linkid=208523)
[Windows Server 2003 x64 Edition Service Pack 2](https://www.microsoft.com/download/details.aspx?familyid=c1a4e5eb-a4dd-48a9-9e1d-3c4d59927b1d) (3011780) Elevation of Privilege Critical 2478971 in [MS11-013](http://go.microsoft.com/fwlink/?linkid=208523)
[Windows Server 2003 with SP2 for Itanium-based Systems](https://www.microsoft.com/download/details.aspx?familyid=aeb32c73-b60e-4c13-ad18-91ceff8a709d) (3011780) Elevation of Privilege Critical 2478971 in [MS11-013](http://go.microsoft.com/fwlink/?linkid=208523)
**Windows Vista**
[Windows Vista Service Pack 2](https://www.microsoft.com/download/details.aspx?familyid=8fff386a-7240-466e-81c7-d16402e45d68) (3011780) None No severity rating[1] None
[Windows Vista x64 Edition Service Pack 2](https://www.microsoft.com/download/details.aspx?familyid=a68503ed-60ea-4eda-9472-66507747fc33) (3011780) None No severity rating[1] None
**Windows Server 2008**
[Windows Server 2008 for 32-bit Systems Service Pack 2](https://www.microsoft.com/download/details.aspx?familyid=e9f596c3-8e54-43e6-833e-40ba1ba1a237) (3011780) Elevation of Privilege Critical 977290 in [MS10-014](http://go.microsoft.com/fwlink/?linkid=181196)
[Windows Server 2008 for x64-based Systems Service Pack 2](https://www.microsoft.com/download/details.aspx?familyid=946432d6-4fa8-4d86-9d8e-f45855534603) (3011780) Elevation of Privilege Critical 977290 in [MS10-014](http://go.microsoft.com/fwlink/?linkid=181196)
[Windows Server 2008 for Itanium-based Systems Service Pack 2](https://www.microsoft.com/download/details.aspx?familyid=3281a4dd-0f54-4846-8eeb-71ae4dcb1375) (3011780) Elevation of Privilege Critical None
**Windows 7**
[Windows 7 for 32-bit Systems Service Pack 1](https://www.microsoft.com/download/details.aspx?familyid=545cd268-2f52-4da3-a145-dc242f3505b2) (3011780) None No severity rating[1] 2982378 in [SA2871997](http://technet.microsoft.com/library/2871997.aspx)
[Windows 7 for x64-based Systems Service Pack 1](https://www.microsoft.com/download/details.aspx?familyid=86972a2d-8243-446b-a6d8-577705ce8bd3) (3011780) None No severity rating[1] 2982378 in [SA2871997](http://technet.microsoft.com/library/2871997.aspx)
**Windows Server 2008 R2**
[Windows Server 2008 R2 for x64-based Systems Service Pack 1](https://www.microsoft.com/download/details.aspx?familyid=67c76c2d-d9df-47fd-804a-730b289e9ba0) (3011780) Elevation of Privilege Critical 2982378 in [SA2871997](http://technet.microsoft.com/library/2871997.aspx)
[Windows Server 2008 R2 for Itanium-based Systems Service Pack 1](https://www.microsoft.com/download/details.aspx?familyid=51718d79-2a17-4aff-82ef-7f8e7bbdd080) (3011780) Elevation of Privilege Critical 2982378 in [SA2871997](http://technet.microsoft.com/library/2871997.aspx)
**Windows 8 and Windows 8.1**
[Windows 8 for 32-bit Systems](https://www.microsoft.com/download/details.aspx?familyid=61fcecc8-cda6-4da1-8a54-6207ee047dfa) (3011780) None No severity rating[1] None
[Windows 8 for x64-based Systems](https://www.microsoft.com/download/details.aspx?familyid=a3fecf88-d08a-429f-b1c3-f2f8fabe79e6) (3011780) None No severity rating[1] None
[Windows 8.1 for 32-bit Systems](https://www.microsoft.com/download/details.aspx?familyid=cc675a6e-7eb2-4f9d-9a91-b17f93c5398d) (3011780) None No severity rating[1] None
[Windows 8.1 for x64-based Systems](https://www.microsoft.com/download/details.aspx?familyid=0c76a0b5-ef02-48fb-9af5-3d1f65240d2d) (3011780) None No severity rating[1] None
**Windows Server 2012 and Windows Server 2012 R2**
[Windows Server 2012](https://www.microsoft.com/download/details.aspx?familyid=e35fb776-30ad-4fc9-9918-1f27fca45c9d) (3011780) Elevation of Privilege Critical None
[Windows Server 2012 R2](https://www.microsoft.com/download/details.aspx?familyid=02400d4e-4c9e-41e8-9f89-2568420db900) (3011780) Elevation of Privilege Critical None
**Server Core installation option**
[Windows Server 2008 for 32-bit Systems Service Pack 2](https://www.microsoft.com/download/details.aspx?familyid=e9f596c3-8e54-43e6-833e-40ba1ba1a237) (Server Core installation) (3011780) Elevation of Privilege Critical 977290 in [MS10-014](http://go.microsoft.com/fwlink/?linkid=181196)
[Windows Server 2008 for x64-based Systems Service Pack 2](https://www.microsoft.com/download/details.aspx?familyid=946432d6-4fa8-4d86-9d8e-f45855534603) (Server Core installation) (3011780) Elevation of Privilege Critical 977290 in [MS10-014](http://go.microsoft.com/fwlink/?linkid=181196)
[Windows Server 2008 R2 for x64-based Systems Service Pack 1](https://www.microsoft.com/download/details.aspx?familyid=67c76c2d-d9df-47fd-804a-730b289e9ba0) (Server Core installation) (3011780) Elevation of Privilege Critical 2982378 in [SA2871997](http://technet.microsoft.com/library/2871997.aspx)
[Windows Server 2012](https://www.microsoft.com/download/details.aspx?familyid=e35fb776-30ad-4fc9-9918-1f27fca45c9d) (Server Core installation) (3011780) Elevation of Privilege Critical None
[Windows Server 2012 R2](https://www.microsoft.com/download/details.aspx?familyid=02400d4e-4c9e-41e8-9f89-2568420db900) (Server Core installation) (3011780) Elevation of Privilege Critical None
**Note** The update is available for Windows Technical Preview and Windows Server Technical Preview. Customers running these operating systems are encouraged to apply the update, which is available via Windows Update.

[1]Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability.

 

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the November bulletin summary.

**Vulnerability Severity Rating and Maximum Security Impact by Affected Software**
**Affected Software** [**Kerberos Checksum Vulnerability - CVE-2014-6324**](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-6324) **Aggregate Severity Rating**
**Windows Server 2003**
Windows Server 2003 Service Pack 2 (3011780) **Critical**  Elevation of Privilege **Critical**
Windows Server 2003 x64 Edition Service Pack 2 (3011780) **Critical**  Elevation of Privilege **Critical**
Windows Server 2003 with SP2 for Itanium-based Systems (3011780) **Critical**  Elevation of Privilege **Critical**
**Windows Vista**
Windows Vista Service Pack 2 (3011780) No severity rating No severity rating
Windows Vista x64 Edition Service Pack 2 (3011780) No severity rating No severity rating
**Windows Server 2008**
Windows Server 2008 for 32-bit Systems Service Pack 2 (3011780) **Critical**  Elevation of Privilege **Critical**
Windows Server 2008 for x64-based Systems Service Pack 2 (3011780) **Critical**  Elevation of Privilege **Critical**
Windows Server 2008 for Itanium-based Systems Service Pack 2 (3011780) **Critical**  Elevation of Privilege **Critical**
**Windows 7**
Windows 7 for 32-bit Systems Service Pack 1 (3011780) No severity rating No severity rating
Windows 7 for x64-based Systems Service Pack 1 (3011780) No severity rating No severity rating
**Windows Server 2008 R2**
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3011780) **Critical**  Elevation of Privilege **Critical**
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3011780) **Critical**  Elevation of Privilege **Critical**
**Windows 8 and Windows 8.1**
Windows 8 for 32-bit Systems (3011780) No severity rating No severity rating
Windows 8 for x64-based Systems (3011780)
Windows 8.1 for 32-bit Systems (3011780) No severity rating No severity rating
Windows 8.1 for x64-based Systems (3011780) No severity rating No severity rating
**Windows Server 2012 and Windows Server 2012 R2**
Windows Server 2012 (3011780) **Critical**  Elevation of Privilege **Critical**
Windows Server 2012 R2 (3011780) **Critical**  Elevation of Privilege **Critical**
**Server Core installation option**
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (3011780) **Critical**  Elevation of Privilege **Critical**
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (3011780) **Critical**  Elevation of Privilege **Critical**
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3011780) **Critical**  Elevation of Privilege **Critical**
Windows Server 2012 (Server Core installation) (3011780) **Critical**  Elevation of Privilege **Critical**
Windows Server 2012 R2 (Server Core installation) (3011780) **Critical**  Elevation of Privilege **Critical**
 

Kerberos Checksum Vulnerability - CVE-2014-6324

A remote elevation of privilege vulnerability exists in implementations of Kerberos KDC in Microsoft Windows. The vulnerability exists when the Microsoft Kerberos KDC implementations fail to properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability. Note that the known attacks did not affect systems running Windows Server 2012 or Windows Server 2012 R2. The update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos.

Mitigating Factors

The following mitigating factors may be helpful in your situation:

  • An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. 

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

FAQ

What might an attacker use the vulnerability to do?
An attacker could use this vulnerability to elevate an unprivileged domain user account to a domain administrator account. An attacker that successfully exploited this vulnerability could impersonate any user on the domain, including domain administrators, and join any group. By impersonating the domain administrator, the attacker could install programs; view, change or delete data; or create new accounts on any domain-joined system.

How could an attacker exploit the vulnerability?
An authenticated domain user could send the Kerberos KDC a forged Kerberos ticket which claims the user is a domain administrator. Kerberos KDC improperly validates the forged ticket signature when processing requests from the attacker, allowing the attacker to access any resource on the network with the identity of a domain administrator.

What systems are primarily at risk from the vulnerability?
Domain controllers that are configured to act as a Kerberos Key Distribution Center (KDC) are primarily at risk.

Security Update Deployment

For Security Update Deployment information see the Microsoft Knowledge Base article referenced in the Executive Summary.

Acknowledgments

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (November 18, 2014): Bulletin published.

Page generated 2015-01-14 11:40Z-08:00.