Microsoft has issued security updates to address a Kerberos security feature bypass vulnerability impacting multiple Windows Server versions in a two-phase staged rollout.
The vulnerability tracked as CVE-2020-16996 is exploitable remotely by attackers with low privileges as part of low complexity attacks where user interaction is not required.
Affects Active Directory DCs and RODCs
CVE-2020-16996 exists on Active Directory DCs (Domain Controllers) and RODCs (Read-Only Domain Controllers) only on servers where the Protected Users global security group is available and the Resource-Based Constrained Delegation (RBCD) is enabled.
The vulnerability impacts only Windows server platforms from Windows Server 2012 up to the latest version Windows Server, version 20H2 (Server Core Installation).
Microsoft’s security advisory says that there is no evidence of active exploitation of this security bug in the wild or of publicly available CVE-2020-16996 exploit code.
Kerberos is the default authentication protocol for domain connected devices running Windows 2000 and later and it enables authentication of users, computers, and services so that authorized services and users can securely access resources.
CVE-2020-16996 mitigation
Admins have to take the following measures for full CVE-2020-16996 mitigation to protect their enterprise environment from attacks:
- Update all devices that host the Active Directory domain controller role by installing the December 8, 2020 Windows update or a later Windows update. Be aware that installing the Windows update does not fully mitigate the security vulnerability. You must perform Step 2.
- Enable Enforcement mode on all Active Directory domain controllers. Starting with the February 9, 2021 update, Enforcement mode can be enabled on all Windows domain controllers.
“Mitigation consists of the installation of the Windows updates on all devices that host the Active Directory domain controller role and read-only domain controllers (RODCs), and then enabling Enforcement mode,” Microsoft says.
Additional information on how to deploy these security updates including details on the updates required to be installed before installation, the installation procedure, and potential issues that may arise is available in this advisory.
The security updates addressing this Kerberos security bypass bug are released in two phases:
- The initial deployment phase for Windows updates released on or after December 8, 2020.
- The enforcement phase for Windows updates released on or after February 9, 2021.
Issues with previous Kerberos security bypass bug fixes
Microsoft also fixed a similar vulnerability (tracked as CVE-2020-17049) during November 2020’s Patch Tuesday.
Unlike CVE-2020-16996, that bug was much harder to exploit since it required attackers to have high administrative privileges to successfully exploit it in high complexity attacks.
The CVE-2020-17049 security updates caused Kerberos authentication problems on patched enterprise domain controllers including authentication issues when using S4U scenarios and cross-realm referrals failures on Windows and non-Windows devices for Kerberos referral tickets.
One week after the release of the security updates, Microsoft released out-of-band optional updates to fix the Kerberos authentication issues on all impacted Windows versions.
Microsoft also published patching guidance with additional details on how to fully mitigate the CVE-2020-17049 Kerberos security bug.
To comprehensively address CVE-2020-17049, Microsoft has released new CVE-2020-17048 security updates on December 2020 Patch Tuesday with “fixes for all known issues originally introduced by the November 10, 2020 security updates.”
” Microsoft strongly recommends that customers running any of these versions of Windows Server install the updates and then follow the steps outlined in https://support.microsoft.com/help/4598347 to enable full protection on domain controller servers,” the company adds in an update to the CVE-2020-17049 security advisory.