Microsoft released security update MS14-068 to address CVE-2014-6324, a Kerberos vulnerability that has been exploited in the wild. Installing the update on Windows domain controllers is recommended to mitigate it.
Check whether the update (KB3011780) is installed on a system with either of the following commands:
- wmic qfe | find "KB3011780"
- wmic qfe where HotFixID="KB3011780"
The vulnerability allows an attacker to forge a Privilege Attribute Certificate (PAC) that the Kerberos KDC incorrectly validates. This lets an authenticated but unprivileged domain user remotely elevate their privilege against remote servers to that of a domain administrator.
At the moment the exploit has not been shared online and Metasploit has no module for it yet, but with many attackers working on exploits it may only be a matter of time.
The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain. An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed. Therefore it is critical to install the update.
This security update is rated Critical for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. The update is also being provided on a defense-in-depth basis for all supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1.
Recommended installation priority, most urgent first:
- Domain controllers running Windows Server 2008 R2 and below
- Domain controllers running Windows Server 2012 and higher
- All other systems running any version of Windows
It is possible to detect signs of exploitation that took place before the update was installed: examine the event logs on suspected systems for the relevant Event ID and check each entry as described next.
The indicator in such a log entry is that the “Security ID” and “Account Name” fields do not match, although they should. In the screenshot referenced above, the user account “nonadmin” used this exploit to elevate privileges to “TESTLAB\Administrator”.
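As an added example (not code from the original post), the following script runs that Security ID / Account Name check over constructed log text. It assumes the relevant logon event is Event ID 4624 and uses a constructed SID-to-account mapping in place of a real domain lookup.

```python
"""Flag logon events whose PAC-derived Security ID does not match the Account Name."""
import re

# Constructed sample resembling the "New Logon" fields of a Windows logon event
# (assumed here to be Event ID 4624). Real records come from the Security log
# of the server the suspect account logged on to.
SAMPLE_LOG = """\
Event ID: 4624
        Security ID:        S-1-5-21-1111-2222-3333-1105
        Account Name:       nonadmin
        Account Domain:     TESTLAB
Event ID: 4624
        Security ID:        S-1-5-21-1111-2222-3333-500
        Account Name:       nonadmin
        Account Domain:     TESTLAB
Event ID: 4624
        Security ID:        S-1-5-21-1111-2222-3333-500
        Account Name:       Administrator
        Account Domain:     TESTLAB
"""

# Constructed mapping of domain SIDs to account names; in practice resolve the
# SID against the domain (e.g. Get-ADUser) or key on the well-known RID 500.
SID_TO_ACCOUNT = {
    "S-1-5-21-1111-2222-3333-500": "Administrator",
    "S-1-5-21-1111-2222-3333-1105": "nonadmin",
}

EVENT_RE = re.compile(
    r"Event ID:\s*(?P<id>\d+).*?Security ID:\s*(?P<sid>\S+)\s*"
    r"Account Name:\s*(?P<name>\S+)\s*Account Domain:\s*(?P<domain>\S+)",
    re.S,
)

def find_sid_name_mismatches(log_text, sid_map, event_id="4624"):
    """Return (domain\\account, security_id, name_the_sid_resolves_to) for every
    matching event where the two disagree; an empty list means no indicator."""
    hits = []
    for m in EVENT_RE.finditer(log_text):
        if m["id"] != event_id:
            continue  # only the assumed logon event type is of interest
        resolved = sid_map.get(m["sid"])
        if resolved is not None and resolved.lower() != m["name"].lower():
            hits.append((f"{m['domain']}\\{m['name']}", m["sid"], resolved))
    return hits

if __name__ == "__main__":
    for acct, sid, resolved in find_sid_name_mismatches(SAMPLE_LOG, SID_TO_ACCOUNT):
        print(f"Possible forged PAC: {acct} logged on with SID {sid} ({resolved})")
```

Only the second record is flagged: the ticket carries the Administrator SID while the Account Name is still nonadmin, which is exactly the mismatch described above.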