A critical vulnerability in Windows Kerberos puts more than a million Internet-exposed Windows Server instances at risk. Microsoft fixed the flaw in last week’s Patch Tuesday updates; make sure those patches are installed.
Microsoft has released a patch for a critical vulnerability in Windows Kerberos, the authentication protocol Windows uses to verify the identity of hosts and users. The flaw allows an attacker to send crafted requests to a vulnerable system and gain unauthorised access, up to remote code execution (RCE).
According to Microsoft’s Patch Tuesday advisory, an unauthenticated attacker can leverage a cryptographic protocol vulnerability in Windows Kerberos to achieve RCE against the target; no prior access to the system is required.
The vulnerability is tracked as CVE-2024-43639 and carries a CVSS score of 9.8 (critical). That score reflects an attack that is reachable over the network, of low complexity, and needs neither privileges nor user interaction. Left unpatched, it can lead to data theft, service disruption and complete compromise of the affected server, which is especially concerning given how widely Windows Server is deployed.
According to a Censys investigation shared with Hackread.com, there are over two million (2,274,340) Windows Server instances exposed to the Internet, of which Censys considers 1,211,834 likely vulnerable. Exposure alone does not make a server vulnerable, however: only servers configured as a Kerberos KDC Proxy are affected.
“Note that displayed devices are only vulnerable when configured as a Kerberos KDC Proxy Protocol server,” the Censys blog post read.
Over half of these devices had TCP/443 open, the default HTTPS port on which a KDC Proxy server listens. An open port 443 does not by itself prove the proxy is running, so the researchers urge administrators to confirm whether the KDC Proxy service is actually configured on their systems.
For context, KDC Proxy lets clients reach a Key Distribution Center (KDC) over HTTPS. Native Kerberos traffic runs over UDP/TCP 88 for the Authentication Service and Ticket Granting Service exchanges and TCP 464 for password changes, and it assumes direct, reliable access to the KDC, usually from the same network or over a VPN. The proxy wraps those Kerberos messages in HTTPS so that clients outside the network can still authenticate; it is typically deployed alongside Remote Desktop Gateway and DirectAccess.
Regarding the most impacted regions, Censys noted that 34% of these vulnerable servers are located in the United States, and 11% are associated with Armstrong Enterprise Communications, a managed IT provider.
System administrators should apply the November update to every Windows Server running as a KDC Proxy, stop and disable the KDC Proxy service where it is not needed, and add compensating controls such as network segmentation and firewall rules that limit TCP/443 on these hosts to the clients that actually need it.
With over a million exposed hosts and an attack path that needs no authentication, the window between disclosure and patching is what matters. Prompt patching plus the measures above significantly reduce the risk.
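The following audit script is an added example, not code from the article, Censys or Microsoft. Run it in an elevated PowerShell session on a Windows Server to answer the three questions above: is the KDC Proxy configured, is the host listening on TCP/443, and has a cumulative update been installed since the November 2024 Patch Tuesday (12 November 2024)? It assumes the KDC Proxy service is named KPSSVC, that its settings live under HKLM\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings, and that the HTTP.sys URL reservation created when the role is configured ends in /KdcProxy. The patch check is a date heuristic, because the KB number differs per OS version.

```powershell
# Added example (not from the article, Censys or Microsoft): host-side audit for
# CVE-2024-43639 exposure. Run elevated. Assumed names: service KPSSVC,
# settings key HKLM\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings,
# URL reservation https://+:443/KdcProxy.

function Get-KdcProxyExposure {
    $r = [ordered]@{}

    # 1. KDC Proxy service: present on Windows Server, but only relevant when
    #    it is running or set to start automatically.
    $svc = Get-Service -Name KPSSVC -ErrorAction SilentlyContinue
    $r.KpsSvcStatus    = if ($svc) { "$($svc.Status)" }    else { 'NotInstalled' }
    $r.KpsSvcStartType = if ($svc) { "$($svc.StartType)" } else { 'n/a' }

    # 2. HTTP.sys URL reservation for the proxy endpoint (created during role setup).
    $acl = netsh http show urlacl | Select-String -Pattern 'KdcProxy'
    $r.KdcProxyUrlAcl = if ($acl) { ($acl | ForEach-Object { $_.Line.Trim() }) -join '; ' } else { 'none' }

    # 3. Proxy settings key, if the role has been configured.
    $cfg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings' -ErrorAction SilentlyContinue
    $r.HttpsClientAuth = if ($cfg -and $null -ne $cfg.HttpsClientAuth) { $cfg.HttpsClientAuth } else { 'n/a' }

    # 4. Anything listening on TCP/443? HTTP.sys listeners appear under PID 4 (System).
    $listener = Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue
    $r.Tcp443Listening = [bool]$listener

    # 5. Updates installed on or after the November 2024 Patch Tuesday.
    #    Heuristic only: a later non-cumulative update would also match.
    $patchDay = [datetime]'2024-11-12'
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchDay }
    $r.UpdatesSince12Nov2024 = if ($recent) { ($recent.HotFixID -join ', ') } else { 'none' }

    # Verdict: exposed only when the proxy is actually configured.
    $proxyConfigured = ($r.KpsSvcStatus -eq 'Running') -or ($r.KdcProxyUrlAcl -ne 'none')
    $r.Verdict = if (-not $proxyConfigured) {
        'KDC Proxy not configured: not exposed to CVE-2024-43639 through this vector.'
    } elseif ($r.UpdatesSince12Nov2024 -eq 'none') {
        'KDC Proxy configured and no update since 12 Nov 2024: PATCH NOW or disable the service.'
    } else {
        'KDC Proxy configured; an update newer than 12 Nov 2024 is present. Confirm it is the cumulative update.'
    }

    [pscustomobject]$r
}

Get-KdcProxyExposure | Format-List

# To remove the attack surface on a server that does not need the proxy:
#   Stop-Service KPSSVC; Set-Service KPSSVC -StartupType Disabled
#   netsh http delete urlacl url=https://+:443/KdcProxy
```

The service check and the URL reservation are the two signals that matter: the KPSSVC service exists on every Windows Server, so its mere presence means nothing, but a running service or a /KdcProxy reservation means the host accepts proxied Kerberos over HTTPS. Treat the update-date check as a prompt to verify the installed KB against Microsoft's advisory, not as proof of patching.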