Microsoft Security Bulletin Release (Out of Band) – Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)

Number: AV14-092
Date: 18 November 2014

Purpose

The purpose of this advisory is to draw attention to the Microsoft Security Bulletin Release (Out of Band) Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780).

Assessment

This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.

The security update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos.

Affected products:

Suggested Action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.

References:

Date modified: