KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967 (2023)

Changes

April 10, 2023: Updated the "Third Deployment Phase" in the "Update Timing to Address CVE-2022-37967" section from April 11, 2023 to June 13, 2023.

In this article

  • Summary

  • Timing of updates to address CVE-2022-37967

  • Deployment Guide

  • Registry key settings

  • Windows events related to CVE-2022-37967

  • Third-party devices that implement the Kerberos protocol

  • Glossary

Summary

The November 8, 2022 Windows updates address security bypass and elevation of privilege vulnerabilities with Privilege Attribute Certificate (PAC) signatures.

To help protect your environment, install this Windows update on all devices, including Windows domain controllers. All domain controllers in your domain must be updated before you switch the update to Enforcement mode.

To learn more about these vulnerabilities, see CVE-2022-37967.

Take action

To help protect your environment and prevent outages, we recommend that you take the following steps:

  1. UPDATE your Windows domain controllers with an update released on or after November 8, 2022.

  2. MOVE your Windows domain controllers to Audit mode by using the Registry key settings section.

  3. MONITOR events filed during Audit mode to help secure your environment.

  4. ENABLE Enforcement mode to address CVE-2022-37967 in your environment.

Note Step 1 of installing updates released on or after November 8, 2022 will not, by default, address CVE-2022-37967 for Windows devices. To fully mitigate the security issue for all devices, you must move to Audit mode (described in step 2) followed by Enforcement mode (described in step 4) as soon as possible on all Windows domain controllers.

Important Starting July 2023, Enforcement mode will be enabled on all Windows domain controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable the update, but you can move back to the Audit mode setting. Audit mode will be removed in October 2023, as outlined in the Timing of updates to address Kerberos vulnerability CVE-2022-37967 section.

Timing of updates to address CVE-2022-37967

Updates will be released in phases: an Initial phase for updates released on or after November 8, 2022, and an Enforcement phase for updates released on or after June 13, 2023.

The Initial deployment phase starts with the updates released on November 8, 2022 and continues with later Windows updates until the Enforcement phase. This update adds signatures to the Kerberos PAC buffer but does not check for signatures during authentication. Thus, secure mode is disabled by default.

This update:

  • Adds PAC signatures to the Kerberos PAC buffer.

  • Adds measures to address a security bypass vulnerability in the Kerberos protocol.

The Second deployment phase starts with updates released on December 13, 2022. These and later updates make changes to the Kerberos protocol to audit Windows devices by moving Windows domain controllers to Audit mode.

With this update, all devices will be in Audit mode by default:

  • If the signature is either missing or invalid, authentication is allowed. Additionally, an audit log is created.

  • If the signature is missing, raise an event and allow the authentication.

  • If the signature is present, validate it. If the signature is incorrect, raise an event and allow the authentication.

The Windows updates released on or after June 13, 2023 will do the following:

  • Remove the ability to set the KrbtgtFullPacSignature subkey to a value of 0 (Disabled).

The Windows updates released on or after July 11, 2023 will do the following:

  • Remove the ability to set value 1 for the KrbtgtFullPacSignature subkey.

  • Move the update to Enforcement mode (default) (KrbtgtFullPacSignature = 3), which an administrator can override with an explicit Audit setting.

The Windows updates released on or after October 10, 2023 will do the following:

  • Remove support for the KrbtgtFullPacSignature registry subkey.

  • Remove support for Audit mode.

  • Deny authentication to all service tickets that do not carry the new PAC signatures.

Deployment Guide

To deploy the Windows updates released on or after November 8, 2022, follow these steps:

  1. UPDATE your Windows domain controllers with an update released on or after November 8, 2022.

  2. MOVE your domain controllers to Audit mode by using the Registry key settings section.

  3. MONITOR events filed during Audit mode to help secure your environment.

  4. ENABLE Enforcement mode to address CVE-2022-37967 in your environment.

Step 1: Update

Deploy the November 8, 2022 or later updates to all applicable Windows domain controllers (DCs). After the update is deployed, the updated Windows domain controllers add signatures to the Kerberos PAC buffer and are, by default, in the insecure state (PAC signatures are not verified).

  • While updating, make sure the KrbtgtFullPacSignature registry value stays in its default state until all Windows domain controllers are updated.

Step 2: Move

After the Windows domain controllers are updated, move them to Audit mode by changing the KrbtgtFullPacSignature value to 2.

Step 3: Find/Monitor

Identify areas that are missing PAC signatures, or whose PAC signatures fail validation, through the events logged during Audit mode.

  • Make sure the domain functional level is set to at least 2008 or greater before moving to Enforcement mode. Moving a domain at the 2003 domain functional level to Enforcement mode may cause authentication failures.

  • Audit events can occur if your domain is not fully updated, or if previously issued service tickets are still outstanding in your domain.

  • Continue to monitor for additional events that indicate missing PAC signatures or failed validation of existing PAC signatures.

  • Once the entire domain is updated and all outstanding tickets have expired, the audit events should no longer appear. Then you should be able to move to Enforcement mode with no failures.

Step 4: Enable

Enable Enforcement mode to address CVE-2022-37967 in your environment.

  • After all audit events are resolved and no longer occur, move to Enforcement mode by updating the KrbtgtFullPacSignature registry value as described in the Registry key settings section.

  • If a service ticket has an invalid PAC signature or is missing the PAC signature, validation fails and an error event is logged.

Registry key settings

Kerberos protocol

After installing Windows Updates on or after November 8, 2022, the following registry key is available for the Kerberos protocol:

  • KrbtgtFullPacSignature

    This registry key is used to gate the deployment of the Kerberos changes. It is temporary and will no longer be read after the full Enforcement date of October 10, 2023.

    Registry key

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc

    Value

    KrbtgtFullPacSignature

    Data type

    REG_DWORD

    Data

    0 - Disabled

    1 - New signatures are added but not verified. (Default setting)

    2 - Audit mode. New signatures are added and verified if present. If the signature is either missing or invalid, authentication is allowed and an audit log is created.

    3 - Enforcement mode. New signatures are added and verified if present. If the signature is either missing or invalid, authentication is denied and an audit log is created.

    Is a reboot required?

    No

    Note If you need to change the KrbtgtFullPacSignature registry value, manually add and configure the registry key to override the default value.
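The following PowerShell is an added example for Step 2 and Step 4 of the deployment guide and the registry setting above; it is not code from KB5020805 or from Microsoft. It reads the KrbtgtFullPacSignature value from every domain controller over PowerShell remoting and moves them to Audit (2) or Enforcement (3) mode. It assumes the ActiveDirectory RSAT module, WinRM access to the DCs, and an account allowed to write HKLM on them; the function names, the -Mode parameter and the $ModeNames table are this example's own.

```powershell
# Added example (not from KB5020805): inspect and change KrbtgtFullPacSignature
# on domain controllers. Assumes RSAT ActiveDirectory and WinRM to each DC.
#Requires -Modules ActiveDirectory

$KdcKeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName  = 'KrbtgtFullPacSignature'

# Meanings of the DWORD data, as listed in the "Registry key settings" section.
$ModeNames = @{
    0 = 'Disabled'
    1 = 'Signatures added, not verified'
    2 = 'Audit mode'
    3 = 'Enforcement mode'
}

function Get-PacSignatureMode {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -HideComputerName -ScriptBlock {
        $name = $using:ValueName
        $item = Get-ItemProperty -Path $using:KdcKeyPath -ErrorAction SilentlyContinue
        # An absent value means the OS default applies (1 before, 3 from the July 2023 update).
        $raw  = if ($item -and $item.PSObject.Properties[$name]) { [int]$item.$name } else { $null }
        [pscustomobject]@{ DomainController = $env:COMPUTERNAME; Value = $raw }
    } | Select-Object DomainController, Value, @{
        Name       = 'Mode'
        Expression = { if ($null -eq $_.Value) { 'Not set (OS default)' } else { $ModeNames[$_.Value] } }
    }
}

function Set-PacSignatureMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Only Audit (2) and Enforcement (3) are offered: the KB removes the ability
        # to set 0 and 1 in the June and July 2023 updates.
        [Parameter(Mandatory)][ValidateSet(2, 3)][int]$Mode
    )

    foreach ($dc in $ComputerName) {
        if (-not $PSCmdlet.ShouldProcess($dc, "Set $ValueName = $Mode ($($ModeNames[$Mode]))")) { continue }
        Invoke-Command -ComputerName $dc -ScriptBlock {
            # Set-ItemProperty creates the value if it is absent; the Kdc service key
            # itself exists on every DC. No reboot is required, per the KB.
            Set-ItemProperty -Path $using:KdcKeyPath -Name $using:ValueName -Value $using:Mode -Type DWord
        }
    }
}

# Workflow from the deployment guide (-WhatIf shows the change without applying it):
$dcs = (Get-ADDomainController -Filter *).HostName
Get-PacSignatureMode -ComputerName $dcs | Format-Table -AutoSize
Set-PacSignatureMode -ComputerName $dcs -Mode 2 -WhatIf   # Step 2: move all DCs to Audit mode
Set-PacSignatureMode -ComputerName $dcs -Mode 3 -WhatIf   # Step 4: Enforcement, once audit events stop
```

Run the Get function first and confirm every DC reports the same mode; a DC that still shows "Not set" after Step 2 has not received the change, and moving the rest to Enforcement while it lags would reintroduce the mixed state the guide warns about. Drop -WhatIf only once the Step 3 monitoring has been quiet for longer than the longest outstanding ticket lifetime.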

Windows events related to CVE-2022-37967

In Audit mode, you may find either of the following errors if PAC signatures are missing or invalid. If the issue persists in Enforcement mode, these events are logged as errors.

If you find either error on your device, it is likely that not all Windows domain controllers in your domain have an update released on or after November 8, 2022. To mitigate the issue, investigate your domain further to find the Windows domain controllers that are not up to date.

Note If you find an event ID 42 error, see KB5021131: How to manage Kerberos protocol changes related to CVE-2022-37966.

Event log

System

Event type

Warning

Event source

Microsoft-Windows-Kerberos-Key-Distribution-Center

Event ID

43

Event text

The Key Distribution Center (KDC) encountered a ticket that it could not validate the full PAC signature. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more. Client: /

Event log

System

Event type

Warning

Event source

Microsoft-Windows-Kerberos-Key-Distribution-Center

Event ID

44

Event text

The Key Distribution Center (KDC) encountered a ticket that did not contain the full PAC signature. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more. Client: /
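The following PowerShell is an added example for Step 3 (monitor) that collects the two events above; it is not code from KB5020805 or from Microsoft. It queries the System log of each domain controller for events 43 and 44 from the Microsoft-Windows-Kerberos-Key-Distribution-Center source, pulls the client name from the trailing "Client:" field of the event text, and summarizes the results per client so that lingering third-party or unpatched sources stand out. It assumes the ActiveDirectory RSAT module and remote event log access to the DCs; the function names, the Reason labels and the default -Since window are this example's own.

```powershell
# Added example (not from KB5020805): gather KDC events 43/44 from every DC and
# summarize them per client. Assumes RSAT ActiveDirectory and remote event log access.
#Requires -Modules ActiveDirectory

$KdcProvider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
$PacEventIds = @(43, 44)   # 43: signature could not be validated; 44: no full PAC signature (per KB)

function Get-PacSignatureAuditEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Window to examine; pick one longer than your maximum ticket lifetime (assumed default).
        [datetime]$Since = (Get-Date).AddDays(-10)
    )

    foreach ($dc in $ComputerName) {
        $filter = @{ LogName = 'System'; ProviderName = $KdcProvider; Id = $PacEventIds; StartTime = $Since }
        # Get-WinEvent raises an error when a DC has no matching events; that is the
        # desired end state, so the error is suppressed and the DC simply emits nothing.
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # The documented text ends with "Client: <name>"; keep whatever follows the label.
                $client = if ($_.Message -match 'Client:\s*(?<c>[^\r\n]*)') { $Matches.c.Trim() } else { '<unparsed>' }
                [pscustomobject]@{
                    DomainController = $dc
                    TimeCreated      = $_.TimeCreated
                    EventId          = $_.Id
                    Reason           = if ($_.Id -eq 44) { 'Missing full PAC signature' } else { 'Full PAC signature failed validation' }
                    Client           = $client
                }
            }
    }
}

function Get-PacSignatureAuditSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [datetime]$Since = (Get-Date).AddDays(-10)
    )

    Get-PacSignatureAuditEvent -ComputerName $ComputerName -Since $Since |
        Group-Object EventId, Client |
        ForEach-Object {
            $newest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                EventId  = $newest.EventId
                Reason   = $newest.Reason
                Client   = $newest.Client
                Count    = $_.Count
                LastSeen = $newest.TimeCreated
                SeenOn   = ($_.Group.DomainController | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Count -Descending
}

# Usage: an empty summary across all DCs, over a window longer than the ticket
# lifetime so previously issued service tickets have expired, is the cue for Step 4.
$dcs = (Get-ADDomainController -Filter *).HostName
Get-PacSignatureAuditSummary -ComputerName $dcs | Format-Table -AutoSize
```

Event 44 sources are typically tickets issued by a domain controller that has not yet been updated (or a third-party KDC), so the SeenOn and Client columns point at what still needs patching; event 43 sources with a stable client name deserve a closer look before Enforcement mode, because in that mode the same tickets will be rejected rather than logged.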

Third-party devices that implement the Kerberos protocol

Domains that have third-party domain controllers may see errors in Enforcement mode.

Domains that have third-party clients may take longer to fully clear audit events after the installation of Windows updates released on or after November 8, 2022.

Contact the device manufacturer (OEM) or software vendor to determine whether their software is compatible with the latest protocol change.

For information about protocol updates, see the Windows Protocol topic on the Microsoft website.

Glossary

Kerberos is a computer network authentication protocol that works on the basis of "tickets" to allow nodes communicating over a network to prove their identity to one another in a secure manner.

The Key Distribution Center (KDC) is a Kerberos service that implements the authentication and ticket-granting services specified in the Kerberos protocol. The service runs on computers selected by the administrator of the realm or domain; it is not present on every machine on the network. It must have access to the account database for the realm it serves. KDCs are integrated into the domain controller role. It is a network service that supplies tickets to clients for use in authenticating to services.

A Privilege Attribute Certificate (PAC) is a structure that conveys authorization-related information provided by domain controllers (DCs). For more information, see Privilege Attribute Certificate Data Structure.

A Ticket Granting Ticket (TGT) is a special type of ticket that can be used to obtain other tickets. The TGT is obtained after the initial authentication in the Authentication Service (AS) exchange; thereafter, users do not need to present their credentials, but can use the TGT to obtain subsequent tickets.

FAQs

How to manage the Kerberos protocol changes related to CVE 2022 37967? ›

Deployment guidelines
  1. UPDATE your Windows domain controllers with an update released on or after November 8, 2022.
  2. MOVE your domain controllers to Audit mode by using the Registry Key setting section.
  3. MONITOR events filed during Audit mode to help secure your environment.

What is the CVE 2022 37967 issue? ›

CVE-2022-37967 is an elevation of privilege vulnerability affecting Windows Kerberos that received an initial Phase 1 fix during November's Patch Tuesday, but requires additional mitigations as advised by Microsoft to address the security issue caused by CVE-2022-37967.

How to check if Kerberos authentication is enabled in Windows? ›

Verify if you are getting a Kerberos ticket from the domain controller.
  1. Open a normal Command Prompt (not an administrator Command Prompt) in the context of the user trying to access the website.
  2. Run the klist purge command.
  3. Run the klist get http/iisserver.contoso.com command.

How do I enable Kerberos authentication in Active Directory? ›

Open Active Directory Users and Computers. Search for the service account which was used to create the Service Principal Name (SPN). Navigate to the Delegation tab. Select Trust this user for delegation to any service (Kerberos only).

Where is Kerberos configuration manager? ›

By default, this application is installed under %SystemDrive%:\Program Files\Microsoft\Kerberos Configuration Manager for SQL Server.

How do you resolve Kerberos problems? ›

To resolve this problem, update the registry on each computer that participates in the Kerberos authentication process, including the client computers. We recommend that you update all of your Windows-based systems, especially if your users have to log on across multiple domains or forests.

What is CVE 2022 22787? ›

Description. The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10. 0 fails to properly validate the hostname during a server switch request.

What is CVE 2022 20822 or CVE 2022 20959? ›

CVE-2022-20822 is a path traversal vulnerability in the web – based management interface of Cisco ISE that could be exploited by an authenticated, remote attacker. CVE-2022-20959 is a cross-site scripting vulnerability in Cisco ISE's External RESTful Services API.

What is CVE 2022 29900 and CVE 2022 29901? ›

Retbleed (CVEs CVE-2022-29900/CVE-2022-23816 and CVE-2022-29901) is a new speculative execution attack which takes advantage of microarchitectural behavior in many modern microprocessors, similar to Spectre v2.

How can I tell if my server is using Kerberos authentication? ›

The easiest way to determine if Kerberos authentication is being used is by logging into a test workstation and navigating to the web site in question. If the user isn't prompted for credentials and the site is rendered correctly, you can assume Integrated Windows authentication is working.

Is Windows authentication the same as Kerberos? ›

Kerberos support is built in to all major computer operating systems, including Microsoft Windows, Apple macOS, FreeBSD and Linux. Since Windows 2000, Microsoft has used the Kerberos protocol as the default authentication method in Windows, and it is an integral part of the Windows Active Directory (AD) service.

How do I check my Kerberos policy? ›

These policy settings are located in \Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy.

How to configure Kerberos authentication in Windows? ›

Configuring the Kerberos Configuration File
  1. Create a standard krb5.ini file and place it in the C:\Windows directory.
  2. Ensure that the KDC and Admin server specified in the krb5.ini file can be resolved from your terminal. If necessary, you can modify the following: C:\Windows\System32\drivers\etc\hosts.

What is difference between LDAP and Kerberos? ›

While Kerberos is a ticket-based authentication protocol for trusted hosts on untrusted networks, Lightweight Directory Access Protocol (LDAP) is an authentication protocol for accessing server resources over an internet or intranet.

How to configure Kerberos in Windows server? ›

Procedure
  1. Open Control Panel.
  2. Click System and Security, and then click System > Advanced system settings.
  3. In the System Properties dialog box, click the Computer Name tab and click Change.
  4. In the Member of section, select Domain, and type the name of the domain to which you want to add this computer, and then click OK.

Where are Kerberos keys stored? ›

On the Kerberos server, the service key is stored in the Kerberos database. On the server host, these service keys are stored in key tables , which are files known as keytabs . For example, the service keys used by services that run as root are usually stored in the keytab file /etc/krb5. keytab .

Where are Kerberos credentials stored? ›

The credential cache file holds Kerberos protocol credentials (for example, tickets, session keys, and other identifying information) in semipermanent storage. The Kerberos protocol reads credentials from the cache as they are required and stores new credentials in the cache as they are obtained.

Where is Kerberos database stored? ›

The KDC needs it to start, and if you lose it, your realm database is useless and you will need to recreate it from scratch, including all user accounts. kdb5_util stores the database in the files /var/kerberos/krb5kdc/principal* and stores the database master key in /var/kerberos/krb5kdc/.

How do I clear the cache in Kerberos? ›

Open Microsoft PowerShell and run the command klist purge to clear the Kerberos ticket cache. See image. After clearing the Kerberos ticket cache, open https://www.zscaler.com/. In Windows PowerShell, run the command klist.

What is the reason for Kerberos authentication failure? ›

This problem can occur when a domain controller doesn't have a certificate installed for smart card authentication (for example, with a "Domain Controller" or "Domain Controller Authentication" template), the user's password has expired, or the wrong password was provided.

What ports does Kerberos use? ›

Ports 88 and 464 are the standard ports for Kerberos authentication. These ports are configurable. Port 464 is only required for password change operations. Ports 88 and 464 can use either the TCP or UDP protocol depending on the packet size and your Kerberos configuration, see Section 2.2.

What is CVE 2022 37972? ›

An attacker could exploit this vulnerability to obtain sensitive information.. For a complete description of the vulnerabilities and affected systems go to Microsoft Endpoint Configuration Manager Spoofing Vulnerability CVE-2022-37972.

What is CVE 2022 22973 score? ›

Local Privilege Escalation Vulnerability (CVE-2022-22973) VMware Workspace ONE Access and Identity Manager contain a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

What is CVE 2022 37958 code? ›

What is CVE-2022-37958? CVE-2022-37958 is a remote code execution (RCE) vulnerability in the SPNEGO NEGOEX protocol of Windows operating systems, which supports authentication in applications.

What is CVE 2022 22950? ›

Vmware Spring: CVE-2022-22950: Spring Expression DoS Vulnerability.

What is CVE 2022 41040 or CVE 2022 41082? ›

CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability. CVE-2022-41082 allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker.

What is CVE 2022 27510 score? ›

The most notable vulnerability, CVE-2022-27510, is rated a critical 9.8 for “appliances that are operating as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy),” per Citrix's advisory, and allows for remote, unauthenticated attackers to take control of a vulnerable system.

What is CVE 2022 30525 score? ›

Tracked as CVE-2022-30525 with a CVSS score of 9.8 (critical), this vulnerability allows an attacker to run arbitrary commands on the device without authentication.

What is CVE 2022 22965 vulnerability? ›

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment.

How many CVE are there in 2022? ›

Reserved CVE IDs

Year     2023     2022
Count    9,126    34,553

How do I know if my Kerberos or NTLM is used? ›

If you need to identify what is being used at this moment the only way to recognize this is from the logs at log level 4. Once Kerberos authentication is enabled in EasySSO settings - the server and the browser will start exchanging "Negotiate" headers.

What are the three servers used in Kerberos? ›

Three sub-protocols Kerberos uses are the Authentication Service Exchange, the Ticket-Granting Service Exchange, and the Client/Server Exchange.

Which version of Kerberos is currently used by Windows? ›

Feature description. The Windows Server operating systems implement the Kerberos version 5 authentication protocol and extensions for public key authentication, transporting authorization data, and delegation.

Does Windows use Kerberos by default? ›

Kerberos authentication is currently the default authorization technology used by Microsoft Windows, and implementations of Kerberos exist in Apple OS, FreeBSD, UNIX, and Linux.

Is Kerberos still used in Windows? ›

Initially developed by the Massachusetts Institute of Technology (MIT) for Project Athena in the late '80s, Kerberos is now the default authorization technology used by Microsoft Windows. Kerberos implementations also exist for other operating systems such as Apple OS, FreeBSD, UNIX, and Linux.

What is my Kerberos username? ›

Kerberos encryption

In most configurations, the salt is the user's username.

How long does Kerberos authentication last? ›

For security, Kerberos tickets expire pretty frequently — every 9 hours. When the ticket expires you can no longer read or write to Kerberos authenticated directories like your home directory or research share. If this happens, you can just run “kinit”.

Is Kerberos port TCP or UDP? ›

Kerberos is primarily a UDP protocol, although it falls back to TCP for large Kerberos tickets. This may require special configuration on firewalls to allow the UDP response from the Kerberos server (KDC). Kerberos clients need to send UDP and TCP packets on port 88 and receive replies from the Kerberos servers.

Does Kerberos use TLS? ›

The FTP server can be enabled to support both TLS and Kerberos. You can customize the FTP client for TLS, but a better way to implement TLS security is by using AT-TLS. The FTP client can be enabled to use either TLS or Kerberos, but not both at the same time.

Is Kerberos same as SSL? ›

While SSL uses public-key encryption. Kerberos is not patented; therefore, it provides free services and is open-source software. SSL is patented; hence, it does not provide free services. Kerberos is executed in Microsoft products like Windows 2000, Windows XP, and so on.

How do I update Kerberos? ›

To update a Slave KDC, you must stop the old server processes on the Slave KDC, install the new server binaries, reload the most recent slave dump file, and re-start the server processes.

How do I change Kerberos encryption type? ›

The setting Network Security: Configure encryption types allowed for Kerberos is responsible for this. It can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

What are the vulnerabilities in Kerberos authentication? ›

Still, the Kerberos authentication process is not without potential issues. In particular, the protocol is vulnerable to Kerberoasting, Golden Ticket and Silver Ticket attacks, and pass-the-ticket attacks.

How to configure Kerberos constrained delegation? ›

Scenario 1: Configure constrained delegation for a custom service account
  1. Add an SPN to the service account.
  2. Configure the delegation.
  3. Create and bind the SSL certificate for web enrollment.
  4. Configure the Web Enrollment front-end server to use the service account.
  5. Optional step: Configure a name to use for connections.

How to configure Kerberos in Windows? ›

Configuring the Kerberos Configuration File
  1. Create a standard krb5.ini file and place it in the C:\Windows directory.
  2. Ensure that the KDC and Admin server specified in the krb5.ini file can be resolved from your terminal. If necessary, you can modify the following: C:\Windows\System32\drivers\etc\hosts.

How do I force Kerberos token to refresh? ›

When the ticket expires you can no longer read or write to Kerberos authenticated directories like your home directory or research share. If this happens, you can just run “kinit”. It will prompt you for your password, and you'll get a new ticket valid for the next 9 hours.

How do I enable Kerberos AES encryption support? ›

Expand Security Settings > Local Policies > Security Options. Locate Network Security: Configure encryption types allowed for Kerberos.

What is the default encryption for Kerberos? ›

Contemporary non-Windows implementations of the Kerberos protocol support RC4 and AES 128-bit and AES 256-bit encryption.

What encryption does Kerberos use? ›

Kerberos uses symmetric key cryptography and requires trusted third-party authorization to verify user identities.

What 4 requirements were defined by Kerberos? ›

Kerberos Requirements
  • Secure – no masquerading.
  • Reliable – distributed server architecture.
  • Transparent – user unaware authentication is taking place.
  • Scalable – support large number of clients and servers.

What is the disadvantage of Kerberos protocol? ›

What are the drawbacks of Kerberos in information security?
  • Password guessing attacks − Password guessing attacks are not solved by Kerberos. ...
  • KDC spoofing − This define an attack which based essentially on the capability to spoof KDC responses.

What attacks does Kerberos prevent? ›

Kerberos prevents replay attacks using two main mechanisms: timestamps and session keys. Timestamps are used to ensure that the messages or tickets are fresh and not reused.

How do I trust a user for delegation in Kerberos? ›

In "Active Directory Users and Computers" in the console tree, click Users. Right-click the user who has to be trusted for delegation, and click Properties. Click the Delegation tab and click "Trust this user for delegation to any service (Kerberos only)".

What is the difference between constrained and unconstrained delegation in Kerberos? ›

Unconstrained delegation: Any service can be abused if one of their delegation entries is sensitive. Constrained delegation: Constrained entities can be abused if one of their delegation entries is sensitive.

What is Kerberos delegation and its types? ›

Full delegation is the initial implementation of Kerberos delegation. In this delegation method, a client forwards its Ticket Granting Ticket (TGT) to a service after Kerberos authentication. The service uses the TGT to get service tickets to access any other service in the network.
