Microsoft issued an out-of-band update for Windows last week to fix authentication problems related to a recently patched Kerberos flaw.
The problem is linked to the PerformTicketSignature registry subkey value in CVE-2020-17049, a security feature bypass vulnerability in the Kerberos Key Distribution Center (KDC) that Microsoft patched on November 2020 Patch Tuesday.
CVE-2020-17049, the tech firm explains in an advisory, exists in the way the KDC decides whether tickets are eligible for delegation through Kerberos Constrained Delegation (KCD).
To exploit the vulnerability, a compromised server configured to use KCD could use a service ticket that is not valid for delegation to force the KDC to accept it. The update fixes the vulnerability by changing how the KDC validates service tickets used with KCD, Microsoft says.
Last week the company disclosed that a variety of problems could arise on writable and read-only domain controllers (DCs), including tickets not being renewed for non-Windows Kerberos clients and S4UProxy delegation failing when PerformTicketSignature is set to 1 (the default), and services failing for all clients when PerformTicketSignature is set to 0.
To fix a documented problem concerning Kerberos authentication, an optional out-of-band update is now available in the Microsoft Update Catalog. As part of this problem, ticket renewal and other tasks, such as scheduled tasks and clustering, may fail. Microsoft states that the issue affects only Windows Servers, Windows 10 computers, and applications in business environments.
The company advises that only affected organisations install the out-of-band update, and that they install it on their domain controllers. In addition, Microsoft warns that the update comes with several known issues that businesses should be aware of, involving the Microsoft Input Method Editor (IME) for Japanese or Chinese languages.
In a post last week, Microsoft Japan issued a set of guidelines on the steps administrators can take to resolve certain issues, in addition to applying the update to all of the DCs and RODCs (Read-Only Domain Controllers) in the environment.