As if the SSL/TLS vulnerability dubbed MS14-066 last week wasn’t enough, today Microsoft announced an out-of-band patch for a critical Privilege Escalation bug in all Windows Server systems. This time, Kerberos gets patched.
A remote elevation of privilege vulnerability exists in implementations of Kerberos KDC in Microsoft Windows. The vulnerability exists when the Microsoft Kerberos KDC implementations fail to properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability. Note that the known attacks did not affect systems running Windows Server 2012 or Windows Server 2012 R2. The update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos.
Microsoft Security Bulletin MS14-068
On the plus side, it only applies to servers in an Active Directory domain. Standalone Windows Servers shouldn't be vulnerable to this. But there are plenty of domain-joined Windows servers that do need urgent patching.
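The check a practitioner wants after reading this is whether the domain controllers, the machines running the vulnerable KDC, have actually received the update. The script below is an added example and not part of the original post; it assumes the ActiveDirectory PowerShell module and remote WMI access to each DC, and the KB number is a placeholder to fill in from the MS14-068 bulletin.

```powershell
# Added example (not from the original post): report which domain controllers
# in the current domain still lack the MS14-068 update.
param(
    # Placeholder: take the real KB id from the MS14-068 security bulletin.
    [string]$KbId = 'KB<number from the MS14-068 bulletin>'
)
Import-Module ActiveDirectory

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Get-HotFix returns nothing (no error) when the update is absent;
        # -ErrorAction Stop turns an unreachable DC into a catchable error.
        $fix = Get-HotFix -ComputerName $dc.HostName -Id $KbId -ErrorAction Stop
        $installedOn = if ($fix) { $fix.InstalledOn } else { $null }
        [pscustomobject]@{
            HostName    = $dc.HostName
            Patched     = [bool]$fix
            InstalledOn = $installedOn
            Error       = $null
        }
    } catch {
        # Unreachable DCs are reported rather than silently skipped:
        # an unverified KDC has to be treated as unpatched.
        [pscustomobject]@{
            HostName    = $dc.HostName
            Patched     = $false
            InstalledOn = $null
            Error       = $_.Exception.Message
        }
    }
}

# Unpatched or unreachable KDCs first, since those need attention now.
$report | Sort-Object Patched | Format-Table -AutoSize
```

Run it from a domain-joined admin workstation; every row with Patched = False is a KDC that still accepts forged ticket signatures until the update lands.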