New Kerberos vulnerability (does it affect 2K or NT4?)

[Nomen]

Some details here: http://www.securityfocus.com/bid/70958

----------

Vulnerable:

Microsoft Windows Vista x64 Edition SP2

Microsoft Windows Vista SP2

Microsoft Windows 7 for x64-based Systems SP1

Microsoft Windows 7 for 32-bit Systems SP1

(and other various versions of Windows Server)

-----------

From this: https://technet.microsoft.com/library/security/MS14-068

---------------

What systems are primarily at risk from the vulnerability?

Domain controllers that are configured to act as a Kerberos Key Distribution Center (KDC) are primarily at risk.

---------------

So I ask - Can Vista or 7 (any version) act as a domain controller? And be a Kerberos Key distribution Center?

I also ask if NT4 server or 2K server would also have this Kerberos vulnerability... ?

Edited November 20, 2014 by Nomen

[submix8c]

"Primarily at risk"...

See description of Kerberos:

http://technet.microsoft.com/en-us/library/cc780469%28v=ws.10%29.aspx

Also pay attention to the Contents of the Technet link (listed in the KB):

https://support.microsoft.com/kb/3011780

 

For the POSReady the "Kerberos.dll" Version is "5.1.2600.6667" (consider this a Workstation).

Obviously the "Kdcsvc.dll" won't be installed on non-Server Systems. Note the Version#'s for those OS.

I'm not so sure that this can be ported to Win2K Servers/Workstations *or* NT4 Servers/Workstations. Win2K3 versions are 5.2.xxx, for this Fix it's v5.2.3790.5467. **AHHH!** Looking at the first link, it basically says "Nope, not NT4" (also googling indicates that).

 

Also note that Active Directory is a part of this (only applies to Servers). Here's another MS article explaining more.

http://msdn.microsoft.com/en-us/library/bb742516.aspx

 

IOW, it appears that you're really making an issue of Win2k/NT4 for no reason. *UNLESS* the POSReady can be ported to a Win2kPro (ignoring the v5.2 porting necessary for Servers).

http://www.msfn.org/board/topic/171814-posready-2009-updates-ported-to-windows-xp-sp3-enu/#entry1089299

 

Just realize it *appears* to be directly related to Logon to an Active Directory Domain and the Domain Server itself.

[blackwingcat]

It is easy to patch MS14-068.

But it is too difficult  to patch MS11-013.

 

Kerberos Channel Binding Support is too complex for me.

Sorry.

 

I released

MS14-072 / MS14-068(included MS11-013) / MS14-070 / MS14-066 / MS14-067 / MS14-064

for Extended kernel Windows 2000 in this month.

 

 

"Primarily at risk"...

See description of Kerberos:

http://technet.microsoft.com/en-us/library/cc780469%28v=ws.10%29.aspx

Also pay attention to the Contents of the Technet link (listed in the KB):

https://support.microsoft.com/kb/3011780

 

For the POSReady the "Kerberos.dll" Version is "5.1.2600.6667" (consider this a Workstation).

Obviously the "Kdcsvc.dll" won't be installed on non-Server Systems. Note the Version#'s for those OS.

I'm not so sure that this can be ported to Win2K Servers/Workstations *or* NT4 Servers/Workstations. Win2K3 versions are 5.2.xxx, for this Fix it's v5.2.3790.5467. **AHHH!** Looking at the first link, it basically says "Nope, not NT4" (also googling indicates that).

 

Also note that Active Directory is a part of this (only applies to Servers). Here's another MS article explaining more.

http://msdn.microsoft.com/en-us/library/bb742516.aspx

 

IOW, it appears that you're really making an issue of Win2k/NT4 for no reason. *UNLESS* the POSReady can be ported to a Win2kPro (ignoring the v5.2 porting necessary for Servers).

http://www.msfn.org/board/topic/171814-posready-2009-updates-ported-to-windows-xp-sp3-enu/#entry1089299

 

Just realize it *appears* to be directly related to Logon to an Active Directory Domain and the Domain Server itself.

Edited November 21, 2014 by blackwingcat

[Nomen]

Ah - so I wasn't the only one asking this question:

============

Why is Microsoft updating Windows PCs for a security bug on the server?

http://www.computerworld.com/article/2851333/why-is-microsoft-updating-windows-pcs-for-a-security-bug-on-the-server.html

The Kerberos vulnerability is only in Windows Server, but Windows PCs are getting extra security fixes

When Microsoft released a critical update for multiple versions of Windows Server this month, it also pushed out a fix for several releases of the Windows client OS, including even the technical preview for Windows 10.

It was critical to get the patch out for Windows Server: An exploit affecting Windows Server 2008 R2 and earlier versions has already been detected, and Windows Server 2012 and later releases are vulnerable to a related but more difficult attack.

But the vulnerability isn't present in the desktop versions of Windows. In Windows Server, the flaw allows attackers to employ the username and password of anyone in an Active Directory domain to get the same system privileges as a domain administrator, using a forged Privilege Attribute Certificate to fool the Kerberos Domain Controller that manages remote access.

The bulletin for the patch says there's no security impact for the client versions of Windows. So why did Microsoft also release an update for Windows Vista, Windows 7, Windows 8, Windows 8.1 and the Windows 10 Technical Preview?

It's because although they don't have that specific vulnerability, looking into the Windows source code to understand how the Privilege Attribute Certificate could be forged revealed some older code that Microsoft was no longer satisfied with, a representative for the company told us. That could mean other potential attacks, although they declined to give more details.

"The 'hardening' on the client side is the replacement of older code with newer code. In our investigation, although we did not discover a vulnerability on these platforms, we did discover code that needed to be improved in order to meet our current security standards," the representative said.

Although Microsoft hasn't said whether Windows XP also had the problem code, it's likely it does given the age of the code involved. As XP is out of support, only companies that are paying for extended support contracts would get an update for it -- another incentive for anyone still using the older OS to upgrade.

The update applied to the Windows Server Technical Preview as well, but Microsoft said it doesn't list security impact and severity ratings for previews. "As customers know, beta software is not fully supported and we do not want to cause customer confusion," the representative said.

======================

[submix8c]

@Nomen:

You must have missed this part:

"Kerberos.dll" is replaced on Workstations as well as Servers. You already cited the link that said "somewhat" why.

In addition, you apparently disregarded the first link (Technet) I gave. Try looking at that nifty chart.

If you don't want to patch a Workstation, then don't and see what happens.

Otherwise, go argue with MS as to why they did (see your quotes above). We're not privy to MS' secrets.

http://en.wikipedia.org/wiki/Kerberos_%28protocol%29

[blackwingcat]

I tried to patch kdcsvc.dll for Windows 2000.
You can down load from WLU.

 

http://blog.livedoor.jp/blackwingcat/archives/1883150.html
http://blog.livedoor.jp/blackwingcat/archives/1883160.html
Technical information here.