KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967 (2023)

In this article

  • Summary

  • Timing of updates to address CVE-2022-37967

  • Deployment guidelines

  • Registry Key settings

  • Windows events related to CVE-2022-37967

  • Third-party devices implementing Kerberos protocol

  • Glossary

Summary

The November 8, 2022 Windows updates address security bypass and elevation of privilege vulnerabilities involving Privilege Attribute Certificate (PAC) signatures. This security update addresses Kerberos vulnerabilities in which an attacker could digitally alter PAC signatures to raise their privileges.

To help secure your environment, install this Windows update on all devices, including Windows domain controllers. All domain controllers in your domain must be updated before you switch the update to Enforced mode.

To learn more about this vulnerability, see CVE-2022-37967.

Take Action

To help protect your environment and prevent outages, we recommend that you do the following steps:

  1. UPDATE your Windows domain controllers with a Windows update released on or after November 8, 2022.

  2. MOVE your Windows domain controllers to Audit mode by using the Registry Key settings section.

  3. MONITOR events filed during Audit mode to secure your environment.

  4. ENABLE Enforcement mode to address CVE-2022-37967 in your environment.

Note Step 1, installing updates released on or after November 8, 2022, will NOT address the security issues in CVE-2022-37967 for Windows devices by default. To fully mitigate the security issue for all devices, you must move to Audit mode (described in Step 2) followed by Enforced mode (described in Step 4) as soon as possible on all Windows domain controllers.

Important Starting July 2023, Enforcement mode will be enabled on all Windows domain controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable the update, but you may move back to the Audit mode setting. Audit mode will be removed in October 2023, as outlined in the Timing of updates to address CVE-2022-37967 section.

Timing of updates to address CVE-2022-37967

Updates will be released in phases: the initial phase for updates released on or after November 8, 2022 and the Enforcement phase for updates released on or after April 11, 2023.


The initial deployment phase starts with the updates released on November 8, 2022 and continues with later Windows updates until the Enforcement phase. This update adds signatures to the Kerberos PAC buffer but does not check for signatures during authentication. Thus, secure mode is disabled by default.

This update:

  • Adds PAC signatures to the Kerberos PAC buffer.

  • Adds measures to address security bypass vulnerability in the Kerberos protocol.

The second deployment phase starts with updates released on December 13, 2022. These and later updates make changes to the Kerberos protocol to audit Windows devices by moving Windows domain controllers to Audit mode.

With this update, all devices will be in Audit mode by default. If the signature is either missing or invalid, authentication is allowed and an audit log entry is created. Specifically:

  • If the signature is missing, raise an event and allow the authentication.

  • If the signature is present, validate it. If the signature is invalid, raise an event and allow the authentication.

The Windows updates released on or after April 11, 2023 will do the following:

  • Remove the ability to disable PAC signature addition by setting the KrbtgtFullPacSignature subkey to a value of 0.

The Windows updates released on or after July 11, 2023 will do the following:

  • Removes the ability to set value 1 for the KrbtgtFullPacSignature subkey.

  • Moves the update to Enforcement mode (Default) (KrbtgtFullPacSignature = 3), which can be overridden by an Administrator with an explicit Audit setting.


The Windows updates released on or after October 10, 2023 will do the following:

  • Removes support for the registry subkey KrbtgtFullPacSignature.

  • Removes support for Audit mode.

  • All service tickets without the new PAC signatures will be denied authentication.

Deployment guidelines

To deploy the Windows updates that are dated November 8, 2022 or later Windows updates, follow these steps:

  1. UPDATE your Windows domain controllers with an update released on or after November 8, 2022.

  2. MOVE your domain controllers to Audit mode by using the Registry Key settings section.

  3. MONITOR events filed during Audit mode to help secure your environment.

  4. ENABLE Enforcement mode to address CVE-2022-37967 in your environment.

STEP 1: UPDATE

Deploy the November 8, 2022 or later updates to all applicable Windows domain controllers (DCs). After you deploy the update, updated Windows domain controllers add signatures to the Kerberos PAC buffer but remain insecure by default, because the PAC signature is not yet validated.

  • While updating, make sure to keep the KrbtgtFullPacSignature registry value in the default state until all Windows domain controllers are updated.


STEP 2: MOVE

Once the Windows domain controllers are updated, switch to Audit mode by changing the KrbtgtFullPacSignature value to 2.

STEP 3: FIND/MONITOR

Identify areas that either are missing PAC signatures or have PAC Signatures that fail validation through the Event Logs triggered during Audit mode.

  • Make sure that the domain functional level is set to at least 2008 or greater before moving to Enforcement mode. Moving to Enforcement mode with domains at the 2003 domain functional level may result in authentication failures.

  • Audit events will appear if your domain is not fully updated, or if outstanding previously-issued service tickets still exist in your domain.

  • Continue to monitor for additional event logs filed that indicate either missing PAC signatures or validation failures of existing PAC signatures.

  • After the entire domain is updated and all outstanding tickets have expired, the audit events should no longer appear. Then you should be able to move to Enforcement mode with no failures.

STEP 4: ENABLE

Enable Enforcement mode to address CVE-2022-37967 in your environment.

  • Once all audit events have been resolved and no longer appear, move your domains to Enforcement mode by updating the KrbtgtFullPacSignature registry value as described in the Registry Key settings section.

  • If a service ticket has an invalid PAC signature or is missing PAC signatures, validation will fail, authentication will be denied, and an error event will be logged.

Registry Key settings

Kerberos protocol

After installing the Windows updates that are dated on or after November 8, 2022, the following registry key is available for the Kerberos protocol:

  • KrbtgtFullPacSignature

    This registry key is used to gate the deployment of the Kerberos changes. This registry key is temporary, and will no longer be read after the full Enforcement date of October 10, 2023.

    Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc

    Value: KrbtgtFullPacSignature

    Data type: REG_DWORD

    Data:

      0 – Disabled

      1 – New signatures are added, but not verified. (Default setting)

      2 – Audit mode. New signatures are added, and verified if present. If the signature is either missing or invalid, authentication is allowed and audit logs are created.

      3 – Enforcement mode. New signatures are added, and verified if present. If the signature is either missing or invalid, authentication is denied and audit logs are created.

    Restart required? No

    Note The value does not exist by default. If you need to change the KrbtgtFullPacSignature setting, manually add the value and then configure it to override the default.
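The following script is an added example and is not part of KB5020805 or any Microsoft tooling. It reports the current KrbtgtFullPacSignature value on every domain controller (reporting the absent value as 1, the default the KB describes) and, when -Mode is given, sets it to 2 (Audit) or 3 (Enforcement) on each DC. It assumes the RSAT ActiveDirectory module on the admin host, PowerShell remoting to each DC, and that Step 1 (all DCs updated) is already complete; the refusal to enforce while any DC is still below Audit mode is an added safeguard, not something the KB mandates.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not part of KB5020805. Reports the KrbtgtFullPacSignature
  value on every domain controller and, when -Mode is given, sets it.
  Assumptions: RSAT ActiveDirectory module, WinRM (PowerShell remoting)
  to each DC, and that every DC already has the November 8, 2022 or later update.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # 2 = Audit mode, 3 = Enforcement mode. Omit to report current values only.
    [ValidateSet(2, 3)]
    [int]$Mode
)

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'KrbtgtFullPacSignature'
$Labels    = @{
    0 = 'Disabled'
    1 = 'Signatures added, not verified (default)'
    2 = 'Audit'
    3 = 'Enforcement'
}

$dcs = (Get-ADDomainController -Filter *).HostName

# Read the current value on every DC. The value does not exist by default,
# so a missing value is reported as 1 (the default behaviour per the KB).
$current = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $name = $using:ValueName
    $item = Get-ItemProperty -Path $using:KdcKey -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC    = $env:COMPUTERNAME
        Value = if ($null -eq $item) { 1 } else { [int]$item.$name }
    }
}

'Current KrbtgtFullPacSignature per DC:'
$current | Sort-Object DC | ForEach-Object {
    '  {0,-30} {1}  {2}' -f $_.DC, $_.Value, $Labels[$_.Value]
}

if (-not $PSBoundParameters.ContainsKey('Mode')) { return }

# Added safeguard: the KB expects Audit mode (2) to run clean before
# Enforcement (3); refuse to enforce while any DC is still below Audit.
if ($Mode -eq 3 -and ($current | Where-Object Value -lt 2)) {
    throw 'One or more DCs are not yet in Audit mode (2). Complete Step 3 (monitor) before enforcing.'
}

foreach ($dc in ($dcs | Sort-Object)) {
    if ($PSCmdlet.ShouldProcess($dc, "Set $ValueName = $Mode ($($Labels[$Mode]))")) {
        Invoke-Command -ComputerName $dc -ScriptBlock {
            # -Force creates the REG_DWORD value if absent and overwrites it if present.
            # No restart of the DC or the KDC service is required (per the KB).
            New-ItemProperty -Path $using:KdcKey -Name $using:ValueName `
                -PropertyType DWord -Value $using:Mode -Force | Out-Null
        }
    }
}
```

Run it without parameters first to see where every DC stands, then with -Mode 2 -WhatIf to preview the change and -Mode 2 to apply it; repeat with -Mode 3 only after the Kdcsvc audit events described below have stopped appearing on all DCs.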

Windows events related to CVE-2022-37967

In Audit mode, you may find either of the following events if PAC signatures are missing or invalid. If the condition persists in Enforcement mode, the same events are logged as errors and the affected authentication is denied.


If you find either event on your device, it is likely that not all Windows domain controllers in your domain are up to date with a November 8, 2022 or later Windows update. To mitigate the issue, investigate your domain further to find Windows domain controllers that are not up to date.

Note If you find an error with Event ID 42, see KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966.

Event log: System

Event type: Warning

Event source: Kdcsvc

Event ID: 43

Event text: The Key Distribution Center (KDC) encountered a ticket that it could not validate the full PAC Signature. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more. Client : <realm>/<Name>

Event log: System

Event type: Warning

Event source: Kdcsvc

Event ID: 44

Event text: The Key Distribution Center (KDC) encountered a ticket that did not contained the full PAC Signature. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more. Client : <realm>/<Name>
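The following script is an added example and is not part of KB5020805. It implements the MONITOR step: it pulls events 43 and 44 from the System log of every domain controller for the last N days, extracts the "Client : <realm>/<Name>" token from each event's text, and summarises which clients still present tickets with a missing or invalid full PAC signature and on which DCs. It assumes the RSAT ActiveDirectory module and remote event-log access to each DC; the loose provider match (Kdcsvc or the Kerberos-Key-Distribution-Center manifest name) is an assumption made so the filter works whichever name the event surfaces under.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not part of KB5020805. Collects Kdcsvc events 43 (invalid full
  PAC signature) and 44 (missing full PAC signature) from every DC's System log
  and summarises them by client, so you can see what still needs attention
  before switching to Enforcement mode.
  Assumptions: RSAT ActiveDirectory module and remote event-log access to each DC.
#>
param([int]$Days = 7)

$since = (Get-Date).AddDays(-$Days)
$dcs   = (Get-ADDomainController -Filter *).HostName

$events = foreach ($dc in $dcs) {
    try {
        # Filter on ID and time on the DC side; the provider is matched loosely
        # afterwards (assumption) so either the legacy source name or the
        # manifest provider name is accepted.
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'System'
            Id        = 43, 44
            StartTime = $since
        } |
        Where-Object { $_.ProviderName -match 'Kdcsvc|Kerberos-Key-Distribution-Center' } |
        ForEach-Object {
            # The event text ends with "Client : <realm>/<Name>"; pull that token out.
            $client = if ($_.Message -match 'Client\s*:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
            [pscustomobject]@{
                DC      = $dc
                Time    = $_.TimeCreated
                Id      = $_.Id
                Problem = if ($_.Id -eq 44) { 'Missing full PAC signature' } else { 'Invalid full PAC signature' }
                Client  = $client
            }
        }
    }
    catch {
        # Get-WinEvent throws when nothing matches the filter; that DC is simply clean.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

if (-not $events) {
    "No Kdcsvc 43/44 events on $($dcs.Count) DCs since $since."
    'If every DC is updated and outstanding tickets have expired, the domain is ready for Enforcement mode.'
    return
}

'Clients still presenting tickets without a valid full PAC signature:'
$events |
    Group-Object Problem, Client |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Problem';  e = { $_.Group[0].Problem } },
        @{ n = 'Client';   e = { $_.Group[0].Client } },
        @{ n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } },
        @{ n = 'DCs';      e = { ($_.Group.DC | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

Read the output in light of the KB's guidance above: event 44 (missing signature) entries that all date from before the last DC was updated are the outstanding previously issued tickets the KB mentions and should age out on their own; entries that keep recurring point at a DC that is not yet updated or at a third-party KDC or client, and those need to be resolved before you set KrbtgtFullPacSignature to 3.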

Third-party devices implementing Kerberos protocol

Domains that have third-party domain controllers might see errors in Enforcement mode.

Domains with third-party clients might take longer to be fully cleared of audit events following the installation of a November 8, 2022 or later Windows update.

Contact the device manufacturer (OEM) or software vendor to determine if their software is compatible with the latest protocol change.

For information about protocol updates, see the Windows Protocol topic on the Microsoft website.

Glossary

Kerberos is a computer network authentication protocol which works based on “tickets” to allow for nodes communicating over a network to prove their identity to one another in a secure manner.

Key Distribution Center (KDC) is the Kerberos service that implements the authentication and ticket granting services specified in the Kerberos protocol. The service runs on computers selected by the administrator of the realm or domain; it is not present on every machine on the network. It must have access to an account database for the realm that it serves. KDCs are integrated into the domain controller role. It is a network service that supplies tickets to clients for use in authenticating to services.

Privilege Attribute Certificate (PAC) is a structure that conveys authorization-related information provided by domain controllers (DCs). For more information, see Privilege Attribute Certificate Data Structure.

Ticket-granting Ticket (TGT) is a special type of ticket that can be used to obtain other tickets. The TGT is obtained after the initial authentication in the Authentication Service (AS) exchange; thereafter, users do not need to present their credentials, but can use the TGT to obtain subsequent tickets.
