Microsoft released a patch to correct the notorious security vulnerability described in the CVE-2016-3237 Advisory. The company’s security announcements bulletin MS16-101 contains information about the exploit. The main problem is found in the Kerberos security feature bypass described in the CVE Advisory. It allows criminals to execute man-in-the-middle attacks against target hosts and to bypass the Kerberos server authentication. The fault has been found in the NTLM fallback authentication session during a domain account password change. This type of vulnerability is also known as a “Kerberos Elevation of Privilege Vulnerability” or “The Malicious Butler Attack.” Microsoft has provided fixes for other serious issues as well.
The Kerberos vulnerability affects a variety of different products including:
- Microsoft Windows Vista SP2
- Microsoft Windows Server 2008 SP2
- Microsoft Windows Server 2008 R1 SP1
- Microsoft Windows 8.1
- Microsoft Server 2012 Gold
- Microsoft Server 2012 R2
- Microsoft Windows 8.1 RT
- Microsoft Windows 10 Gold
- Microsoft Windows 10 Build 1511
- Microsoft Windows 10 Build 1607
This is a Kerberos man-in-the-middle attack was originally reported in November 2015 by the security researcher Ian Haken and demonstrated in CVE-2015-6095. The Kerberos authentication mishandled password changes, a security issue that allows physically proximate attackers to bypass the security features. They can execute decryption attacks against certain BitLocker configuration schemes by connecting to an unintended Kerberos Key Distribution Center (KdC). Microsoft issued a fix to the vulnerability, but security researchers Nabeel Ahmed, and Tom Gilis proved that it provided an incomplete solution to the problem.
At the last annual Black Hat presentation last week Chaim Hoch and Tal Be’ery from Microsoft presented a method that could launch a remote attack utilizing the CVE-2015-6095 mechanism. This attack gained fame as the “Remote Malicious Butler”.
The CVE-2015-6095 required a malicious user to create a rogue domain controller using the same domain name as the target host. The next step was to create an username with a password expiration policy to trigger the exploit mechanism. The criminal must then connect to the target machine and login with the victim username.
Using the expiration policy a password change which prompts the remote system into creating a cached credentials file. Using this method the malicious user can utilize this information to log in to the domain controller.
Microsoft initially countered this measure by adding authentication check in February. After that, another security issue was identified which allowed criminals access by other means – using a simple network disconnect bug.
In the latest Microsoft bulletin, the security features bypass, and the elevation privilege issues are finally amended.