Unknown
CVE-2020-17049
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-17049
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).
To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.
The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.
Add Assessment
Technical Analysis
Technical analysis and exploit of the vulnerability are now publicly available:
https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-overview/
https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-theory/
https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-attack/
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportTechnical Analysis
Based on https://twitter.com/jakekarnes42/status/1329825159247642624
“The vulnerability impacts constrained delegation, which could be present in a single domain/forest. “
Note that the patch itself requires registry keys to be entered. Merely installing updates does not appear to protect the domain. There are issues introduced by this patch with Citrix and Federated Authentication service. (source https://twitter.com/mrgrayaz/status/1328517824633978912)
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- microsoft,
- samba
Products
- samba,
- windows server 2012,
- windows server 2012 r2,
- windows server 2016 -,
- windows server 2016 1903,
- windows server 2016 1909,
- windows server 2016 2004,
- windows server 2016 20h2,
- windows server 2019 -
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: