CVE-2020-17049 is a Kerberos security feature bypass vulnerability for which proof-of-concept exploit code has now been published. The PoC demonstrates a new attack technique that can enable threat actors to access network-connected services.
Such an attack can have various implications. Systems running the Windows 10 Anniversary Update were protected against two exploits before Microsoft addressed the patches’ issues. The new attack has been dubbed the Bronze Bit attack, and patching it has been quite challenging for Microsoft. An initial fix for the exploit was released last month in the November 2020 Patch Tuesday.
However, some Microsoft customers were having issues with the patch, and a new one had to be issued this month.
Security researcher Jake Karnes from NetSPI published a technical breakdown of CVE-2020-17049 to help network engineers better understand the vulnerability. The researcher also created proof-of-concept code to accompany the technical analysis. Karnes says that the Bronze Bit attack is a new variation of the known Golden Ticket and Silver Ticket exploits aimed at Kerberos authentication. The common element in all of these exploits is that they can only be leveraged once a threat actor has already breached a company’s internal network.
Since the Kerberos authentication protocol has been present in all standard Windows versions since 2000, many systems may be at risk. An attacker who has breached at least one system on a network and extracted password hashes can use them to bypass authentication and forge credentials for other systems on the same network. The only condition is that the Kerberos protocol is in use.
The Bronze Bit attack differs from the other two in which parts of the system attackers look to compromise. In this case, threat actors target the S4U2self and S4U2proxy protocols that Microsoft added as extensions to the Kerberos protocol. According to Karnes, the S4U2self protocol is used to obtain a service ticket for a targeted user to the compromised service, and in every case it is the compromised service’s password hash that is abused.
“The attack then manipulates this service ticket by ensuring its forwardable flag is set (flipping the “Forwardable” bit to 1). The tampered service ticket is then used in the S4U2proxy protocol to obtain a service ticket for the targeted user to the targeted service,” the researcher explained.
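The flag Karnes refers to lives in the TicketFlags bit string of a Kerberos ticket, and RFC 4120 numbers those bits ASN.1-style (bit 0 is the most significant bit of the first byte), which is easy to get wrong when reviewing captured tickets or log fields. The following Python is an added example, not code from the article or from NetSPI's PoC: it decodes a DER-encoded TicketFlags field and reports whether Forwardable is set; the sample byte strings are constructed.

```python
# Added example (not the article's or NetSPI's code): decode a Kerberos
# TicketFlags field and report whether the Forwardable flag is set.
# RFC 4120 numbers flag bits ASN.1-style: bit 0 is the most significant
# bit of the first byte, so "forwardable" (bit 1) is mask 0x40000000,
# not 0x2 as a little-endian reading would suggest.

TICKET_FLAGS = {
    0: "reserved", 1: "forwardable", 2: "forwarded", 3: "proxiable",
    4: "proxy", 5: "may-postdate", 6: "postdated", 7: "invalid",
    8: "renewable", 9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate",
}

def flag_mask(bit: int) -> int:
    """Mask for RFC 4120 flag bit `bit` in a 32-bit MSB-first word."""
    return 1 << (31 - bit)

def decode_ticket_flags(flags: int) -> list[str]:
    """Names of all defined flags set in a 32-bit TicketFlags value."""
    return [name for bit, name in TICKET_FLAGS.items() if flags & flag_mask(bit)]

def is_forwardable(flags: int) -> bool:
    """The single bit the KDC's S4U2proxy check relied on."""
    return bool(flags & flag_mask(1))

def bitstring_to_flags(der: bytes) -> int:
    """Decode a DER BIT STRING (tag 0x03) carrying TicketFlags to an int.

    Handles the short-form length a 32-bit flag field uses, drops the
    trailing unused bits, reads missing bits as 0 and ignores bits past 32
    (RFC 4120 section 5.2.8).
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad BIT STRING length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("bad unused-bit count")
    bits = "".join(f"{b:08b}" for b in payload)
    bits = bits[: len(bits) - unused]
    return int(bits.ljust(32, "0")[:32], 2)

# Constructed samples: the same ticket flags with and without Forwardable.
FORWARDABLE_TICKET = bytes.fromhex("03050040a00000")  # forwardable, renewable, pre-authent
PLAIN_TICKET = bytes.fromhex("03050000a00000")        # renewable, pre-authent only

if __name__ == "__main__":
    for sample in (FORWARDABLE_TICKET, PLAIN_TICKET):
        flags = bitstring_to_flags(sample)
        print(f"0x{flags:08x} forwardable={is_forwardable(flags)} {decode_ticket_flags(flags)}")
```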
More about the Kerberos protocol
The Windows Active Directory uses the Kerberos protocol to authenticate users, servers, and other resources to each other within a domain. The protocol is based on symmetric key cryptography where each principal has a long-term secret key.
This secret key is only known by the principal themselves and the Key Distribution Center (KDC). In an AD environment, the domain controller performs the role of the KDC. (…) With its knowledge of each principal’s secret key, the KDC facilitates authentication of one principal to another by issuing “tickets.” These tickets contain metadata, authorization information and additional secret keys which can be used with future tickets, Karnes says in his theoretical article.
As already mentioned, Microsoft released several patches over the last couple of months to address the issue. The patches are listed in the dedicated MSRC advisory, and more information from Microsoft is available in its support article.