Two vulnerabilities in Kerberos implementation in Microsoft Windows
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2017-8563 CVE-2017-8495 |
| CWE-ID | CWE-287 CWE-264 |
| Exploitation vector | Local network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Windows Operating systems & Components / Operating system Windows Server Operating systems & Components / Operating system |
| Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper authentication
EUVDB-ID: #VU7453
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8563
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists in Microsoft Windows when Kerberos falls back to NT LAN Manager (NTLM) Authentication Protocol as the default authentication protocol. A remote attacker can send specially crafted requests to domain controller and trigger the fall back to less secure authentication protocol.
Successful exploitation of the vulnerability may allow an attacker to perform a MitM attack, intercept network traffic and gain access to users’ credentials.
MitigationInstall updates from vendor's website.
Note: To make LDAP authentication over SSL/TLS more secure, administrators need to create a LdapEnforceChannelBinding registry setting on a Domain Controller. For more information about setting this registry key, see Microsoft Knowledge Base article 4034879.
Windows: 7 - 10
Windows Server: 2008 - 2016
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8563
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Security restrictions bypass
EUVDB-ID: #VU7466
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8495
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists when Kerberos fails to prevent tampering with the SNAME field during
ticket exchange. An attacker who successfully exploited this
vulnerability could use it to bypass Extended Protection for
Authentication.
Install updates from vendor's website.
Vulnerable software versionsWindows: 7 - 10
Windows Server: 2008 - 2016
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8495
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
