
How the Bronze Bit Attack can Bypass Kerberos Protocol

by CISOCONNECT Bureau

Kerberos authentication protocol can be bypassed using a new attack technique with a proof-of-concept exploit code. Read on to know more…

Kerberos, the network authentication protocol used by Active Directory, can have its delegation protections bypassed using a new attack technique that has been revealed together with proof-of-concept exploit code. The technique, dubbed the Bronze Bit attack, exploits the CVE-2020-17049 vulnerability. It is named in the spirit of the older Golden Ticket and Silver Ticket attacks, but it works differently: it tampers with a legitimately issued ticket rather than forging one from scratch.

The technique is a post-compromise attack. The attacker first has to obtain the password hash or AES key of a service account that is allowed to delegate to another service in the same Active Directory domain. With that key, the attacker can obtain a service ticket for any targeted user, including users that are marked as sensitive or placed in the Protected Users group, and use it against the target service. Kerberos has been the default authentication protocol in every Windows domain since Windows 2000.

The attack abuses the S4U2self extension to obtain a service ticket for the targeted user to the compromised service. Because the attacker holds the compromised service's key, it can decrypt that ticket, set its "Forwardable" flag to 1, and re-encrypt it. The attack is possible because nothing in the ticket lets the KDC detect the change: the encrypted part is protected only by the service key, which the attacker already has, and there is no separate KDC-controlled signature over the ticket flags.

The Bronze Bit attack bypasses two existing protections for Kerberos delegation: the requirement that a service be trusted for protocol transition ("Use any authentication protocol") before it can obtain forwardable tickets through S4U2self, and the per-user "Account is sensitive and cannot be delegated" setting together with Protected Users group membership. As a result, the technique provides an opportunity for impersonation, privilege escalation and, lastly, lateral movement. The attack is named Bronze Bit instead of Bronze Ticket because it relies on flipping only a single bit. The exploit was developed as an extension of the Impacket framework offered by SecureAuth, as a -force-forwardable option for the getST.py script.

Working Mechanism
As explained by Jake Karnes of NetSPI, who discovered the flaw, the Kerberos Bronze Bit attack abuses the S4U2self and S4U2proxy protocols that Microsoft added as Active Directory Kerberos protocol extensions. The S4U2self protocol is used in the attack to obtain the service ticket of the targeted user, a ticket later manipulated "by ensuring its forwardable flag is set (flipping the "Forwardable" bit to 1)."

“The tampered service ticket is then used in the S4U2proxy protocol to obtain a service ticket for the targeted user to the targeted service,” Karnes says. “With this final service ticket in hand, the attacker can impersonate the targeted user, send requests to the targeted service, and the requests will be processed under the targeted user’s authority.”

The CVE-2020-17049 exploit is designed to bypass Kerberos delegation protections, allowing attackers to escalate privileges, impersonate targeted users, and move laterally in compromised environments. "Because this is accomplished by flipping a single bit, and in the spirit of the Golden Ticket and Silver Ticket attacks, I've dubbed this the Bronze Bit attack," Karnes added.
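The exchange described above, as an added example that is not part of the original article and not Karnes' or Impacket's code: a simplified Python model of the S4U2self ticket, the attacker's bit flip, and the KDC's S4U2proxy check, both before and after the fix. It is an assumption of the model that HMAC-SHA256 in counter mode stands in for the real RFC 3961 cipher, that the EncTicketPart is a flat byte layout rather than ASN.1, and that the KDC's ticket signature is an HMAC under the krbtgt key over the ticket body; the names of the helpers and the constructed keys and user names are illustrative only.

```python
import hashlib
import hmac
import os
import struct

# KerberosFlags (RFC 4120 5.2.8) is a bit string whose bit 0 is the most
# significant bit of the 32-bit value; "forwardable" is bit 1.
FORWARDABLE = 1 << 30
RENEWABLE = 1 << 23
PRE_AUTHENT = 1 << 21

NONCE_LEN = 16
TAG_LEN = 32
CHECKSUM_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; an assumed stand-in for the RFC 3961 cipher."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality and integrity under ONE key, like Kerberos EncryptedData:
    whoever holds `key` can both read and (re)create a valid ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("EncryptedData integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def pack_enc_part(flags: int, cname: str, ticket_checksum: bytes) -> bytes:
    """Toy EncTicketPart layout: flags | cname length | cname | KDC ticket checksum."""
    name = cname.encode()
    return struct.pack(">IH", flags, len(name)) + name + ticket_checksum


def unpack_enc_part(data: bytes):
    flags, nlen = struct.unpack(">IH", data[:6])
    name = data[6:6 + nlen].decode()
    return flags, name, data[6 + nlen:6 + nlen + CHECKSUM_LEN]


def ticket_checksum(krbtgt_key: bytes, flags: int, cname: str) -> bytes:
    """KDC-only signature over the ticket body (checksum field zeroed); models the
    ticket signature Microsoft's fix adds so the KDC can detect a re-encrypted ticket."""
    body = pack_enc_part(flags, cname, bytes(CHECKSUM_LEN))
    return hmac.new(krbtgt_key, body, hashlib.sha256).digest()


def kdc_s4u2self(service_key: bytes, krbtgt_key: bytes, cname: str, sign: bool) -> bytes:
    """S4U2self reply: a ticket for `cname` to the requesting service. The KDC
    withholds FORWARDABLE because the service is not trusted for protocol
    transition, or the user is sensitive / in Protected Users."""
    flags = RENEWABLE | PRE_AUTHENT
    cs = ticket_checksum(krbtgt_key, flags, cname) if sign else bytes(CHECKSUM_LEN)
    return encrypt(service_key, pack_enc_part(flags, cname, cs))


def bronze_bit(service_key: bytes, ticket: bytes) -> bytes:
    """Attacker step: with the compromised service's key, decrypt the S4U2self
    ticket, set the forwardable bit, and re-encrypt it under the same key."""
    flags, cname, cs = unpack_enc_part(decrypt(service_key, ticket))
    return encrypt(service_key, pack_enc_part(flags | FORWARDABLE, cname, cs))


def kdc_s4u2proxy(service_key: bytes, krbtgt_key: bytes, ticket: bytes, enforce: bool) -> str:
    """KDC check on the additional ticket presented in an S4U2proxy request."""
    flags, cname, cs = unpack_enc_part(decrypt(service_key, ticket))
    if enforce and not hmac.compare_digest(cs, ticket_checksum(krbtgt_key, flags, cname)):
        return "KDC_ERR: ticket signature invalid"
    if not flags & FORWARDABLE:
        return "KDC_ERR_BADOPTION: ticket not forwardable"
    return f"issued: service ticket for {cname} to target service"


def run_scenarios(service_key: bytes = None, krbtgt_key: bytes = None) -> dict:
    """Constructed keys and user name; three outcomes a practitioner should expect."""
    service_key = service_key or os.urandom(32)
    krbtgt_key = krbtgt_key or os.urandom(32)
    user = "Administrator"
    honest = kdc_s4u2self(service_key, krbtgt_key, user, sign=False)
    signed = kdc_s4u2self(service_key, krbtgt_key, user, sign=True)
    return {
        "honest_request": kdc_s4u2proxy(service_key, krbtgt_key, honest, enforce=False),
        "unpatched_kdc": kdc_s4u2proxy(service_key, krbtgt_key, bronze_bit(service_key, honest), enforce=False),
        "patched_kdc": kdc_s4u2proxy(service_key, krbtgt_key, bronze_bit(service_key, signed), enforce=True),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:15s} -> {outcome}")
```

The point the model makes is the one in the text: the service key holder can produce a ticket the KDC accepts because the only integrity check is under a key the attacker has. Once the KDC signs the ticket body with a key the service never sees, the same bit flip is detected, which is why the fix is a KDC-side change rather than something a service can mitigate on its own.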

Mitigation
The fix has the KDC add its own signature to service tickets, so that a ticket re-encrypted by whoever holds the service key is detected. A week after the November 10, 2020 security updates for CVE-2020-17049 were issued, Microsoft also released out-of-band optional updates to fix Kerberos authentication problems that those updates had themselves introduced on impacted Windows devices. Microsoft published patching guidance the same week with additional information on how to fully mitigate Bronze Bit: the fix is rolled out in phases and is only fully effective once all domain controllers are patched and enforcement mode is enabled (the PerformTicketSignature registry value on domain controllers).

To fully address CVE-2020-17049, Microsoft released additional security updates in the December 2020 Patch Tuesday release that provide "fixes for all known issues originally introduced by the November 10, 2020 security updates."

Conclusion
The disclosure and public availability of a proof-of-concept exploit magnifies the risk to sensitive network-connected services, since any service account key obtained during an intrusion can now be turned into access as another user. Experts therefore suggest applying the December 8, 2020 updates released by Microsoft, which fix all known issues related to CVE-2020-17049, on every domain controller, and then completing the enforcement phase described in Microsoft's guidance. In addition, organizations are advised to keep their operating systems and other critical applications up to date.
