Windows Kerberos Bug Fixed in November Out-of-Band Update

Windows Kerberos Bug Fixed in November Out-of-Band Update

Kerberos Authentication Bug

A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).  The update known as CVE-2020-17049  addresses this vulnerability by changing how the KDC validates service tickets used with KCD.

Once deployment of the patch has been made, the following manual steps are then available to fully resolve the vulnerability:

Post-Patch Action

Registry subkey HKEY_LOCAL_MACHINESystemCurrentControlSetServicesKdc

Reboot required: No

Value: PerformTicketSignature

Data type: REG_DWORD

  • 0 – This disables ticket signatures and your domains are not protected. Important Do not use this setting until further notice. There is a known issue that could cause the S4USelf feature of Kerberos to become non-functional.
  • 1 – The fix is enabled on the domain controller but the DC does not require that tickets conform to the fix.
  • 2 – This enables the fix in required mode where all domains must be patched and all DCs require tickets with signatures.

Microsoft does not recommend using the 0 setting due to known issues with the S4USelf feature of Kerberos.

How does this patch affect third-party Kerberos clients?

When the registry key is set to 1, patched domain controllers will issue service tickets and Ticket-Granting Tickets (TGT)s that are not renewable and will refuse to renew existing service tickets and TGTs. Windows clients are not impacted by this since they never renew service tickets or TGTs.

Third-party Kerberos clients may fail to renew service tickets or TGTs acquired from unpatched DCs. If all DCs are patched with the registry set to 1, third-party clients will no longer receive renewable tickets.

Customers using Syxsense Manage or Syxsense Secure will be able to find this patch by searching for CVE-2020-17049.

Experience the Power of Syxsense

Start a trial of Syxsense, which helps organizations from 100 to 100,000 endpoints secure and manage their environment, all from just a web browser.