Microsoft Releases Patching Guidance For Kerberos Security Bug

Microsoft has released additional details on how to fully mitigate a security feature bypass vulnerability in Kerberos KDC (Key Distribution Center) patched during this month’s Patch Tuesday.

The remotely exploitable security bug tracked as CVE-2020-17049 exists in the way KDC decides if service tickets can be used for delegation via Kerberos Constrained Delegation (KCD).

Kerberos is the default authentication protocol for domain connected devices running Windows 2000 or later. Kerberos KDC is a feature that manages service tickets used for encrypting messages between network servers and clients.

Updates needed for mitigation

Microsoft released security updates to address the Kerberos KDC security feature bypass earlier this month, during November 2020’s Patch Tuesday.

However, as Microsoft’s Japan Security Team said, “[a]ddressing this vulnerability requires not only deploying security updates to all DCs (Domain Controllers) and RODCs (Read-Only Domain Controllers) in the forest, but also additional response steps.”

As of November 19, 2020, these are the updates admins can deploy to mitigate the vulnerability on DC and RODC servers on their network.

Windows Server version                 Knowledge Base number
-------------------------------------  ------------------------------------------------
Windows Server 2012                    4586834 (Monthly Rollup), 4586808 (Security Only)
Windows Server 2012 R2                 4586845 (Monthly Rollup), 4586823 (Security Only)
Windows Server 2016                    4586830
Windows Server 2019                    4586793
Windows Server, version 1903 / 1909    4586786
Windows Server, version 2004 / 20H2    4586781

Additional steps for full mitigation

To fully mitigate the vulnerability on impacted domain controller servers, Microsoft also recommends taking extra steps before installing the update.

The additional steps require admins to make sure that the PerformTicketSignature value under the Kdc registry subkey at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc is set to 1, because a value of 0 causes the S4USelf feature of Kerberos to stop working once the update is installed.

The procedure for correctly deploying the CVE-2020-17049 security update therefore involves setting that registry value to 1 before installing the actual update on DC servers:

  1. Locate the Kdc registry subkey and, if it exists on the system, ensure that PerformTicketSignature is set to 1.
  2. Complete the deployment to all DCs (and Read-Only DCs) in your forest.
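The registry check in step 1 has to be repeated on every DC and RODC in the forest, so it is worth scripting. The following PowerShell script is an added example, not Microsoft's guidance text or the article's own code. It assumes the ActiveDirectory RSAT module is installed, that PowerShell Remoting (WinRM) is reachable on each DC, and that the caller has rights to read and write HKLM on those servers. By default it only reports; with -Remediate it sets an existing value of 0 to 1, following the step above that applies only when the value already exists.

```powershell
# Added example (not Microsoft's or the article author's code): audit, and optionally set,
# the PerformTicketSignature value under the Kdc subkey on every DC/RODC in the forest.
# Assumptions: ActiveDirectory module present, WinRM reachable on each DC, HKLM write rights.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # without -Remediate the script only reports
)

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'PerformTicketSignature'

Import-Module ActiveDirectory -ErrorAction Stop

# Enumerate every domain controller (writable and read-only) in every domain of the forest.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$report = foreach ($dc in $dcs) {
    $state = [ordered]@{
        DC     = $dc.HostName
        IsRODC = $dc.IsReadOnly
        Value  = $null        # $null means the value is not present on that server
        Status = 'Unknown'
    }
    try {
        $state.Value = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            param($Key, $Name)
            # Get-ItemProperty returns $null when either the subkey or the value is missing.
            $prop = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
            if ($null -eq $prop) { $null } else { [int]$prop.$Name }
        } -ArgumentList $KdcKey, $ValueName

        if ($null -eq $state.Value) {
            # Step 1 applies only when the value already exists, so an absent value is
            # reported rather than created.
            $state.Status = 'NotPresent'
        }
        elseif ($state.Value -eq 1) {
            $state.Status = 'Compliant'
        }
        else {
            # A value of 0 breaks S4USelf once the CVE-2020-17049 update is installed.
            $state.Status = 'NonCompliant'
            if ($Remediate -and $PSCmdlet.ShouldProcess($dc.HostName, "Set $ValueName to 1")) {
                Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                    param($Key, $Name)
                    Set-ItemProperty -Path $Key -Name $Name -Value 1 -Type DWord
                } -ArgumentList $KdcKey, $ValueName
                $state.Status = 'Remediated'
            }
        }
    }
    catch {
        $state.Status = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]$state
}

# One row per DC. Anything other than Compliant or Remediated needs attention before the
# CVE-2020-17049 update is rolled out to that server.
$report | Sort-Object Status, DC | Format-Table -AutoSize
```

Run it once without -Remediate to get the forest-wide picture, then with -Remediate -WhatIf to preview the writes before making them; the report lines for RODCs are included because the guidance explicitly covers them.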

Kerberos authentication issues

However, patching CVE-2020-17049 may cause some domain controllers to encounter Kerberos authentication and Kerberos ticket renewal issues, as Microsoft revealed on the Windows Health Dashboard on November 16.

The issue only impacts Windows Servers, Windows 10 devices, and vulnerable applications in enterprise environments.

Experienced problems include authentication issues when using S4U scenarios, cross-realm referrals failures on both Windows and non-Windows devices for Kerberos referral tickets, as well as certain non-compliant Kerberos tickets being rejected, depending on the value of the PerformTicketSignature setting.

More details on potential issues that might be experienced after installing the CVE-2020-17049 security updates can be found here.

Two days later, the company released out-of-band (OOB) updates to address the Kerberos auth issues on all affected Windows Server versions, from Windows Server 2012 up to Windows Server 20H2.

The full list of affected Windows Server versions is available in the table below, together with the updates causing the issue and the optional OOB updates that mitigate the issue.

Affected platforms

Server                             Originating update   OOB optional update
---------------------------------  -------------------  -------------------
Windows Server, version 20H2       KB4586781            KB4594440*
Windows Server, version 2004       KB4586781            KB4594440*
Windows Server, version 1909       KB4586786            KB4594443*
Windows Server, version 1903       KB4586786            KB4594443*
Windows Server, version 1809       KB4586793            KB4594442
Windows Server, version 1607       KB4586830            KB4594441*
Windows Server 2019                KB4586793            KB4594442
Windows Server 2016                KB4586830            KB4594441*
Windows Server 2012 R2             KB4586845            KB4594439
Windows Server 2012                KB4586834            KB4594438

* Updates released one day later to address the issue on all impacted Windows Server versions.

These OOB updates cannot be installed via the Windows Update or Microsoft Update channels, because they are only available as stand-alone packages distributed through the Microsoft Update Catalog.
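Because the OOB packages are not delivered through Windows Update, nothing will tell admins which DCs still carry only the originating update. The PowerShell script below is an added example, not Microsoft's or the article's code: it maps each DC's OS build number to the rows of the tables above and reports whether the originating update and the OOB update are installed. The build-number-to-version mapping is standard Windows build numbering and is an assumption of this example rather than something the article states; the KB numbers come from the tables above.

```powershell
# Added example (not Microsoft's or the article author's code): inventory the November 2020
# Kerberos updates on every DC against the article's tables.
# Assumptions: ActiveDirectory module present, CIM/WMI reachable on each DC, and the
# OS build -> version mapping below (standard Windows build numbers, assumed here).
Import-Module ActiveDirectory -ErrorAction Stop

# OS build number -> version label, originating KB(s), OOB KB (KB numbers from the article).
$Catalog = @{
    '9200'  = @{ Label = 'Windows Server 2012';          Originating = @('KB4586834', 'KB4586808'); OOB = 'KB4594438' }
    '9600'  = @{ Label = 'Windows Server 2012 R2';       Originating = @('KB4586845', 'KB4586823'); OOB = 'KB4594439' }
    '14393' = @{ Label = 'Windows Server 2016 / 1607';   Originating = @('KB4586830');              OOB = 'KB4594441' }
    '17763' = @{ Label = 'Windows Server 2019 / 1809';   Originating = @('KB4586793');              OOB = 'KB4594442' }
    '18362' = @{ Label = 'Windows Server, version 1903'; Originating = @('KB4586786');              OOB = 'KB4594443' }
    '18363' = @{ Label = 'Windows Server, version 1909'; Originating = @('KB4586786');              OOB = 'KB4594443' }
    '19041' = @{ Label = 'Windows Server, version 2004'; Originating = @('KB4586781');              OOB = 'KB4594440' }
    '19042' = @{ Label = 'Windows Server, version 20H2'; Originating = @('KB4586781');              OOB = 'KB4594440' }
}

$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$report = foreach ($dc in $dcs) {
    $row = [ordered]@{ DC = $dc.HostName; Version = '?'; Originating = '-'; OOB = '-'; Status = 'Unknown' }
    try {
        $os    = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $dc.HostName -ErrorAction Stop
        $entry = $Catalog[[string]$os.BuildNumber]
        if ($null -eq $entry) {
            # A build the tables do not list (e.g. a newer release) is flagged rather than guessed at.
            $row.Version = "$($os.Caption) (build $($os.BuildNumber))"
            $row.Status  = 'NotInTable'
        }
        else {
            $row.Version = $entry.Label
            # Get-HotFix reads Win32_QuickFixEngineering; a KB that is not installed simply does not appear.
            $installed = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                         Select-Object -ExpandProperty HotFixID

            $present = @($entry.Originating | Where-Object { $installed -contains $_ })
            if ($present.Count -gt 0) { $row.Originating = $present -join ',' }
            if ($installed -contains $entry.OOB) { $row.OOB = $entry.OOB }

            $row.Status = if ($row.OOB -ne '-')          { 'OOBInstalled' }   # auth issue addressed
                          elseif ($row.Originating -ne '-') { 'NeedsOOB' }    # carries the update that introduced the issue
                          else                              { 'Unpatched' }   # CVE-2020-17049 fix not present
        }
    }
    catch {
        $row.Status = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}

$report | Sort-Object Status, DC | Format-Table -AutoSize
```

Servers reported as NeedsOOB are the ones to download the matching catalog package for; Unpatched servers still need the PerformTicketSignature check from the earlier section before the originating update goes on. Note that Win32_QuickFixEngineering can lag behind very recent installs until the server reboots, so treat a surprising result as a prompt to verify on the box.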
