In this article
- Summary
- Identifying explicitly set session key encryption types
- Registry key settings
- Windows events related to CVE-2022-37966
- Frequently asked questions (FAQs) and known issues
- Glossary
Summary
The Windows updates released on or after November 8, 2022 address security bypass and elevation of privilege vulnerabilities in authentication negotiation that rely on weak RC4-HMAC negotiation.
This update sets AES as the default encryption type for session keys on accounts that are not already marked with a default encryption type.
To help protect your environment, install the Windows update released on November 8, 2022 or a later Windows update on all devices, including domain controllers.
For more information about these vulnerabilities, see CVE-2022-37966.
Identifying explicitly set session key encryption types
You may have explicitly set encryption types on your user accounts that are vulnerable to CVE-2022-37966. Look for accounts where DES or RC4 is explicitly enabled but AES is not, using the following Active Directory query (the -bor filter operator matches any of the given bits, so the query returns objects with any DES/RC4 bit of mask 0x7 set and no AES bit of mask 0x18 set):
- Get-ADObject -Filter "msDS-supportedEncryptionTypes -bor 0x7 -and -not msDS-supportedEncryptionTypes -bor 0x18"
Registry key settings
After installing the Windows updates released on or after November 8, 2022, the following registry key is available for the Kerberos protocol:
DefaultDomainSupportedEncTypes
Registry key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KDC |
Value | DefaultDomainSupportedEncTypes |
Data type | REG_DWORD |
Data value | 0x27 (default) |
Restart required? | No |
Note: If you need to change the default supported encryption type for an Active Directory user or computer, manually add and set the registry key to the new supported encryption type.
For information about the supported encryption types that you can configure manually, see Supported encryption type bit flags. For more information, see What should you do first to help prepare your environment and prevent Kerberos authentication issues?
Windows events related to CVE-2022-37966
Kerberos Key Distribution Center lacks strong keys for account
Event log | System |
Event type | Error |
Event source | Kdcsvc |
Event ID | 42 |
Event text | The Kerberos Key Distribution Center lacks strong keys for account: account name. You must update the password of this account to prevent use of insecure cryptography. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more. |
If you encounter this error, you probably need to reset your krbtgt password. For more information, see the New-KrbtgtKeys.ps1 topic on GitHub.
Frequently asked questions (FAQs) and known issues
Accounts that are marked for explicit RC4 usage may be vulnerable. Additionally, environments that do not have AES session keys in the krbtgt account may be vulnerable. To mitigate this issue, follow the guidance on how to identify vulnerabilities and use the Registry key settings section to update explicitly set default encryption types.
You must ensure that all your devices have a common Kerberos encryption type. For more information about Kerberos encryption types, see Decrypting the selection of supported Kerberos encryption types.
Environments without a common Kerberos encryption type may previously have worked because RC4 was automatically added, or because AES was added when RC4 was disabled by the domain controller's group policy. This behavior changed with the updates released on or after November 8, 2022; the domain controller now strictly follows what is set in the msds-SupportedEncryptionTypes attribute and the DefaultDomainSupportedEncTypes registry key.
If the account does not have msds-SupportedEncryptionTypes set, or it is set to 0, domain controllers assume the default value of 0x27 (39), or the domain controller uses the setting in the DefaultDomainSupportedEncTypes registry key.
If the account has msds-SupportedEncryptionTypes set, that setting is honored. This may expose a failure to configure a common Kerberos encryption type that was masked by the previous behavior of automatically adding RC4 or AES; that behavior no longer applies after installing updates released on or after November 8, 2022.
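The two rules above (the Get-ADObject filter for accounts that explicitly allow only DES/RC4, and the "absent or 0 means the domain default" rule for msds-SupportedEncryptionTypes) can be exercised offline with the following PowerShell script. This is an added example, not code from the KB article: the bit-to-name mapping follows the MS-KILE supported encryption type flags (the article itself only uses the masks 0x7 and 0x18 and the default 0x27), the function names are my own, and the sample accounts are constructed rather than read from a directory.

```powershell
# Added example (not from the KB article). Decodes msDS-SupportedEncryptionTypes,
# applies the "absent or 0 means the domain default" rule, and checks whether
# two principals still share an encryption type. Bit names follow MS-KILE;
# the 0x20 flag is the AES256 session-key indicator.
$EncTypeBits = [ordered]@{
    DES_CBC_CRC                = 0x01
    DES_CBC_MD5                = 0x02
    RC4_HMAC                   = 0x04
    AES128_CTS_HMAC_SHA1_96    = 0x08
    AES256_CTS_HMAC_SHA1_96    = 0x10
    AES256_CTS_HMAC_SHA1_96_SK = 0x20
}

function ConvertFrom-SupportedEncTypes {
    # Names of the flags set in a msDS-SupportedEncryptionTypes value.
    param([int]$Value)
    foreach ($entry in $EncTypeBits.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $entry.Key }
    }
}

function Get-EffectiveEncTypes {
    # Missing or 0 falls back to the domain default: 0x27, or whatever
    # DefaultDomainSupportedEncTypes is set to on the KDC. Any other value is honoured as-is.
    param([Nullable[int]]$AttributeValue, [int]$DomainDefault = 0x27)
    if ($null -eq $AttributeValue -or $AttributeValue -eq 0) { return $DomainDefault }
    return $AttributeValue
}

function Test-ExplicitWeakOnly {
    # Same condition as the Get-ADObject filter in the article:
    # a DES/RC4 bit (mask 0x7) is set and no AES bit (mask 0x18) is set.
    param([int]$Value)
    return ((($Value -band 0x7) -ne 0) -and (($Value -band 0x18) -eq 0))
}

function Find-CommonEncTypes {
    # Encryption types two principals can both use; an empty result is the
    # situation that Event ID 27 reports after the November 2022 updates.
    param([int]$ClientTypes, [int]$ServiceTypes)
    ConvertFrom-SupportedEncTypes ($ClientTypes -band $ServiceTypes)
}

# Constructed sample accounts, not real directory data.
$samples = @(
    [pscustomobject]@{ Name = 'svc-legacy'; Value = 0x4  }   # explicit RC4 only
    [pscustomobject]@{ Name = 'svc-aes';    Value = 0x18 }   # explicit AES128 + AES256
    [pscustomobject]@{ Name = 'svc-unset';  Value = $null }  # attribute not set
)
foreach ($s in $samples) {
    $effective = Get-EffectiveEncTypes -AttributeValue $s.Value
    $weakOnly = 'n/a'   # the article's filter only applies to explicitly set values
    if ($null -ne $s.Value) { $weakOnly = Test-ExplicitWeakOnly $s.Value }
    [pscustomobject]@{
        Name             = $s.Name
        Effective        = '0x{0:x}' -f $effective
        EffectiveTypes   = (ConvertFrom-SupportedEncTypes $effective) -join ','
        ExplicitWeakOnly = $weakOnly
    }
}
# svc-aes and svc-legacy share no encryption type: the case Event ID 27 reports.
'Common types, svc-aes vs svc-legacy: ' + ((Find-CommonEncTypes 0x18 0x4) -join ',')
```

To run the same checks against real accounts, replace the constructed `$samples` list with the output of the article's query, adding `-Properties msDS-SupportedEncryptionTypes` to `Get-ADObject` so the attribute is returned.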
For information on how to verify that you have a common Kerberos encryption type, see the question How can I verify that all my devices have a common Kerberos encryption type?
See the previous question for more information about why your devices might not have a common Kerberos encryption type after installing updates released on or after November 8, 2022.
If you have already installed updates released on or after November 8, 2022, you can detect devices that do not share a common Kerberos encryption type by looking for Event ID 27 in the Microsoft-Windows-Kerberos-Key-Distribution-Center event log; this event identifies disjoint encryption types between Kerberos clients and remote servers or services.
Installing updates released on or after November 8, 2022 on domain controller role servers or on clients should not affect Kerberos authentication in your environment.
To resolve this known issue, open a Command Prompt window as administrator and temporarily use the following command to set the registry key KrbtgtFullPacSignature to 0:
- reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD
Note: Once this known issue is resolved, you should set KrbtgtFullPacSignature to a higher setting, depending on what your environment allows. We recommend that you enable Enforcement mode as soon as your environment is ready.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
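To record a domain controller's state with respect to the two registry values discussed in this article (DefaultDomainSupportedEncTypes from the Registry key settings section and KrbtgtFullPacSignature from the workaround above) and to collect the related Kerberos Key Distribution Center events (Event ID 42 for missing strong keys, Event ID 27 for a missing common encryption type), the following PowerShell script can be run in an elevated session on a domain controller. This is an added example, not code from the KB article; the function names are my own, and the 0x18 value in the commented-out call is an illustrative AES-only setting, not a recommendation from the article.

```powershell
# Added example (not from the KB article). Run in an elevated PowerShell session
# on a domain controller after the November 8, 2022 updates.
$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'

function Get-KdcHardeningState {
    # Reads the two values from the article's registry table; a missing
    # DefaultDomainSupportedEncTypes means the built-in default 0x27 applies.
    $props = Get-ItemProperty -Path $KdcKey -ErrorAction SilentlyContinue
    $encTypes = if ($null -ne $props.DefaultDomainSupportedEncTypes) {
        '0x{0:x}' -f $props.DefaultDomainSupportedEncTypes
    } else { '(not set; default 0x27)' }
    $pacSig = if ($null -ne $props.KrbtgtFullPacSignature) {
        $props.KrbtgtFullPacSignature
    } else { '(not set)' }
    [pscustomobject]@{
        ComputerName                   = $env:COMPUTERNAME
        DefaultDomainSupportedEncTypes = $encTypes
        KrbtgtFullPacSignature         = $pacSig
    }
}

function Get-KdcEncTypeEvents {
    # Event ID 42 (source Kdcsvc): an account, typically krbtgt, lacks strong keys.
    # Event ID 27 (Microsoft-Windows-Kerberos-Key-Distribution-Center): client and
    # service share no encryption type. Both are written to the System log.
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'System'
        Id        = 27, 42
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Set-DefaultDomainSupportedEncTypes {
    # Creates or updates the REG_DWORD value described in the article's table.
    # No restart is required, but the value applies to every account in the domain
    # that has no explicit msds-SupportedEncryptionTypes, so verify common types first.
    param([Parameter(Mandatory)][int]$Value)
    if (-not (Test-Path $KdcKey)) { New-Item -Path $KdcKey -Force | Out-Null }
    New-ItemProperty -Path $KdcKey -Name 'DefaultDomainSupportedEncTypes' `
        -PropertyType DWord -Value $Value -Force | Out-Null
    Get-KdcHardeningState
}

Get-KdcHardeningState
Get-KdcEncTypeEvents -Days 30 | Format-Table -AutoSize -Wrap
# Set-DefaultDomainSupportedEncTypes -Value 0x18   # illustrative AES-only default; use only after checking common types
```

Running the first two calls before and after the update gives a record of which default was in force and whether Event ID 27 started appearing, which is the evidence the questions above ask you to gather before changing any encryption type setting.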
After installing the updates released on or after November 8, 2022 on your domain controllers, all devices must support AES ticket signing, as required to comply with the security hardening for CVE-2022-37967.
Next steps: If you are already running the latest software and firmware for your non-Windows devices and have verified that a common encryption type is available between your Windows domain controllers and your non-Windows devices, you will need to contact the device manufacturer (OEM) for support or replace the devices with compatible ones.
Important: We do not recommend using any workaround to allow unsupported devices to authenticate, as this might leave your environment vulnerable.
Unsupported versions of Windows, including Windows XP, Windows Server 2003, Windows Server 2008 SP2, and Windows Server 2008 R2 SP1, cannot be accessed from up-to-date Windows devices unless you have an ESU license. If you have an ESU license, you must install the updates released on or after November 8, 2022 and verify that your configuration has a common encryption type available for all devices.
Next steps: Install updates, if they are available for your version of Windows and you have the applicable ESU license. If updates are not available, you will need to upgrade to a supported version of Windows or move any application or service to a supported device.
Important: We do not recommend using any workaround to allow unsupported devices to authenticate, as this might leave your environment vulnerable.
This known issue is resolved in the out-of-band updates released November 17, 2022 and November 18, 2022 for installation on all domain controllers in your environment. You do not need to install any update or make any changes to other servers or client devices in your environment to resolve this issue. If you used any workaround or mitigations for this issue, they are no longer needed, and we recommend that you remove them.
To get the standalone package for these out-of-band updates, search for the KB number in the Microsoft Update Catalog. You can manually import these updates into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. For WSUS instructions, see WSUS and the Catalog Site. For Configuration Manager instructions, see Import updates from the Microsoft Update Catalog.
Note: The following updates are not available from Windows Update and will not install automatically.
Cumulative updates:
- Windows Server 2022: KB5021656
- Windows Server 2019: KB5021655
- Windows Server 2016: KB5021654
Note: You do not need to apply any previous update before installing these cumulative updates. If you have already installed the updates released on November 8, 2022, you do not need to uninstall the affected updates before installing any later updates, including the updates listed above.
Standalone updates:
- Windows Server 2012 R2: KB5021653
- Windows Server 2012: KB5021652
- Windows Server 2008 R2 SP1: KB5021651 (released November 18, 2022)
- Windows Server 2008 SP2: KB5021657
Note:
- If you use security-only updates for these versions of Windows Server, you only need to install these standalone updates for the month of November 2022. Security-only updates are not cumulative, and you will also need to install any previous security-only updates to be fully up to date. Monthly rollup updates are cumulative and include security and all quality updates.
- If you use monthly rollup updates, you will need to install both the standalone updates listed above to resolve this issue, and install the monthly rollups released on November 8, 2022 to receive the quality updates for November 2022. If you have already installed the updates released on November 8, 2022, you do not need to uninstall the affected updates before installing any later updates, including the updates listed above.
If you have verified your environment's configuration and are still encountering issues with a non-Microsoft implementation of Kerberos, you will need updates or support from the application developer or device manufacturer.
This known issue can be resolved by doing one of the following:
- Set msds-SupportedEncryptionTypes with bitwise OR to the current default of 0x27 to preserve its current value. For example:
  msds-SupportedEncryptionTypes -bor 0x27
- Set msds-SupportedEncryptionTypes to 0 to let domain controllers use the default value of 0x27.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Glossary
Advanced Encryption Standard (AES) is a block cipher that supersedes the Data Encryption Standard (DES). AES can be used to protect electronic data. The AES algorithm can be used to encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext. AES is used in symmetric-key cryptography, meaning that the same key is used for the encryption and decryption operations. It is also a block cipher, meaning that it operates on fixed-size blocks of plaintext and ciphertext and requires the size of the plaintext as well as the ciphertext to be an exact multiple of this block size. AES is also known as the Rijndael symmetric encryption algorithm [FIPS197].
Kerberos is a computer network authentication protocol that works on the basis of "tickets" to allow nodes communicating over a network to prove their identity to one another in a secure manner.
The Key Distribution Center (KDC) is the Kerberos service that implements the authentication and ticket-granting services specified in the Kerberos protocol. The service runs on computers selected by the administrator of the realm or domain; it is not present on every computer on the network. It must have access to an account database for the realm that it serves. KDCs are integrated into the domain controller role. It is a network service that supplies tickets to clients for use in authenticating to services.
RC4-HMAC (RC4) is a variable key-length symmetric encryption algorithm. For more information, see [SCHNEIER] section 17.1.
A session key is a relatively short-lived symmetric key (a cryptographic key negotiated by the client and the server based on a shared secret). A session key's lifespan is bounded by the session to which it is associated. A session key must be strong enough to withstand cryptanalysis for the lifespan of the session.
A ticket-granting ticket (TGT) is a special type of ticket that can be used to obtain other tickets. The TGT is obtained after the initial authentication in the Authentication Service (AS) exchange; thereafter, users do not need to present their credentials, but can use the TGT to obtain subsequent tickets.
FAQs
What is CVE-2022-37966?
Certain versions of Fedora from Fedoraproject contain the following vulnerability: Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability. CVE-2022-37966 has been assigned by secure@microsoft.com to track the vulnerability, which is currently rated as HIGH severity.
How do I manage Kerberos protocol changes?
- UPDATE your Windows domain controllers with a Windows update released on or after November 8, 2022.
- MOVE your Windows domain controllers to Audit mode by using the Registry Key setting section.
- MONITOR events filed during Audit mode to secure your environment.
Resolution: To resolve this problem, update the registry on each computer that participates in the Kerberos authentication process, including the client computers. We recommend that you update all of your Windows-based systems, especially if your users have to log on across multiple domains or forests.
What happened to Kerberos authentication after installing the November 2022 OOB updates (Microsoft Community Hub)?
With the November 2022 security update, some things were changed as to how the Kerberos Key Distribution Center (KDC) Service on the Domain Controller determines what encryption types are supported by the KDC and what encryption types are supported by default for users, computers, Group Managed Service Accounts (gMSA), ...
What does CVE stand for?
Common Vulnerabilities and Exposures (CVE).
Where is Kerberos used?
Although Kerberos is found everywhere in the digital world, it is employed heavily on secure systems that depend on reliable auditing and authentication features. Kerberos is used in POSIX authentication, Active Directory, NFS, and Samba. It is also an alternative authentication system to SSH, POP, and SMTP.
Why is Kerberos on my computer?
Kerberos is used to authenticate entities requesting access to network resources, especially in large networks, to support SSO. The protocol is used by default in many widely used networking systems. Some systems in which Kerberos support is incorporated or available include the following: Amazon Web Services.
How do I check my Kerberos settings?
- In the administrative console, click Security > Global security.
- From Authentication, click Kerberos configuration.
- Enter your Kerberos service name. ...
- Enter the Kerberos configuration file name or click Browse to locate it. ...
- Optional: Enter the Kerberos keytab file name or click Browse to locate it.
How to check and delete Kerberos tickets: To view or delete Kerberos tickets, you can use the Kerberos List tool (Klist.exe). Klist.exe is a command-line tool you can find in the Kerberos resource kit. You can only use it to check and delete tickets from the current logon session.
How do I reset my Kerberos cache?
Open Microsoft PowerShell and run the command klist purge to clear the Kerberos ticket cache.
How do I disable Kerberos authentication in Chrome?
- Navigate through the menu bar to Tools -> Internet Options -> Security.
- Select Local Intranet and click the "Custom Level" button.
- Scroll to the bottom of the window to the User Authentication section and select "Prompt for user name and password".
- Click OK, Apply, and OK to save the changes.
This problem can occur when a domain controller does not have a certificate installed for smart card authentication (for example, with a "Domain Controller" or "Domain Controller Authentication" template), the user's password has expired, or the wrong password was provided.
Should I disable the Krbtgt account?
Every AD domain has an associated KRBTGT account that is used to encrypt and sign all Kerberos tickets for the domain. The KRBTGT account should stay disabled.
How do I know if Kerberos authentication is working?
To determine whether a problem is occurring with Kerberos authentication, check the System event log for errors from any services (such as Kerberos, kdc, LsaSrv, or Netlogon) on the client, target server, or domain controller that provide authentication.
Do hackers use CVE?
Can hackers use CVE to attack my organization? Yes, hackers can use CVE to attack your organization. While it works to your benefit to identify vulnerabilities, hackers are also on the lookout for which of these vulnerabilities they can exploit.
Who would dispute a CVE?
Incomplete information: A published CVE Record may lack sufficient information for the vulnerability to be re-created by a CVE Program stakeholder. In this case, the technology vendor, maintainer, or third party may dispute the CVE Record.
Who is behind CVE?
CVE is sponsored by the US Federal Government, with both the US Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) contributing operating funds. CVE is publicly available and free for anyone to use.
What port does Kerberos run on?
Kerberos clients need to send UDP and TCP packets on port 88 and receive replies from the Kerberos servers.
What port uses Kerberos?
Ports 88 and 464 are the standard ports for Kerberos authentication. These ports are configurable. Port 464 is only required for password change operations. Ports 88 and 464 can use either the TCP or UDP protocol depending on the packet size and your Kerberos configuration; see Section 2.2.
What is an example of Kerberos?
Kerberos implementations are used on a number of operating systems and networking systems to verify user accounts. Examples include Amazon Web Services (AWS) and Google Cloud.
Has Kerberos been hacked?
Yes. Because it is one of the most widely used authentication protocols, hackers have developed several ways to break into Kerberos. Most of these hacks take advantage of a vulnerability, weak passwords, or malware, sometimes a combination of all three.
Why is Kerberos installed on my Mac?
The Kerberos SSO extension also helps your users manage their Active Directory accounts. Additionally, it allows users to change their Active Directory passwords and notifies them when a password is close to expiring.
What are Kerberos attacks?
This kind of Kerberos attack extracts service account credentials by combining weak encryption with poor service account passwords.
Which tool should you use to enable Kerberos security?
The section Web Services Authentication provides information about Kerberos authentication in web services published by Virtual DataPort. To configure the Administration Tool, click the menu Tools > Admin Tool preferences. In this wizard, provide the following details: Select Kerberos authentication.
How do I know if Kerberos is enabled in Windows?
These policy settings are located in \Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy.
How do I disable Kerberos logging?
To deactivate Kerberos event logging, delete the LogLevel registry key value or change its value data to 0.
How do I open Kerberos Configuration Manager?
...
To generate the SPN list from the command line:
- Go to the command line. Note. ...
- Switch to the folder that contains KerberosConfigMgr.exe.
- Enter KerberosConfigMgr.exe -q -l.
- For more command-line options, type KerberosConfigMgr.exe -h.
The cached credentials are stored in the local machine's registry inside the HKEY_LOCAL_MACHINE\Security\Cache key, which contains sub-keys NL$1 to NL$10. The last 10 users' login username and password verifier are stored as the values of each of these keys.
How do I start Kerberos Configuration Manager?
- After the installation completes successfully, double-click KerberosConfigMgr.exe to launch the application.
- To troubleshoot a connectivity issue with SQL Server, connect to the target computer with a domain user account that has user permission on that computer.
Google Chrome supports Kerberos authentication. If you configure Internet Explorer, then no additional settings are required for Google Chrome, because it uses the Internet Explorer settings.
How do I enable Kerberos authentication in Chrome?
How to Enable Kerberos Authentication in Google Chrome: You can configure these settings using a GPO for Chrome (the AuthServerWhitelist policy) or using the registry parameter AuthNegotiateDelegateWhitelist located in the registry key HKLM\SOFTWARE\Policies\Google\Chrome (see How to deploy registry keys using GPO).
How do I enable Kerberos in my browser?
- Go to Control Panel and select Internet Options > Advanced.
- On the Advanced tab, in the Security section, select Enable Integrated Windows Authentication (requires restart).
The main difference between NTLM and Kerberos is in how the two protocols manage authentication. NTLM relies on a three-way handshake between the client and server to authenticate a user. Kerberos uses a two-part process that leverages a ticket granting service or key distribution center.
Why do I keep getting "authentication failed"?
An "Authentication Failed" error means the email server cannot verify that your email access is authorized. This is typically due to a mistyped password, but it can also be caused by an incorrect username, connecting to the wrong server, or blacklisting.
What causes authentication failure?
If you receive this error message, it means that the username and/or password that you entered is incorrect. The error message states "Authentication failed! Try again." You may have locked your account after too many attempts, and your account will need to be reset.
What is the main drawback of using Kerberos?
The primary weakness of Kerberos is that the KDC stores the keys of all principals (clients and servers). A compromise of the KDC (physical or electronic) can lead to the compromise of every key in the Kerberos realm. The KDC and TGS are also single points of failure: if they go down, no new credentials can be issued.
Why should I use Kerberos?
Kerberos is designed to completely avoid storing any passwords locally or having to send any passwords through the internet, and it provides mutual authentication, meaning both the user's and the server's authenticity are verified.
Should I disable Security Accounts Manager?
Is it OK to disable the Security Accounts Manager service? The service's description states: Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled.
Should I disable the domain administrator account?
The built-in Administrator is basically a setup and disaster recovery account. You should use it during setup and to join the machine to the domain. After that you should never use it again, so disable it.
Does Windows 10 use Kerberos?
Beginning with Windows 10 version 1507 and Windows Server 2016, Kerberos clients can be configured to support IPv4 and IPv6 hostnames in SPNs. By default, Windows will not attempt Kerberos authentication for a host if the hostname is an IP address.
What is the CVE for PrintNightmare?
(Updated July 2, 2021) For new information and mitigations, see Microsoft's updated guidance for the Print Spooler vulnerability (CVE-2021-34527).
What is the CVE for Log4j?
CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints. Log4j2 allows Lookup expressions in the data being logged, exposing the JNDI vulnerability, as well as other problems, to be exploited by end users whose input is being logged.
What does CVE-2022-1096 do?
Certain versions of Chrome from Google contain the following vulnerability: Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
What CVE is PrintNightmare?
PrintNightmare was a critical security vulnerability affecting the Microsoft Windows operating system. The vulnerability occurred within the Print Spooler service. There were two variants, one permitting remote code execution (CVE-2021-34527), and the other leading to privilege escalation (CVE-2021-1675).
How serious is PrintNightmare?
PrintNightmare is considered extremely dangerous for two main reasons. First, Windows Print Spooler being enabled by default on all Windows-based systems, including domain controllers and computers with system admin privileges, makes all such computers vulnerable.
Is PrintNightmare still a thing?
Microsoft's PrintNightmare update is causing a lot of problems with network printers mapped on a print server (Microsoft Q&A).
Which software is vulnerable to Log4j?
# | Vendor | Software |
---|---|---|
1 | Alertus | Alertus Console |
2 | Amazon Web Services | Amazon Linux AMI |
3 | Amazon Web Services | Amazon Linux AMI |
4 | Amazon Web Services | Amazon Linux AMI |
You can safely remove these files. Also, these files do not include log4j-core-2.7.jar, which is the jar containing the vulnerability, so there is no exploit risk.
Who is vulnerable to Log4j?
Any business that uses a vulnerable Log4j library to parse log data in their backend systems is vulnerable to a Log4j cyberattack. This logger is capable of executing code based on input, and because the vulnerability allows attackers to manipulate input data, the logger could be forced to execute malicious code.
Is Google aware that an exploit for CVE-2022-1096 exists in the wild?
"Google is aware that an exploit for CVE-2022-1096 exists in the wild," the company notes in its advisory, without providing further details on the vulnerability itself or on the observed exploitation. A patch for this flaw has been included in Chrome 99.0.
What is the latest Google Chrome vulnerability?
Google Chrome "SymStealer" Vulnerability: How to Protect Your Files from Being Stolen. The Imperva Red Team recently disclosed a vulnerability, dubbed CVE-2022-3656, affecting over 2.5 billion users of Google Chrome and Chromium-based browsers.
Is PrintNightmare fixed?
In June of 2021, after we installed a patch from MS, users could not connect to network printers without having admin rights. Per Microsoft, the patch named KB5005625, released on Sept 21, 2021 and superseded by KB5012647, would fix the issue for good.
Does Microsoft use CVE?
November 8, 2022 update: Microsoft released security updates for CVE-2022-41040 and CVE-2022-41082. We recommend that customers protect their organizations by applying the updates immediately to affected systems.
Can PrintNightmare be exploited remotely?
To exploit the PrintNightmare vulnerability using the MS-PAR protocol, the attacker will need: the Print Spooler service running on the target machine and allowing remote connections (enabled by default), and the username and password of any user in the domain.