ID

VAR-201411-0154


CVE

CVE-2014-6324


TITLE

Microsoft Windows Kerberos Key Distribution Center (KDC) fails to properly validate Privilege Attribute Certificate (PAC) signature

Trust: 0.8

sources: CERT/CC: VU#213119

DESCRIPTION

The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka "Kerberos Checksum Vulnerability." The Kerberos Key Distribution Center (KDC) in Microsoft Windows contains a vulnerability in which Privilege Attribute Certificate (PAC) signatures are not verified. The KDC does not properly verify the signature of the PAC included in a Kerberos ticket request (CWE-347). By crafting the information contained in the PAC, users with domain credentials may gain higher privileges. CWE-347: Improper Verification of Cryptographic Signature https://cwe.mitre.org/data/definitions/347.html According to the developer, attack activity using this vulnerability has been confirmed. More information on the vulnerability is given in the Microsoft Security Research and Defense Blog: Additional information about CVE-2014-6324 http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx Users with domain credentials can gain domain administrator privileges and take over all computers in the domain, including domain controllers. Microsoft Windows is prone to a remote privilege-escalation vulnerability. An attacker can exploit this issue to gain elevated privileges within the context of the application; this can result in the attacker gaining complete control of the affected system.

Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04526330

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04526330
Version: 1

HPSBMU03224 rev.1 - HP LoadRunner and Performance Center, Load Generator Virtual Machine Images, running Windows, Remote Elevation of Privilege

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2015-01-23
Last Updated: 2015-01-23

Potential Security Impact: Remote elevation of privilege

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP LoadRunner and Performance Center, Load Generator Virtual Machine Images, running Windows. The vulnerability in Windows running in virtual machine images provided with LoadRunner and Load Generator could be exploited remotely to allow elevation of privilege.

References: CVE-2014-6324, MS14-068, SSRT101864

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Version v12.01 of HP LoadRunner and Performance Center, Load Generator Virtual Machine Images, running Windows

Note: This vulnerability applies to HP LoadRunner and Performance Center, Load Generator Virtual Machine Images, running Windows for version v12.01 only, and only for load generators that are currently deployed in the cloud using the Windows OS.

BACKGROUND
CVSS 2.0 Base Metrics
Reference: CVE-2014-6324, Base Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C), Base Score: 9.0
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
HP has provided the following instructions to resolve the vulnerability in HP LoadRunner and Performance Center, Load Generator Virtual Machine Images, running Windows: https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01291238

Note: The issue is also resolved in HP LoadRunner and Performance Center, Load Generator Virtual Machine Images provided in v12.02 and subsequent versions.

HISTORY
Version:1 (rev.1) - 23 January 2015 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Trust: 2.79

sources: NVD: CVE-2014-6324 // CERT/CC: VU#213119 // JVNDB: JVNDB-2014-005523 // BID: 70958 // VULMON: CVE-2014-6324 // PACKETSTORM: 130297

AFFECTED PRODUCTS

vendor: microsoft | model: windows server 2012 | scope: eq | version: r2

Trust: 2.4

vendor: microsoft | model: windows server 2012 | scope: eq | version: -

Trust: 1.6

vendor: microsoft | model: windows server 2008 | scope: eq | version: r2

Trust: 1.6

vendor: microsoft | model: windows server 2003 | scope: eq | version: sp2

Trust: 1.4

vendor: microsoft | model: windows 8 | scope: eq | version: -

Trust: 1.0

vendor: microsoft | model: windows 8.1 | scope: eq | version: -

Trust: 1.0

vendor: microsoft | model: windows server 2008 | scope: eq | version: -

Trust: 1.0

vendor: microsoft | model: windows server 2003 | scope: eq | version: -

Trust: 1.0

vendor: microsoft | model: windows 7 | scope: eq | version: -

Trust: 1.0

vendor: microsoft | model: - | scope: - | version: -

Trust: 0.8

vendor: hewlett packard | model: hp loadrunner | scope: eq | version: 12.01

Trust: 0.8

vendor: hewlett packard | model: performance center | scope: eq | version: 12.01

Trust: 0.8

vendor: microsoft | model: windows server 2003 | scope: eq | version: for itanium-based systems sp2

Trust: 0.8

vendor: microsoft | model: windows server 2003 | scope: eq | version: x64 edition sp2

Trust: 0.8

vendor: microsoft | model: windows server 2008 | scope: eq | version: for 32-bit systems sp2

Trust: 0.8

vendor: microsoft | model: windows server 2008 | scope: eq | version: for 32-bit systems sp2 (server core install)

Trust: 0.8

vendor: microsoft | model: windows server 2008 | scope: eq | version: for itanium-based systems sp2

Trust: 0.8

vendor: microsoft | model: windows server 2008 | scope: eq | version: for x64-based systems sp2

Trust: 0.8

vendor: microsoft | model: windows server 2008 | scope: eq | version: for x64-based systems sp2 (server core install)

Trust: 0.8

vendor: microsoft | model: windows server 2008 | scope: eq | version: r2 for itanium-based systems sp1

Trust: 0.8

vendor: microsoft | model: windows server 2008 | scope: eq | version: r2 for x64-based systems sp1

Trust: 0.8

vendor: microsoft | model: windows server 2008 | scope: eq | version: r2 for x64-based systems sp1 (server core install)

Trust: 0.8

vendor: microsoft | model: windows server 2012 | scope: eq | version: none

Trust: 0.8

vendor: microsoft | model: windows server 2012 | scope: eq | version: (server core install)

Trust: 0.8

vendor: microsoft | model: windows server 2012 | scope: eq | version: r2 (server core install)

Trust: 0.8

vendor: microsoft | model: windows vista | scope: eq | version: -

Trust: 0.6

vendor: microsoft | model: windows 8.1 | scope: - | version: -

Trust: 0.6

vendor: microsoft | model: windows 8 | scope: - | version: -

Trust: 0.6

vendor: microsoft | model: windows 7 | scope: - | version: -

Trust: 0.6

vendor: microsoft | model: windows server 2008 | scope: eq | version: sp2

Trust: 0.6

vendor: microsoft | model: windows vista edition sp2 | scope: eq | version: x64

Trust: 0.3

vendor: microsoft | model: windows vista sp2 | scope: - | version: -

Trust: 0.3

vendor: microsoft | model: windows server r2 for x64-based systems sp1 | scope: eq | version: 2008

Trust: 0.3

vendor: microsoft | model: windows server for x64-based systems sp2 | scope: eq | version: 2008

Trust: 0.3

vendor: microsoft | model: windows server for itanium-based systems sp2 | scope: eq | version: 2008

Trust: 0.3

vendor: microsoft | model: windows server for 32-bit systems sp2 | scope: eq | version: 2008

Trust: 0.3

vendor: microsoft | model: windows server itanium sp2 | scope: eq | version: 2003

Trust: 0.3

vendor: microsoft | model: windows server sp2 | scope: eq | version: 2003

Trust: 0.3

vendor: microsoft | model: windows for x64-based systems sp1 | scope: eq | version: 7

Trust: 0.3

vendor: microsoft | model: windows for 32-bit systems sp1 | scope: eq | version: 7

Trust: 0.3

vendor: avaya | model: messaging application server | scope: eq | version: 5.2

Trust: 0.3

vendor: avaya | model: meeting exchange webportal | scope: eq | version: -0

Trust: 0.3

vendor: avaya | model: communication server telephony manager | scope: eq | version: 10004.0

Trust: 0.3

vendor: avaya | model: communication server telephony manager | scope: eq | version: 10003.0

Trust: 0.3

vendor: avaya | model: callpilot | scope: eq | version: 5.0

Trust: 0.3

vendor: avaya | model: callpilot | scope: eq | version: 4.0

Trust: 0.3

sources: CERT/CC: VU#213119 // BID: 70958 // JVNDB: JVNDB-2014-005523 // CNNVD: CNNVD-201411-318 // NVD: CVE-2014-6324

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-6324
value: HIGH

Trust: 1.0

NVD: CVE-2014-6324
value: HIGH

Trust: 0.8

IPA: JVNDB-2014-005523
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201411-318
value: CRITICAL

Trust: 0.6

VULMON: CVE-2014-6324
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-6324
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: CVE-2014-6324
severity: HIGH
baseScore: 9.0
vectorString: NONE
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

IPA: JVNDB-2014-005523
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

nvd@nist.gov: CVE-2014-6324
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CERT/CC: VU#213119 // VULMON: CVE-2014-6324 // JVNDB: JVNDB-2014-005523 // CNNVD: CNNVD-201411-318 // NVD: CVE-2014-6324

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

problemtype:CWE-264

Trust: 0.8

sources: JVNDB: JVNDB-2014-005523 // NVD: CVE-2014-6324

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201411-318

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201411-318

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005523

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#213119 // VULMON: CVE-2014-6324

PATCH

title: HPSBMU03224 SSRT101864 | url: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c04526330

Trust: 0.8

title: MS14-068 | url: https://technet.microsoft.com/en-us/library/security/ms14-068.aspx

Trust: 0.8

title: Library [MS-PAC]: Privilege Attribute Certificate Data Structure | url: http://msdn.microsoft.com/en-us/library/cc237955.aspx

Trust: 0.8

title: Additional information about CVE-2014-6324 | url: http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx

Trust: 0.8

title: MS14-068 | url: https://technet.microsoft.com/ja-jp/library/security/ms14-068.aspx

Trust: 0.8

title: Windows Vista Security update (KB3011780) | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52388

Trust: 0.6

title: For x64 Systematic Windows 7 Security update (KB3011780) | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52392

Trust: 0.6

title: Windows 8.1 Security update (KB3011780) | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52396

Trust: 0.6

title: Security Update for Windows Server 2003 for Itanium-based Systems (KB3011780) | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52387

Trust: 0.6

title: Windows 7 Security update (KB3011780) | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52391

Trust: 0.6

title: as-rep-roast | url: https://github.com/bigbael/as-rep-roast

Trust: 0.1

title: pykek | url: https://github.com/mubix/pykek

Trust: 0.1

title: CVE-PoC-collection | url: https://github.com/Dark-Vex/CVE-PoC-collection

Trust: 0.1

title: MMSBGA | url: https://github.com/mynameisv/MMSBGA

Trust: 0.1

title: ActiveDirectoryAttacks | url: https://github.com/ErdemOzgen/ActiveDirectoryAttacks

Trust: 0.1

title: Active-Directory-Kill-Chain-Attack-Defense | url: https://github.com/Nieuport/Active-Directory-Kill-Chain-Attack-Defense

Trust: 0.1

title: infosecn1nja-AD-Attack-Defense | url: https://github.com/mishmashclone/infosecn1nja-AD-Attack-Defense

Trust: 0.1

title: AD-Attack-Defense | url: https://github.com/s0wr0b1ndef/AD-Attack-Defense

Trust: 0.1

title: AD-Attack-Defense | url: https://github.com/infosecn1nja/AD-Attack-Defense

Trust: 0.1

title: Security | url: https://github.com/bodycat/Security

Trust: 0.1

title: active-directory-pentest | url: https://github.com/geeksniper/active-directory-pentest

Trust: 0.1

title: AD-Attack-Defense | url: https://github.com/sunzu94/AD-Attack-Defense

Trust: 0.1

title: Boot2root-CTFs-Writeups | url: https://github.com/Jean-Francois-C/Boot2root-CTFs

Trust: 0.1

title: Boot2root-CTFs-Writeups | url: https://github.com/Jean-Francois-C/Boot2root-CTFs-Writeups

Trust: 0.1

title: WindowsElevation | url: https://github.com/Al1ex/WindowsElevation

Trust: 0.1

sources: VULMON: CVE-2014-6324 // JVNDB: JVNDB-2014-005523 // CNNVD: CNNVD-201411-318

EXTERNAL IDS

db: NVD | id: CVE-2014-6324

Trust: 3.7

db: USCERT | id: TA14-323A

Trust: 1.9

db: CERT/CC | id: VU#213119

Trust: 1.6

db: BID | id: 70958

Trust: 1.4

db: SECTRACK | id: 1031237

Trust: 1.1

db: SECUNIA | id: 62556

Trust: 1.1

db: JVN | id: JVNVU99458129

Trust: 0.8

db: JVNDB | id: JVNDB-2014-005523

Trust: 0.8

db: NSFOCUS | id: 28394

Trust: 0.6

db: CNNVD | id: CNNVD-201411-318

Trust: 0.6

db: EXPLOIT-DB | id: 35474

Trust: 0.1

db: VULMON | id: CVE-2014-6324

Trust: 0.1

db: PACKETSTORM | id: 130297

Trust: 0.1

sources: CERT/CC: VU#213119 // VULMON: CVE-2014-6324 // BID: 70958 // JVNDB: JVNDB-2014-005523 // PACKETSTORM: 130297 // CNNVD: CNNVD-201411-318 // NVD: CVE-2014-6324

REFERENCES

url:http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx

Trust: 1.9

url:http://www.us-cert.gov/ncas/alerts/ta14-323a

Trust: 1.9

url:http://www.securitytracker.com/id/1031237

Trust: 1.1

url:http://marc.info/?l=bugtraq&m=142350249315918&w=2

Trust: 1.1

url:http://www.securityfocus.com/bid/70958

Trust: 1.1

url:http://secunia.com/advisories/62556

Trust: 1.1

url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-068

Trust: 1.1

url:https://technet.microsoft.com/library/security/ms14-068

Trust: 0.8

url:http://msdn.microsoft.com/en-us/library/cc237955.aspx

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-6324

Trust: 0.8

url:http://www.ipa.go.jp/security/ciadr/vul/20141119-ms.html

Trust: 0.8

url:http://www.jpcert.or.jp/at/2014/at140048.html

Trust: 0.8

url:http://jvn.jp/vu/jvnvu99458129/index.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-6324

Trust: 0.8

url:http://www.kb.cert.org/vuls/id/213119

Trust: 0.8

url:http://www.npa.go.jp/cyberpolice/topics/?seq=14971

Trust: 0.8

url:http://technet.microsoft.com/security/bulletin/ms14-068

Trust: 0.6

url:http://www.nsfocus.net/vulndb/28394

Trust: 0.6

url:http://www.microsoft.com

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/264.html

Trust: 0.1

url:https://github.com/bigbael/as-rep-roast

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.exploit-db.com/exploits/35474/

Trust: 0.1

url:http://tools.cisco.com/security/center/viewalert.x?alertid=36460

Trust: 0.1

url:https://h20564.www2.hp.com/portal/site/hpsc/public/kb/

Trust: 0.1

url:https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secbullarchive/

Trust: 0.1

url:http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-6324

Trust: 0.1

url:https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea

Trust: 0.1

sources: CERT/CC: VU#213119 // VULMON: CVE-2014-6324 // BID: 70958 // JVNDB: JVNDB-2014-005523 // PACKETSTORM: 130297 // CNNVD: CNNVD-201411-318 // NVD: CVE-2014-6324

CREDITS

The Qualcomm Information Security & Risk Management team, with special recognition for Tom Maddock

Trust: 0.3

sources: BID: 70958

SOURCES

db: CERT/CC | id: VU#213119
db: VULMON | id: CVE-2014-6324
db: BID | id: 70958
db: JVNDB | id: JVNDB-2014-005523
db: PACKETSTORM | id: 130297
db: CNNVD | id: CNNVD-201411-318
db: NVD | id: CVE-2014-6324

LAST UPDATE DATE

2024-09-09T23:15:32.834000+00:00


SOURCES UPDATE DATE

db: CERT/CC | id: VU#213119 | date: 2014-11-19T00:00:00
db: VULMON | id: CVE-2014-6324 | date: 2019-02-26T00:00:00
db: BID | id: 70958 | date: 2015-07-15T00:14:00
db: JVNDB | id: JVNDB-2014-005523 | date: 2015-05-27T00:00:00
db: CNNVD | id: CNNVD-201411-318 | date: 2014-11-19T00:00:00
db: NVD | id: CVE-2014-6324 | date: 2024-07-16T17:48:24.083

SOURCES RELEASE DATE

db: CERT/CC | id: VU#213119 | date: 2014-11-18T00:00:00
db: VULMON | id: CVE-2014-6324 | date: 2014-11-18T00:00:00
db: BID | id: 70958 | date: 2014-11-11T00:00:00
db: JVNDB | id: JVNDB-2014-005523 | date: 2014-11-20T00:00:00
db: PACKETSTORM | id: 130297 | date: 2015-02-09T21:09:03
db: CNNVD | id: CNNVD-201411-318 | date: 2014-11-19T00:00:00
db: NVD | id: CVE-2014-6324 | date: 2014-11-18T23:59:02.503