Update 2015.11.13: Haken posted Blackhat slides [pdf] and a full paper [pdf]. The bug itself is related to design of a changing authentication feature. With their own Samba server, an attacker can “poison” the target system’s LSA local cache to enable the bypass by forcing a password reset:
“Fundamentally, this is the root of the issue described in this paper: the password reset exchange does not require the DC to provide authentication (i.e. an unknown machine password) and the client-side implementation of this exchange will update the local credentials cache after a successful exchange.”
Summing it up, the bug appears to be a design flaw in offline password management for domain user accounts. It is a bit of a corner case, but it’s significant for travelers.
“I suspect this weakness in the protocol comes about because this threat model was not applicable when it was originally designed. At that point in time, an attacker having physical control of a client machine meant it was already totally compromised. However, as this paper demonstrates, the threat model needs to be revisited. What was once a perfectly reasonable protocol breaks down under this revised threat model. This is a good lesson to be taken from this research. Threat models can change over time even when the software in question doesn’t. However, when threat models change, the security architecture of applications may need to be carefully revised along with them.”
It also appears that Microsoft’s Bulletin needs to be changed. According to Haken, one requirement is that “the machine has joined a domain and an authorized domain user has previously logged into the machine”, and not “a domain user must be logged on to the target machine”, which wouldn’t make sense.
Original content: Microsoft posted four critical bulletins today, along with another eight rated Important and lesser. Microsoft’s summary is at the Technet site. All in all, the software maker is patching a large number of vulnerabilities this month, with 37 CVE listed vulnerabilities being fixed with the four critical Bulletins alone. On the bright side, Microsoft claims that none of these exploits are being publicly exploited at the time of notification.
Software affected with Bulletins rated critical are listed here (MS15-112, MS15-113, MS15-114, MS15-115):
- Web browsers Microsoft Edge and Internet Explorer
- Windows Journal
- Windows’ font handing code
Software affected with Bulletins rated important are listed here (MS15-116, MS15-117, MS15-118, MS15-119, MS15-120, MS15-121, MS15-122, MS15-123):
- Microsoft Office
- Windows NDIS, IPSEC, Schannel, and winsock (network software)
- Microsoft .NET Framework
- Services on Sharepoint and Office Web Apps
- Skype for Business and Microsoft Lync
Of the Bulletins rated “Important”, 16 CVE listed vulnerabilities were being fixed.
According to Microsoft, “Kerberos fails to check the password change of a user signing into a workstation. An attacker could bypass Kerberos authentication on a target machine and decrypt drives protected by BitLocker.
An attacker who has physical access to a target machine could bypass Kerberos authentication by connecting a workstation to a malicious Kerberos Key Distribution Center (KDC).
The following mitigating factors may be helpful in your situation:
- This bypass can be exploited only if the target system has BitLocker enabled without a PIN or USB key.
- A domain user must be logged on to the target machine for the attack to succeed.”
Significant updates today also include Google announcing their deprecation of support for the Chrome browser on Windows XP and Windows Vista, along with Mac OS X 10.6, 10.7, and 10.8. While some organizations in the ICS or health care space may want to continue running their investment into these systems on their plant floors or facilities, this deprecation is another reason to upgrade those systems.