Microsoft has disclosed two critical vulnerabilities in Windows Kerberos authentication that could allow attackers to bypass security mechanisms and escalate privileges. CVE-2024-26248 and CVE-2024-29056 both involve flaws in how Windows validates Privilege Attribute Certificates (PACs) during Kerberos authentication, potentially enabling sophisticated attack vectors.

Understanding the Kerberos PAC Mechanism

The Kerberos authentication protocol uses Privilege Attribute Certificates (PACs) to convey user authorization data between domain controllers and services. A PAC contains critical security information including:

  • User Security Identifiers (SIDs)
  • Group membership data
  • User rights assignments
  • Resource access permissions

During authentication, Windows validates PAC signatures to ensure they haven't been tampered with. These newly discovered vulnerabilities undermine this validation process.

Technical Breakdown of the Vulnerabilities

CVE-2024-26248: PAC Signature Spoofing

This vulnerability (CVSS score 8.1) allows attackers to forge PAC signatures when:

  • The KDC doesn't properly validate the PAC's server signature
  • Services accept authentication without proper PAC verification
  • Attackers can intercept and modify Kerberos tickets

Successful exploitation could enable:

  • Unauthorized privilege escalation
  • Lateral movement across networks
  • Bypass of security controls

CVE-2024-29056: PAC Validation Bypass

More severe (CVSS score 9.0), this flaw permits:

  • Complete bypass of PAC validation checks
  • Creation of forged tickets with elevated privileges
  • Impersonation of domain administrators

Impact Analysis

These vulnerabilities affect all supported Windows versions:

  • Windows 10/11
  • Windows Server 2012 R2 through 2022
  • Azure Stack systems

Potential attack scenarios include:

  • Enterprise networks using Active Directory
  • Cloud environments with domain-joined systems
  • Hybrid Azure AD deployments

Mitigation Strategies

Microsoft has released patches through April 2024 Patch Tuesday. Recommended actions:

  1. Immediate Patching
    - Install KB5036893 (Windows 10)
    - Install KB5036892 (Windows 11)
    - Server-specific updates for affected versions

  2. Temporary Workarounds
    - Restrict Kerberos delegation
    - Implement SMB signing requirements
    - Enable Windows Defender Attack Surface Reduction rules

  3. Detection Measures
    - Monitor for unusual Kerberos ticket requests
    - Audit authentication events (Event ID 4769)
    - Implement LSA Protection

Long-Term Security Recommendations

  • Enforce strict Kerberos armoring (FAST)
  • Implement certificate-based authentication where possible
  • Regularly audit domain controller logs
  • Consider migrating to Azure AD for cloud-first environments

Historical Context

These vulnerabilities continue a trend of Kerberos-related flaws:

  • 2022: CVE-2022-37966 (Kerberos RC4-HMAC)
  • 2020: CVE-2020-17049 (PAC validation bypass)
  • 2014: MS14-068 (PAC forgery)

FAQ Section

Q: Can these be exploited remotely?
A: Yes, attackers could exploit these over the network without physical access.

Q: Are workstations vulnerable?
A: Yes, but servers and domain controllers are primary targets.

Q: Is multi-factor authentication effective?
A: MFA helps but doesn't prevent all exploitation scenarios.

Future Outlook

Microsoft is enhancing PAC validation in future Windows releases with:

  • Stricter cryptographic requirements
  • Improved logging capabilities
  • Integration with Windows Defender for Identity

Organizations should treat these vulnerabilities as high priority due to their potential impact on enterprise security postures.