The Health Sector Cybersecurity Coordination Center (HC3) has warned its members about the risk posed to Microsoft Windows Server and Active Directory installations after the disclosure last month of a flaw in Active Directory.
In its January Cybersecurity Vulnerability Bulletin, published on Tuesday, the HC3 listed the newly disclosed security hole, CVE-2020-16996, as one of nine “egregious” flaws patched by Microsoft in December and one that is “likely to impact healthcare organizations.”
The Health Sector Cybersecurity Coordination Center (HC3) was created by the Department of Health and Human Services to facilitate cybersecurity information sharing across the Health and Public Health Sector (HPH).
The security vulnerability was patched on December 8 as part of Microsoft’s monthly “Patch Tuesday” release, which included 58 patches, 22 of which were identified as remote code execution (RCE) vulnerabilities. The flaw affects a wide range of Windows Server versions stretching from Windows Server 2008 Service Pack 2 to Windows Server 2019.
According to guidance issued by Microsoft, Active Directory installations that are making use of the Protected Users feature and Resource-Based Constrained Delegation (RBCD) are particularly at risk from CVE-2020-16996. The December patch adds support for a new Windows registry key: NonForwardableDelegation to “enable protection on Active Directory domain controller servers.” Microsoft recommends installing the patch on “all devices that host the Active Directory domain controller role and read-only domain controllers (RODCs).”
However, the full fix is actually a two-stage process, with the next stage reportedly coming in February, when another update will introduce something called the Active Directory “Enforcement Phase.” That is described as a feature that will “(enforce) the changes to address CVE-2020-16996. Active Directory domain controllers will now be in Enforcement mode unless the enforcement mode registry key is set to 1 (Disabled).”
The changes are likely linked to another vulnerability disclosed in recent months, CVE-2020-17049: the so-called “Bronze Bit” Kerberos attack. (“Bronze” is a reference to the Golden Ticket and Silver Ticket Kerberos forgery attacks.) As noted in this excellent write-up over at netspi.com, Bronze Bit attacks allow any attacker with a foothold within a target environment and the password hash of a service account to authenticate to a second service by posing as any user, including members of the Protected Users group.
This is possible because of a flaw in the way the Key Distribution Center (KDC) determines whether a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). A compromised service that is configured to use KCD can manipulate a service ticket that is not valid for delegation and force the KDC to accept it.
The attack works by manipulating the S4U2self protocol, a Kerberos extension introduced by Microsoft, to obtain a service ticket for a targeted user to the compromised service, using the service’s password hash. An attacker using a Bronze Bit attack then manipulates this service ticket by changing its forwardable flag to “1” (yes). This tampered service ticket is then used with the S4U2proxy protocol to obtain a genuine service ticket to the targeted service for the targeted user. With that, an attacker has free rein to impersonate the targeted user: sending requests to the targeted service with the targeted user’s authority, and so on.
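The S4U2self/S4U2proxy flow described above leaves one trace a defender can act on: a constrained-delegation (S4U2proxy) ticket request shows up in the domain controller's Security log as Event ID 4769 with the TransmittedServices field populated, and a Protected Users member should never appear as the target user of such a request. The script below is an added example, written for this page and not code from the article or from the netspi write-up. It decodes the TicketOptions bitmask using the RFC 4120 KDCOptions bit layout, then flags delegated tickets issued for Protected Users members. The function names, the constructed sample records and the sample user and service names are all assumptions made for the example; the event field names mirror the 4769 event data.

```powershell
# Added example, not from the article or the netspi write-up: a detection pass
# over Kerberos service-ticket request events (Security Event ID 4769).
# Field names follow the 4769 event data (TargetUserName, ServiceName,
# TicketOptions, TransmittedServices); the records at the bottom are constructed
# for an offline run, not real logs.

# KDC-REQ option masks (RFC 4120 KDCOptions; bit 0 is the most significant bit
# of the 32-bit value Windows logs as TicketOptions).
$KdcOptionMasks = [ordered]@{
    'forwardable'             = 0x40000000
    'forwarded'               = 0x20000000
    'proxiable'               = 0x10000000
    'proxy'                   = 0x08000000
    'renewable'               = 0x00800000
    'cname-in-addl-tkt'       = 0x00020000   # set on S4U2proxy requests (MS-SFU)
    'canonicalize'            = 0x00010000
    'disable-transited-check' = 0x00000020
    'renewable-ok'            = 0x00000010
    'enc-tkt-in-skey'         = 0x00000008
    'renew'                   = 0x00000002
    'validate'                = 0x00000001
}

function ConvertFrom-TicketOptions {
    # Turns the logged hex string (e.g. '0x40810000') into option names.
    param([Parameter(Mandatory)][string]$HexOptions)
    $value = [int64][Convert]::ToUInt32($HexOptions, 16)
    foreach ($entry in $KdcOptionMasks.GetEnumerator()) {
        if (($value -band [int64]$entry.Value) -ne 0) { $entry.Key }
    }
}

function Find-DelegatedTicketForProtectedUser {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][string[]]$ProtectedUsers   # sAMAccountNames
    )
    foreach ($e in $Events) {
        # TransmittedServices is populated on S4U2proxy (constrained delegation)
        # requests; '-' or empty means the ticket was not obtained by delegation.
        $transited   = $e.TransmittedServices
        $isDelegated = -not ([string]::IsNullOrWhiteSpace($transited) -or $transited -eq '-')
        if (-not $isDelegated) { continue }

        $user = ($e.TargetUserName -split '@')[0]
        if ($ProtectedUsers -notcontains $user) { continue }

        # The KDC should never issue a delegated ticket for a Protected Users
        # member, so any such event is worth an alert. Note that the forwardable
        # flag flipped in a Bronze Bit attack lives inside the encrypted ticket
        # and is not logged; the decoded options are only what the client asked for.
        [pscustomobject]@{
            Time           = $e.TimeCreated
            ProtectedUser  = $user
            TargetService  = $e.ServiceName
            DelegatedVia   = $transited
            RequestOptions = (ConvertFrom-TicketOptions $e.TicketOptions) -join ','
            Reason         = 'Delegated service ticket issued for a Protected Users member'
        }
    }
}

# Constructed sample records in the shape of 4769 event data (not real logs).
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2021-01-13T09:00:01'; TargetUserName = 'jdoe@CORP.EXAMPLE';
                       ServiceName = 'FS01$'; TicketOptions = '0x40810000'; TransmittedServices = '-' }
    [pscustomobject]@{ TimeCreated = '2021-01-13T09:00:07'; TargetUserName = 'da-admin@CORP.EXAMPLE';
                       ServiceName = 'FS01$'; TicketOptions = '0x40830000'; TransmittedServices = 'HTTP/web01.corp.example' }
)

# In production the list would come from Get-ADGroupMember 'Protected Users';
# a constructed list is used here so the script runs offline.
Find-DelegatedTicketForProtectedUser -Events $sampleEvents -ProtectedUsers @('da-admin') |
    Format-Table -AutoSize
```

For live use, pull the events from each domain controller with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769}`, convert each event's XML into objects carrying the same property names, and feed them to the function. Ordinary constrained delegation on behalf of users outside Protected Users is legitimate and is deliberately not flagged; the rule keys only on the group whose members the KDC is supposed to refuse to delegate.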
The changes introduced by Microsoft in the December patch, specifically adding the NonForwardableDelegation registry value, are really about making features like Privileged User and Resource Based Constrained Delegation work in the way they were envisioned, said QOMPLX Chief Technology Officer Andrew Sellers.
For organizations in healthcare and elsewhere that want to eliminate the Bronze Bit attack vector, Sellers notes that the patches will need to be applied throughout an Active Directory forest before the enforcement mode registry key can be enabled on all Active Directory Domain Controllers and Read-Only Domain Controllers to ensure the new protection features actually work.
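The rollout described above (patch every DC and RODC in the forest, then move to enforcement) is easiest to track with a forest-wide report of where each domain controller stands. The script below is an added example written for this page; it is not Microsoft's guidance or the article's own code. It reads the NonForwardableDelegation value from every DC over PowerShell Remoting, interprets it the way the article describes (1 means enforcement is disabled), and then inventories the two populations Microsoft singles out as particularly exposed: Protected Users members and objects with resource-based constrained delegation configured. The registry subkey path is an assumption taken from where Kerberos KDC parameters normally live and should be confirmed against Microsoft's guidance for CVE-2020-16996; the RSAT ActiveDirectory module and WinRM access to each DC are also assumed.

```powershell
# Added example, not from the article or from Microsoft: audit every domain
# controller (including RODCs) for the NonForwardableDelegation value and
# inventory the objects the guidance singles out as most exposed.
# Assumptions: the RSAT ActiveDirectory module is installed, PowerShell Remoting
# is allowed to each DC, and the value lives under the Kerberos\Parameters subkey
# below. Confirm the exact subkey against Microsoft's guidance for CVE-2020-16996
# before relying on this report.
Import-Module ActiveDirectory

$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'   # assumed location
$RegValue = 'NonForwardableDelegation'

# Every DC and RODC in every domain of the forest: the enforcement setting only
# does its job once the December patch is present forest-wide.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$report = foreach ($dc in $dcs) {
    $data  = $null
    $state = $null
    try {
        $data = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            param($Path, $Name)
            $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Value     = if ($null -ne $item) { [int]$item.$Name } else { $null }
                OSVersion = (Get-CimInstance Win32_OperatingSystem).Version
            }
        } -ArgumentList $RegPath, $RegValue

        # Interpretation as stated in the article: 1 means enforcement mode is
        # disabled; once the February "Enforcement Phase" update is installed, a
        # DC without the value (or with it set to 0) runs in Enforcement mode.
        $state = if ($null -eq $data.Value) {
            'Value absent: follows the phase default (enforced after the February update)'
        } elseif ($data.Value -eq 1) {
            'Enforcement DISABLED (value = 1): re-enable once the whole forest is patched'
        } else {
            "Enforcement enabled (value = $($data.Value))"
        }
    } catch {
        $state = "Unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        Domain           = $dc.Domain
        ReadOnly         = $dc.IsReadOnly
        OSVersion        = if ($data) { $data.OSVersion } else { $null }
        EnforcementState = $state
    }
}

$report | Sort-Object Domain, DomainController | Format-Table -AutoSize

# The populations the guidance calls "particularly at risk": Protected Users
# members and objects that are targets of resource-based constrained delegation
# (RBCD is stored in msDS-AllowedToActOnBehalfOfOtherIdentity on the target).
$protected   = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive)
$rbcdTargets = @(Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
                   -Properties msDS-AllowedToActOnBehalfOfOtherIdentity)

"Protected Users members: $($protected.Count)"
"Objects with RBCD configured: $($rbcdTargets.Count)"
$rbcdTargets | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
```

Run it from a workstation with the AD module as an account that can read each DC's registry; any DC reported as "Enforcement DISABLED" or "Unreachable" is a gap in the rollout, and the RBCD inventory tells you which resources would be reachable by a Bronze Bit impersonation if a DC were left out.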
There are many varieties of Kerberos Delegation Attacks, which we wrote about here. Those that work with Resource Based Constrained Delegation, which was introduced with Windows Server 2012, are rare.
The HC3 Bulletin also lists eight other critical flaws, including a vulnerability allowing attackers to bypass the Windows Lock Screen (CVE-2020-17099) and two separate RCE vulnerabilities affecting Microsoft SharePoint (CVE-2020-17121 and CVE-2020-17118).