Kerberos, a computer-network authentication protocol, can be bypassed using a new attack technique revealed with a proof-of-concept exploit code. The technique, dubbed Bronze Bit attack, exploits the CVE-2020-17049 vulnerability. This attack technique is a variation of the older Golden Ticket and Silver Ticket attacks.
What has happened?
Using this technique, after compromising a network, an attacker can extract password hashes to bypass and forge credentials for other systems on the same network, as long as the network uses the Kerberos authentication protocol.
- The Kerberos computer-network authentication protocol has been included in all official Windows versions since 2000.
- The attack targets S4U2self protocol to get a service ticket for a targeted user to the compromised service.
- After obtaining the service ticket, the attacker manipulates this service ticket by making sure that its "Forwardable" bit is set to 1.
- The attack is possible because the Forwardable flag is not signed and the Kerberos process can not detect the tampered tickets.
Additional info
This Bronze Bit attack can bypass two existing protections for Kerberos delegation. In addition, this attack technique provides an opportunity for imitation, privilege escalation, and lastly lateral movement.
- This attack is named Bronze Bit instead of Bronze Ticket as it relies on flipping only a single bit.
- The exploit has been developed as an extension of the Impacket framework offered by SecureAuth.
Conclusion
The disclosure and public availability of such a proof-of-concept exploit magnifies the risk across sensitive network-connected services. Thus, experts suggest applying December 8, 2020 updates released by Microsoft that fix all known issues related to CVE-2020-17049. In addition, users are recommended to frequently update their operating system and other critical applications.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/c09a_shutterstock_435963751.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/iStock_29461972_MEDIUM.jpg)
