domain controllers

Winsage
March 5, 2025
Integer overflows and memory corruption errors have been identified during the encoding of the kerb-message OCTET STRING field in the KDC Proxy. ASN1encoder.buf is allocated as a 1,024-byte buffer, while ASN1encoder.current points to ASN1_encoder.buf + 4. The KDC Proxy accepts Kerberos responses with a maximum size of 4,294,967,295. When a Kerberos response is sent with a length from 4,294,967,291 to 4,294,967,295, the addition wraps because its result is stored in a 4-byte unsigned variable, leading to a heap buffer overflow when ASN1BEREncCharString() calls memcpy(). Similarly, for responses with lengths between 4,294,966,267 and 4,294,967,290, the overflow occurs during reallocation, causing an out-of-bounds write or heap buffer overflow. An edge case arises when 0 is passed as the new size to LocalReAlloc(), leading to an access violation. A remote, unauthenticated attacker could exploit this vulnerability for arbitrary code execution. Detection involves monitoring traffic on UDP port 389 and TCP port 88, focusing on Kerberos responses; a response exceeding 0x80000000 bytes should be flagged as suspicious. The vulnerability was patched in November, and only KDC servers are at risk; domain controllers are unaffected. Immediate patching of all instances of the KPSSVC server is recommended.
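The wrapping length check described above, as an added example that is not code from this page or from Microsoft: a 32-bit capacity check that wraps on a huge response length, beside a checked version, plus the page's 0x80000000 detection threshold. The 1,024-byte buffer and the write position at buf + 4 follow the page; the function names and the sample length are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENC_BUF_SIZE 1024u   /* initial encoder buffer size named on the page */
#define ENC_HEADER   4u      /* write position starts at buf + 4 per the page */

/* Flawed capacity check: offset + len is computed in 32 bits and can wrap,
 * so a length near UINT32_MAX looks like it fits. Kept only to show the failure. */
bool fits_unchecked(uint32_t offset, uint32_t len, uint32_t capacity)
{
    uint32_t needed = offset + len;   /* wraps when offset + len > UINT32_MAX */
    return needed <= capacity;
}

/* Hardened check: refuse any length whose addition would wrap, then compare. */
bool fits_checked(uint32_t offset, uint32_t len, uint32_t capacity)
{
    if (len > UINT32_MAX - offset)    /* the addition would overflow */
        return false;
    return offset + len <= capacity;
}

/* Detection rule from the page: a Kerberos response larger than 0x80000000
 * bytes is not legitimate and should be flagged. */
bool response_length_suspicious(uint32_t len)
{
    return len > 0x80000000u;
}

/* Append `len` bytes into the fixed-size encoder buffer using the checked
 * arithmetic. Returns the new write offset, or 0 when the length is rejected
 * (0 is never a valid offset here because writes start at ENC_HEADER). */
uint32_t encoder_append(uint8_t *buf, uint32_t offset, const uint8_t *src, uint32_t len)
{
    if (!fits_checked(offset, len, ENC_BUF_SIZE))
        return 0;
    memcpy(buf + offset, src, len);
    return offset + len;
}

int main(void)
{
    uint32_t huge = 4294967295u;  /* constructed: top of the range on the page */
    printf("unchecked=%d checked=%d suspicious=%d\n",
           fits_unchecked(ENC_HEADER, huge, ENC_BUF_SIZE),
           fits_checked(ENC_HEADER, huge, ENC_BUF_SIZE),
           response_length_suspicious(huge));
    return 0;
}
```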
Winsage
March 5, 2025
A critical remote code execution vulnerability, designated as CVE-2024-43639, has been identified in Microsoft’s Windows Key Distribution Center (KDC) Proxy. This flaw arises from an integer overflow due to a missing validation check for Kerberos response lengths, allowing unauthenticated remote attackers to execute arbitrary code with the privileges of the target service. The vulnerability specifically affects KDC Proxy servers and was addressed in a November 2024 security update by implementing necessary length validation checks. Organizations using remote authentication services reliant on the KDC Proxy, such as RDP Gateway or DirectAccess, are particularly at risk. Immediate patching is advised, and monitoring for potential exploitation attempts is recommended.
Winsage
February 12, 2025
Microsoft released a total of 63 patches in February, including six previously released ones. Two vulnerabilities, CVE-2025-21418 (CVSS 7.8) and CVE-2025-21391 (CVSS 7.1), are actively exploited and require local access and authentication for exploitation. CVE-2025-21418 affects the Windows Ancillary Function Driver for Winsock, allowing attackers to gain SYSTEM-level privileges on Windows 10, 11, and various Windows Server versions. CVE-2025-21391 affects Windows Storage, enabling local attackers to delete files under certain conditions. Two publicly known vulnerabilities, CVE-2025-21194 (CVSS 7.1) and CVE-2025-21377 (CVSS 6.5), have not yet been exploited. CVE-2025-21194 exposes PCs to potential hypervisor and secure kernel compromises, while CVE-2025-21377 risks leaking a user's NTLMv2 hash with minimal user interaction. CVE-2025-21198, rated at CVSS 9.0, allows remote code execution in high-performance computing infrastructures, requiring network access to a targeted HPC cluster. Excel users should address five patches rated at 7.8, particularly CVE-2025-21381, which has potential for remote code execution through local attack vectors. As of February 11, administrators must configure the StrongCertificateBindingEnforcement registry key on domain controllers to avoid transitioning to Full Enforcement mode by February 2025. CVE-2025-21177 (CVSS 8.7) has been fully mitigated by Microsoft. Adobe released 45 updates, with 31 addressing vulnerabilities in Adobe Commerce, and critical patches for InDesign and Illustrator. SAP issued 21 patches affecting NetWeaver and addressing cross-site scripting issues. Fortinet released security updates for various products, including a critical authentication bypass vulnerability in FortiOS and FortiProxy (CVSS 9.6).
Winsage
December 11, 2024
Microsoft released a comprehensive update on Tuesday that includes 71 patches addressing vulnerabilities across ten product families. Among these, 17 vulnerabilities affecting Windows are classified as Critical, with a CVSS base score of 8.1 or higher. Ten of these vulnerabilities are related to Remote Desktop Services. CVE-2024-49138, which affects the Windows Common Log File system driver, is currently exploited in the wild, and Microsoft expects six additional CVEs may be targeted in the next 30 days. The update includes advisory notes on two Edge CVEs and a Defense-in-Depth update for Microsoft Project. The total number of CVEs addressed is 71, with 1 publicly disclosed and 1 exploit detected. The severity breakdown includes 17 Critical and 54 Important vulnerabilities. The impact categories are as follows: 31 for Remote Code Execution, 27 for Elevation of Privilege, 7 for Information Disclosure, 5 for Denial of Service, and 1 for Spoofing. There is 1 CVE with a CVSS base score of 9.0 or greater and 27 with a score of 8.0 or greater. CVE-2024-49112 is highlighted as the only vulnerability this month with a CVSS base score exceeding 9.0, rated at 9.8, affecting all supported versions of Windows 10, 11, and Server versions since 2008. CVE-2024-49138 is an Important-severity elevation of privilege issue impacting all supported client and server versions of Windows. CVE-2024-49117 is a Critical-severity RCE that could enable cross-VM attacks, while CVE-2024-49114 introduces a new vulnerability category termed False File Immutability. Microsoft has addressed a total of 1,015 CVEs through its Patch Tuesday process in 2023, the highest annual count since 2020. December 2023 recorded the lowest patch count in five years, with only 33 patches released. For users of Sophos protections, a detailed table outlines the CVEs and corresponding detection capabilities.
Winsage
December 11, 2024
Microsoft's Patch Tuesday update addressed 72 vulnerabilities, with CVE-2024-49138 being actively exploited, affecting the Windows Common Log File System Driver and allowing privilege escalation on Windows 10, 11, and Server 2019 and later. The most critical vulnerability, CVE-2024-49112 in the Windows Lightweight Directory Access Protocol (LDAP), has a CVSS score of 9.8 but is challenging to exploit. Microsoft recommends blocking inbound RPCs from untrusted networks as a workaround. CVE-2024-49093, with a CVSS score of 8.8, poses risks from malicious low-privilege AppContainers. Other significant vulnerabilities include CVE-2024-49088, CVE-2024-49090, and CVE-2024-49114, all related to privilege escalation. Additionally, CVE-2024-49070 and CVE-2024-49122 involve code execution flaws. Adobe released a patch for 167 vulnerabilities, including 91 in Adobe Experience Manager, with one critical flaw. Adobe Connect fixed 22 vulnerabilities, six rated critical, while Adobe Acrobat addressed six vulnerabilities, none exceeding a CVSS score of seven. Adobe Animate had 13 vulnerabilities, all rated 7.8, and InDesign and Substance 3D Modeler each had nine issues, none surpassing a CVSS score of 7.8. Adobe Media Encoder fixed four vulnerabilities, three allowing arbitrary code execution.
Winsage
December 11, 2024
In December 2024, Adobe released 16 patches addressing 167 CVEs across various products, including Adobe Experience Manager, Acrobat and Reader, Media Encoder, Illustrator, After Effects, Animate, InDesign, Adobe PDFL SDK, Connect, Substance 3D Sampler, Photoshop, Substance 3D Modeler, Bridge, Premiere Pro, Substance 3D Painter, and FrameMaker. The most significant patch resolved 91 CVEs in Adobe Experience Manager, primarily related to cross-site scripting (XSS) and one critical code execution vulnerability. Other notable patches included 22 CVEs for Connect, several code execution vulnerabilities for Acrobat, and 13 critical-rated code execution bugs for Animate. Additional patches addressed 9 CVEs each for InDesign and Substance 3D Modeler, 4 CVEs for Media Encoder, 3 CVEs for Substance 3D Sampler, and 2 CVEs each for Illustrator and Substance 3D Painter. None of the vulnerabilities were publicly known or under active attack at the time of release. Microsoft's December release included 71 new CVEs affecting Windows and its components, Office, SharePoint Server, Hyper-V, Defender for Endpoint, and System Center Operations Manager, totaling 72 CVEs for the month, the largest since 2017. Among the patches, 16 were rated Critical, 54 Important, and one Moderate. Notably, CVE-2024-49138 is actively being exploited, while CVE-2024-49112 allows remote code execution via LDAP with a CVSS score of 9.8. CVE-2024-49117 permits code execution from a guest VM on Hyper-V, and CVE-2024-49063 involves deserialization vulnerabilities in the Muzic project. Organizations are advised to patch promptly to mitigate risks.
Winsage
December 11, 2024
A Windows zero-day security vulnerability, tracked as CVE-2024-49138 (CVSS 7.8), exists in the Windows Common Log File System (CLFS) Driver, allowing privilege escalation. This vulnerability can be exploited by manipulating log files or corrupting log data, potentially leading to SYSTEM-level privileges on Windows Server. Microsoft’s December 2024 Patch Tuesday update includes 71 patches, bringing the total for the year to 1,020, with 16 classified as critical. Among these, CVE-2024-49112 (CVSS 9.8) is a critical remote code execution (RCE) vulnerability in Windows LDAP, which can compromise Domain Controllers. CVE-2024-49117 (CVSS 8.8) affects Windows Hyper-V, allowing code execution on the host OS from a guest VM. Additionally, CVE-2024-49132 (CVSS 8.1) impacts Windows Remote Desktop Services, enabling RCE through a use-after-free memory condition. Other vulnerabilities include CVE-2024-49093 (CVSS 8.8), an elevation of privilege flaw in Windows Resilient File System (ReFS), and CVE-2024-49063, an RCE issue in the Muzic project related to AI-generated music.
Winsage
October 14, 2024
The Iranian threat actor known as OilRig is exploiting a patched privilege escalation vulnerability (CVE-2024-30088) in the Windows Kernel as part of a cyber espionage campaign targeting the United Arab Emirates and the Gulf region. OilRig, also referred to as Earth Simnavaz and by other aliases, employs advanced tactics including a backdoor that exploits Microsoft Exchange servers for credential theft. Their recent operations involve a previously undocumented implant for exfiltrating credentials and the use of a web shell for initial access to vulnerable web servers. They utilize the ngrok remote management tool for persistence and movement within networks. The exploitation of the privilege escalation vulnerability allows the delivery of a backdoor called STEALHOOK, which transmits harvested data via the Exchange server. OilRig has also employed a password filter policy DLL (psgfilter.dll) to extract sensitive credentials. This group has a history of targeting critical infrastructure in geopolitically sensitive areas to maintain a persistent presence for further attacks.