Hello everyone,


This is Greg Blaum again with a special update regarding a Microsoft OOB (Out-Of-Band) Hotfix that was released on November 18th, 2014.

 

If you recall from our November 2014 Microsoft Patch Tuesday analysis, one of the patches that Microsoft mentioned in their initial advance notification for November was MS14-068. I said at the time that administrators should keep an eye out for this one (and MS14-075 as well) as it may be released out-of-band. Well, it has, and here’s the information on MS14-068.

 

The bar for Microsoft to release a hotfix as an Out-Of-Band release is significantly higher than a hotfix that is released through the normal Patch Tuesday cadence. There’s significant churn that happens for an Out-Of-Band release, and customers have to quickly assess the OOB hotfix and then get that deployed outside of their normal patch window. So when you see an Out-Of-Band release come out of Microsoft, you had better assume it is to address something pretty nasty.

 

 

Bulletin Number

KB Number

Title

Bulletin Rating

Vulnerability Impact

McAfee Labs Security Advisory Number

McAfee Coverage

MS14-068

3011780

Vulnerability in Kerberos Could Allow Elevation of Privilege

Critical

Elevation of Privilege

MTIS14-180

Covered Products:

  • Vulnerability Mgr (11/18)

Under Analysis:

  • DAT
  • Host IPS
  • NSP
  • Web Gateway
  • Policy Auditor SCAP
  • MNAC 2.x
  • Firewall Enterprise

 

MS14-068 (CVE-2014-6324)

 

This Critical update addresses a vulnerability in Microsoft Windows Kerberos KDC. This one is particularly nasty because it allows an attacker to elevate their account privileges from domain user to domain administrator. Once an attacker has domain administrator rights, they can compromise any computer they want inside the corporate domain…and YES, this includes domain controllers. This is definitely in the realm of an “inside” attack, as the user would need to already be authenticated to the domain. But the potential of a standard user getting domain administrator credentials by exploiting this vulnerability is something that will likely keep every Windows Active Directory administrator and Security Incident Response Team awake at night until they get this patch deployed.

 

It affects all supported editions of Windows Server 2003, 2008, 2008 R2, 2012, and 2012 R2. Microsoft is also releasing a fix for the workstation versions of Windows: Vista, 7, 8, and 8.1. This vulnerability is also likely in Windows 10 Technical Preview and Windows Server Technical Preview, so run Microsoft Windows Update on those platforms if you’re testing them.

 

A NOTE ON MS14-066:

 

Microsoft re-released the patch for MS14-066 on November 18th, 2014 as well. There were a small number of customers that reported issues to Microsoft with the new TLS cipher suites that were included in MS14-066. Microsoft is recommending any customers that applied the 2992611 update for MS14-066 prior to the November 18th reoffering should reapply the update.

 

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

 

Finally, these briefings are archived on the McAfee Community site.

 

For additional useful security information, please make note of the following links:

 

 

 

 

Get the update for MS14-068 deployed ASAP and stay safe!

-Greg