Security researchers have uncovered a significant remote code execution vulnerability in Microsoft’s Windows Key Distribution Center (KDC) Proxy that could allow attackers to gain complete control over affected servers. The vulnerability, tracked as CVE-2024-43639, stems from an integer overflow caused by a missing check on the length of Kerberos responses in the KDC Proxy service. Microsoft addressed CVE-2024-43639 in its November 2024 security update by adding proper length validation checks to the KDC Proxy Server service. The vulnerability was identified by security researchers from Kunlun Lab in collaboration with Cyber KunLun.

The flaw exists specifically in the KDC Proxy Server service (KDCSVC), a component that facilitates Kerberos authentication for remote workloads by proxying Kerberos traffic over HTTPS. When remote clients need to authenticate but lack direct network connectivity to domain controllers, the KDC Proxy acts as an intermediary, forwarding authentication requests over HTTPS. The vulnerable component implements the Kerberos KDC Proxy Protocol (KKDCP), which wraps Kerberos requests in HTTP POST requests sent to the /KdcProxy endpoint. When processing responses, the KDC Proxy reads the first four bytes to determine the message length, then attempts to read the corresponding number of bytes.

According to detailed analysis from security researchers, the vulnerability arises from improper handling of Kerberos response lengths, creating an exploitable integer overflow condition. The root cause lies in the KpsSocketRecvDataIoCompletion() function in kpssvc.dll, which fails to verify the length of incoming Kerberos responses before processing them. The validation function that normally checks Kerberos responses can be circumvented by setting specific byte values in the response, so a maliciously crafted response can trigger memory corruption that is then leveraged for code execution.

The exploitation process involves a chain of events that targets how the KDC Proxy handles Kerberos responses. An attacker begins by directing the KDC Proxy to forward a Kerberos request to a server under their control, which then returns a specially crafted Kerberos response with manipulated length values. Exploitation does not require authentication, which makes the flaw particularly dangerous: attackers need only network access to the KDC Proxy server to attempt it. A successful attack enables an unauthenticated remote attacker to execute arbitrary code with the privileges of the target service, potentially leading to complete system compromise. The vulnerability exclusively affects servers explicitly configured as KDC Proxy servers and does not impact domain controllers; organizations using remote authentication services that rely on the KDC Proxy are particularly vulnerable.

Detection guidance suggests monitoring TCP port 88 traffic for Kerberos responses with message length prefixes of 0x80000000 (2,147,483,648) bytes or larger, which would indicate suspicious activity potentially related to exploitation of this vulnerability. If patching is not immediately possible, organizations should consider temporarily disabling the KDC Proxy service until updates can be applied, though this may impact remote authentication for users outside the corporate network. Security researchers noted that it was somewhat unusual for Microsoft to address the issue in the KDC Proxy rather than fixing the underlying vulnerability in the ASN.1 library, suggesting there may be additional considerations regarding the broader use of this library across the Windows ecosystem. The vulnerability highlights ongoing security challenges in authentication services and underscores the importance of prompt patching practices in enterprise environments.
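The detection guidance above, as an added example that is not from the article, Microsoft or the researchers: a checker that walks a captured Kerberos-over-TCP payload (the KDC-to-proxy direction on port 88) message by message and flags any four-byte length prefix at or above 0x80000000, the threshold the guidance names. The sample streams are constructed and their message bodies are arbitrary stand-in bytes, not real DER-encoded Kerberos messages.

```python
import struct
from dataclasses import dataclass

# Kerberos over TCP (RFC 4120, section 7.2.2) prefixes every message with a
# 4-octet big-endian length; the high bit is reserved and must be zero.
HIGH_BIT = 0x80000000


@dataclass
class Finding:
    offset: int        # byte offset of the suspicious length prefix in the stream
    declared_len: int  # the length value read as an unsigned 32-bit integer
    reason: str


def scan_kerberos_tcp_stream(data: bytes) -> list[Finding]:
    """Walk a captured port-88 payload and report length prefixes that a
    legitimate KDC never sends (high bit set) or that exceed the capture."""
    findings = []
    pos = 0
    while pos + 4 <= len(data):
        declared = struct.unpack(">I", data[pos:pos + 4])[0]
        if declared >= HIGH_BIT:
            # Read as a signed 32-bit int this value is negative, which is how a
            # missing range check on the length becomes an integer overflow.
            signed = struct.unpack(">i", data[pos:pos + 4])[0]
            findings.append(Finding(pos, declared, f"high bit set (signed value {signed})"))
            break  # framing can no longer be trusted; stop walking this stream
        if declared > len(data) - pos - 4:
            # May only be a partial capture, but still worth surfacing.
            findings.append(Finding(pos, declared, "declared length exceeds captured data"))
            break
        pos += 4 + declared
    return findings


# Constructed sample streams: two well-framed messages, then one whose second
# message carries the 0x80000000 prefix from the detection guidance.
BENIGN_STREAM = (struct.pack(">I", 5) + b"\x30\x03\x02\x01\x05"
                 + struct.pack(">I", 3) + b"\x30\x01\x00")
SUSPICIOUS_STREAM = (struct.pack(">I", 2) + b"\x30\x00"
                     + struct.pack(">I", 0x80000000) + b"\x30\x00")

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN_STREAM), ("suspicious", SUSPICIOUS_STREAM)):
        for f in scan_kerberos_tcp_stream(stream):
            print(f"{name}: offset {f.offset}: length 0x{f.declared_len:08x}: {f.reason}")
```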
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 04 Mar 2025 18:45:04 +0000