• 0Patch : Micropatches for Kerberos Elevation of Privilege (CVE-2022-33647, CVE-.


    Micropatches for Kerberos Elevation of Privilege (CVE-2022-33647, CVE-2022-33679)

    https://blog.0patch.com/

    September 2022 Windows Updates brought a fix for an elevation of privilege vulnerability in Kerberos protocol, discovered by James Forshaw of Google Project Zero. James published a detailed analysis, and a POC was subsequently added to their Rubeus tool.

    Microsoft assigned James’ finding two separate CVE IDs, CVE-2022-33647 and CVE-2022-33679, but these really both have the same root cause, namely the fact that Kerberos supported two weak encryption types: RC4-MD4 (type -128) and RC4-HMAC-OLD (type -133).

    James demonstrated that downgrading encryption to RC4-MD4 can allow an attacker to extract the Ticket Granting Ticket (TGT) key and use it for requesting a new TGT for the targeted user, which can be used for launching any code on the domain controller as said user.

    Microsoft removed support for both weak encryption types from the Kerberos code. Our micropatch, written only for Windows Server 2008 R2 (the only server that didn’t get Microsoft’s patch) is logically equivalent to Microsoft’s:..

    This micropatch has already been distributed to all online Windows Server 2008 R2 computers running 0patch Agent with PRO or Enterprise license. To obtain the micropatch and have it applied on your computers along with our other micropatches, create an account in 0patch Central, install 0patch Agent and register it to your account with a PRO or Enterprise subscription. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.

    1 user thanked author for this post.
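A detection-side illustration of the two weak encryption types named in the post, added here as an example and not taken from the post, 0patch or Microsoft: it decodes the DER-encoded etype list (`SEQUENCE OF Int32`, RFC 4120) of a Kerberos request and reports any offer of type -128 or -133. It assumes the etype list bytes have already been extracted from a captured request; the function names and both sample byte strings are constructed for this example.

```python
# Added example: flag the weak Kerberos etypes named in the post
# when they appear in a request's DER-encoded etype list.
WEAK_ETYPES = {-128: "RC4-MD4", -133: "RC4-HMAC-OLD"}  # values from the post


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length: next n bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_etype_list(der):
    """Decode a DER SEQUENCE OF INTEGER into a list of signed ints."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    etypes, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x02 or not val:
            raise ValueError("expected non-empty INTEGER")
        # DER integers are two's complement, so 0x80 is -128 and 0xFF7B is -133.
        etypes.append(int.from_bytes(val, "big", signed=True))
    return etypes


def weak_etypes_offered(der):
    """Return (etype, name) pairs for every weak type present in the list."""
    return [(e, WEAK_ETYPES[e]) for e in decode_etype_list(der) if e in WEAK_ETYPES]


# Constructed samples: an AES-only list, and one that also offers -128 and -133.
SAMPLE_MODERN = bytes.fromhex("3006020112020111")
SAMPLE_DOWNGRADE = bytes.fromhex("300d0201120201170201800202ff7b")
```
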