Security Thoughts: Update for Windows Authentication Methods (KB3178465, MS16-101, CVE-2016-3237, CVE-2016-3300, Important)

Yesterday, during its August Patch Tuesday, Microsoft released security update KB3178465 for Windows Authentication Methods, among other security-related updates.

This update addresses two vulnerabilities in Microsoft's implementation of its authentication methods in Active Directory scenarios: CVE-2016-3237 and CVE-2016-3300.

 

About the vulnerabilities

Microsoft Kerberos Security Feature Bypass Vulnerability (CVE-2016-3237)

A security feature bypass vulnerability exists in Windows when Kerberos improperly handles a password change request and falls back to the NT LAN Manager (NTLM) authentication protocol as the default authentication protocol. An attacker who successfully exploited this vulnerability could use it to bypass Kerberos authentication. To exploit this vulnerability, an attacker would have to be able to launch a man-in-the-middle (MiTM) attack against the traffic passing between an Active Directory Domain Controller and the target machine, so that the Kerberos password change fails and the client downgrades to NTLM. The update addresses this vulnerability by preventing Kerberos from falling back to NTLM as the default authentication protocol during a domain account password change.
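Because the attack relies on a client silently downgrading from Kerberos to NTLM, a useful companion check is to see whether NTLM is still being used against your domain controllers at all. The following PowerShell is an added example and not part of the original post: it reads the NTLM audit events (ID 8004) that a domain controller writes when the policy "Network security: Restrict NTLM: Audit NTLM authentication in this domain" is set to anything other than Disable. The domain controller name and the one-day window are assumptions; the event data fields are extracted generically from the event XML so the script does not depend on their exact names.

```powershell
# Added example (not from the original post): list NTLM authentications
# audited on a domain controller over the last day, so you can spot NTLM use
# where Kerberos was expected (the downgrade path abused by CVE-2016-3237).
# Prerequisite: the DC must have "Network security: Restrict NTLM: Audit NTLM
# authentication in this domain" enabled, otherwise event 8004 is never logged.
$DC    = 'DC01'                      # hypothetical domain controller name
$Since = (Get-Date).AddDays(-1)      # assumed lookback window

$Events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8004                 # "NTLM authentication in this domain" audit
    StartTime = $Since
} -ErrorAction SilentlyContinue

foreach ($Event in $Events) {
    # Pull every <Data Name="..."> element out of the event so the output
    # shows user, domain, workstation and secure channel without hard-coding
    # the field names.
    $Fields = [ordered]@{ Time = $Event.TimeCreated }
    foreach ($Data in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $Fields[$Data.Name] = $Data.'#text'
    }
    [pscustomobject]$Fields
}
```

Run it from a workstation with remote event log access to the DC (the Event Log Readers group and the Remote Event Log Management firewall rule are the usual prerequisites). An empty result after the audit policy has been in place for a while is the outcome you want; repeated 8004 events for the same workstation around password changes are worth investigating.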

The vulnerability was responsibly disclosed to Microsoft by Nabeel Ahmed of Dimension Data.

The following supported Microsoft Operating Systems are susceptible to this vulnerability:

  • Windows Vista with Service Pack 2 x86
  • Windows Vista with Service Pack 2 x64
  • Windows Server 2008 with Service Pack 2 x86
  • Windows Server 2008 with Service Pack 2 x64
  • Windows Server 2008 with Service Pack 2 IA64
  • Windows 7 with Service Pack 1 x86
  • Windows 7 with Service Pack 1 x64
  • Windows Server 2008 R2 with Service Pack 1 x64
  • Windows Server 2008 R2 with Service Pack 1 IA64
  • Windows 8.1 x86
  • Windows 8.1 x64
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows RT 8.1
  • Windows 10 x86
  • Windows 10 x64
  • Windows 10 version 1511 x86
  • Windows 10 version 1511 x64
  • Windows 10 version 1607 x86
  • Windows 10 version 1607 x64

Both Server Core and Full Installation of the above Windows Server Operating Systems are susceptible to the vulnerability.

 

Microsoft Netlogon Elevation of Privilege Vulnerability (CVE-2016-3300)

An elevation of privilege vulnerability exists when Windows Netlogon improperly establishes a secure communications channel to a domain controller. An attacker who successfully exploited the vulnerability could run a specially crafted application on a domain-joined system. To exploit the vulnerability, an attacker would require access to a domain-joined machine that points to an Active Directory Domain Controller running either Windows Server 2012 or Windows Server 2012 R2. The update addresses the vulnerability by modifying how Netlogon handles the establishment of secure channels.

The following supported Microsoft Operating Systems are susceptible to this vulnerability:

  • Windows 8.1 x86
  • Windows 8.1 x64
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows RT 8.1

Both Server Core and Full Installation of the above Windows Server Operating Systems are susceptible to the vulnerability.

 

About the update

Update KB3167679 addresses the vulnerability described as CVE-2016-3237, except on Windows 10, where the fix is part of the cumulative updates KB3176492, KB3176493 and KB3176495 for Windows 10, Windows 10 version 1511 and Windows 10 version 1607, respectively.

Update KB3177108 addresses the vulnerability described as CVE-2016-3300.
On Windows Server 2012, however, KB3177108 fixes both vulnerabilities.

A system restart is required after you apply this security update.

Non-security-related fixes that are included in this security update

This security update also fixes a non-security-related issue in scenarios with a domain-joined Scale-Out File Server (SoFS) on a domainless cluster: when an SMB client that is running either Windows 8.1 or Windows Server 2012 R2 connects to a node that is down, authentication fails.

Mitigating factors

The vulnerability described as CVE-2016-3237 cannot be exploited when BitLocker is enabled with a PIN or USB key and the machine is turned off.

Microsoft has not identified any mitigating factors for the vulnerability described as CVE-2016-3300.

Workarounds

Microsoft has not identified any workarounds for these vulnerabilities.

 

Known issues

If you install a language pack after you install this update, you must reinstall this update.

Currently, the ability to change the passwords of disabled or locked-out accounts is supported only by NTLM; it is not supported by the Kerberos protocol. This security update prevents the Negotiate process from falling back to NTLM for password change operations when Kerberos authentication fails. Therefore, you will no longer be able to change the password for disabled or locked-out accounts after you install this security update. Changing disabled or locked-out user account passwords over NTLM is not secure, which is why this security update disables the ability of Negotiate to fall back to NTLM.

Note:
Even though you can no longer change the password for disabled or locked accounts, you can set the password by using Active Directory-based tools.
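The practical consequence for helpdesk and incident response scripts is the distinction between a password change (the user supplies the current password, the path that used to fall back to NTLM) and an administrative password reset (an administrator sets a new password without the old one, which the note above refers to as setting the password with Active Directory-based tools). The PowerShell below is an added example, not code from the original post or from Microsoft: it inspects the account state and uses the reset path for disabled or locked-out accounts. The account name is hypothetical and the passwords are prompted for.

```powershell
# Added example (not from the original post): after MS16-101 a password
# *change* for a disabled or locked-out account no longer works, but an
# administrative *reset* through the Active Directory cmdlets still does.
Import-Module ActiveDirectory

$User        = 'jdoe'                                    # hypothetical sAMAccountName
$NewPassword = Read-Host -AsSecureString -Prompt "New password for $User"

$Account = Get-ADUser -Identity $User -Properties Enabled, LockedOut

if (-not $Account.Enabled -or $Account.LockedOut) {
    # Reset path: the administrator sets the password directly on the
    # directory object, so no authentication as the target account (and
    # therefore no Kerberos-to-NTLM fallback) is involved.
    Write-Host "$User is disabled or locked out; performing an administrative reset."
    Set-ADAccountPassword -Identity $User -Reset -NewPassword $NewPassword

    if ($Account.LockedOut) {
        Unlock-ADAccount -Identity $User
    }
    # Make the user choose their own password at next logon. Re-enabling a
    # disabled account is a separate decision and is deliberately not done here.
    Set-ADUser -Identity $User -ChangePasswordAtLogon $true
}
else {
    # Change path for an enabled, unlocked account: requires the current
    # password, exactly as a user-initiated change would.
    $OldPassword = Read-Host -AsSecureString -Prompt "Current password for $User"
    Set-ADAccountPassword -Identity $User -OldPassword $OldPassword -NewPassword $NewPassword
}
```

The reset branch requires the Reset Password permission on the user object (delegated or via Account Operators/Domain Admins), which is exactly what you want: the privilege to set a password on a disabled account should be an administrative one, not something any client can do over a downgraded protocol.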

 

Call to action

I urge you to install the necessary security updates (KB3167679, KB3176492, KB3176493, KB3176495 and/or KB3177108) on systems in a test environment as soon as possible, assess the risk and possible impact on your production environment and then roll out this update to systems in the production environment.

Additionally, any support and/or incident response practices involving resetting passwords for disabled or locked-out accounts should be changed to use Active Directory-based tools.
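To verify the rollout, the following PowerShell is an added example (not part of the original post) that maps each machine's Windows build number to the KB(s) named on this page and reports which are missing. The computer names are hypothetical, and the build-to-KB table follows this page's description of the update (including KB3177108 covering both vulnerabilities on Windows Server 2012). One caveat for Windows 10: cumulative updates are superseded by later ones, so a missing August KB there means "check which cumulative update is installed", not necessarily "unpatched".

```powershell
# Added example (not from the original post): report MS16-101 patch status
# for a list of domain-joined machines. Requires WinRM (Get-CimInstance) and
# remote WMI (Get-HotFix) access to the targets, and PowerShell 3.0 or later.
$Computers = 'DC01', 'FS01', 'WS-1234'            # hypothetical computer names

# Windows build number -> KB(s) that MS16-101 delivers for that OS,
# as listed in the "About the update" section above.
$RequiredKBs = @{
    '6002'  = @('KB3167679')                      # Vista SP2 / Server 2008 SP2
    '7601'  = @('KB3167679')                      # Windows 7 SP1 / Server 2008 R2 SP1
    '9200'  = @('KB3177108')                      # Windows Server 2012 (fixes both CVEs)
    '9600'  = @('KB3167679', 'KB3177108')         # Windows 8.1 / Server 2012 R2
    '10240' = @('KB3176492')                      # Windows 10 (RTM) cumulative update
    '10586' = @('KB3176493')                      # Windows 10 version 1511 cumulative update
    '14393' = @('KB3176495')                      # Windows 10 version 1607 cumulative update
}

$Results = foreach ($Computer in $Computers) {
    try {
        $OS     = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop
        $Build  = [string]$OS.BuildNumber
        $Needed = $RequiredKBs[$Build]

        if (-not $Needed) {
            # Build not covered by MS16-101 (or a newer Windows 10 release): flag for manual review.
            [pscustomobject]@{ Computer = $Computer; OS = $OS.Caption; Build = $Build
                               Missing = '(build not in MS16-101 table)'; Status = 'Unknown' }
            continue
        }

        $Installed = (Get-HotFix -ComputerName $Computer -ErrorAction Stop).HotFixID
        $Missing   = @($Needed | Where-Object { $_ -notin $Installed })

        [pscustomobject]@{
            Computer = $Computer
            OS       = $OS.Caption
            Build    = $Build
            Missing  = ($Missing -join ', ')
            Status   = if ($Missing.Count -gt 0) { 'MISSING' } else { 'OK' }
        }
    }
    catch {
        # Unreachable or access denied: report rather than silently skip.
        [pscustomobject]@{ Computer = $Computer; OS = $null; Build = $null
                           Missing = $null; Status = "Error: $($_.Exception.Message)" }
    }
}

$Results | Format-Table -AutoSize
```

Because a "Status" of Unknown or Error is reported explicitly, the list can be fed straight into a ticket or a WSUS/SCCM follow-up rather than giving a false sense of full coverage.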

Further reading

Microsoft Security Bulletin Summary for August 2016
August Patch Tuesday 2016
Microsoft Patch Tuesday – August 2016

One Response to Security Thoughts: Update for Windows Authentication Methods (KB3178465, MS16-101, CVE-2016-3237, CVE-2016-3300, Important)

  1.  

    I was trying to change the password of an active user; the user is not a disabled nor a locked-out account.
    Even so, it fails to change the password, getting error 0x800704F1 “the system cannot contact a domain controller to service the authentication request”.
    Note: no password policies are configured.

    Installed on DC(2012 R2)
    MS16-097:3178034
    MS16-098:3177725
    MS16-095:3175443
    MS16-101:3167679/3177108

    Client Machine:win 8.1
    MS16-101:3167679 and 3177108

    Do you have any suggestion for this? Please let me know.
