Two weeks ago, for its July 2021 Patch Tuesday, Microsoft released an important security update for the Windows Key Distribution Center, found on Active Directory Domain Controllers. Today, an update to that original update was issued to relieve some of the pain points.

About the vulnerability

An information disclosure vulnerability exists in the way the Windows Key Distribution Service (KDC) communicates with devices that do not comply with section 3.2.1 of the RFC4556 specification.

In this case a weak encryption algorithm or cipher is used. Traffic sent over a network by the vulnerable component could be decrypted and expose information related to a user or service's active session.

Affected Operating Systems

Domain Controllers running on all supported Windows Server versions are vulnerable, including the semi-annual channel (SAC) releases. Updates for these Operating Systems are available to address the issue:

• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2016
• Windows Server 2019
• Windows Server, version 2004
• Windows Server, version 20H2

MITIGATIONS

Microsoft has not identified any mitigating factors for this vulnerability.

About the update

The July 13, 2021 update addresses the vulnerability by blocking devices that initiate Kerberos PKINIT with key-exchange in encryption mode but neither support nor tell the Domain Controller that they support des-ede3-cbc.

Known issues with the initial update

The initial update caused issues. Noncompliant printers, scanners, and multifunction devices did not work when you use smart card authentication (PIV). Devices that are affected when using smart card (PIV) authentication should work as expected when using username and password authentication.

The affected devices are smart card-authenticating printers, scanners, and multifunction devices that don’t support:

1. don't support Diffie-Hellman (DH) for key-exchange during PKINIT Kerberos authentication, or
2. don't advertise support for des-ede3-cbc during the Kerberos AS request.

Per section 3.2.1 of RFC4556, for this key exchange to work, the client has to both support and notify the key distribution center (KDC) of their support for des-ede3-cbc.

About the new update

The July 29, 2021 update temporarily addresses this issue. However, to allow non-RFC4556-compliant devices, you must enable this temporary mitigation using a registry key.

Important
You must have your non-compliant devices updated and compliant or replaced by February 8, 2022. After that, the mitigation stops working.

Use the following line of Windows PowerShell on each Domain Controller to enable the temporary mitigation:

New-ItemProperty –path "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc" 
-name Allow3DesFallback -value 1 -PropertyType DWORD –Force

Next steps

The above mitigation allows your organization time to remediate the situation.

If you encounter this issue with your printing or scanning devices, verify that you are using the latest firmware and drivers available for your device. Contact the device manufacturer to ask if a configuration change is required to bring the device into compliance with the hardening change for CVE-2021-33764 or if a compliant update will be available before February 8, 2022.