Reference: CERT-EU Security Advisory 2014-253
Title: Microsoft Security Bulletin MS14-068 - Critical Vulnerability in Kerberos Could Allow Elevation of Privileges (MS KB 3011780)
Version history: 18.11.2014 Initial publication.

Dear Colleagues,

Please find below details regarding a critical vulnerability in Kerberos that could allow elevation of privileges in a Microsoft Windows environment.

Details:

The vulnerability in the Microsoft Windows Kerberos KDC could allow an attacker to elevate the privileges of an unprivileged domain user account to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials.

Microsoft is providing a security update to patch this vulnerability. This security update is rated Critical for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. The update is also being provided on a defense-in-depth basis for all supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1.

For more information about this update, see Microsoft Knowledge Base Article 3011780 [2], Microsoft Security Bulletin MS14-068 [1], and CERT-EU Security Advisory 2014-252 [7].

According to a Microsoft blog post [6], "The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain." [5]

Recommendation:

Recommendation is to apply the provided update immediately [3],[4].
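Since the advisory rates the update Critical for every supported server edition and the KDC runs on domain controllers, the first verification step after deployment is confirming that no domain controller is still missing KB 3011780. The following PowerShell script is an added example, not part of the CERT-EU advisory or Microsoft's material; it assumes the ActiveDirectory RSAT module is available on the admin workstation and that the account running it can query the domain controllers remotely (Get-HotFix uses WMI/DCOM). The KB identifier is the one named in the advisory.

```powershell
# Added example (not from the advisory): report which domain controllers have
# the MS14-068 update (KB3011780) installed and which do not.
# Assumptions: ActiveDirectory module present, remote WMI access to each DC.

$Kb = 'KB3011780'   # update identifier from MS14-068 / KB 3011780

Import-Module ActiveDirectory -ErrorAction Stop

# Enumerate every domain controller in the current domain by DNS host name.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    # Distinguish "unreachable" from "reachable but unpatched" so that a
    # network failure is not reported as a missing update or vice versa.
    if (-not (Test-Connection -ComputerName $dc -Count 1 -Quiet)) {
        [pscustomobject]@{ DomainController = $dc; Status = 'Unreachable'; InstalledOn = $null }
        continue
    }

    # Get-HotFix returns nothing (and writes a non-terminating error) when the
    # requested KB is absent, so a null result means the DC is unpatched.
    $fix = Get-HotFix -Id $Kb -ComputerName $dc -ErrorAction SilentlyContinue

    if ($fix) {
        [pscustomobject]@{ DomainController = $dc; Status = 'Patched';   InstalledOn = $fix.InstalledOn }
    } else {
        [pscustomobject]@{ DomainController = $dc; Status = 'Unpatched'; InstalledOn = $null }
    }
}

$results | Sort-Object Status, DomainController | Format-Table -AutoSize

# Exit non-zero when any DC is unpatched or could not be verified, so the
# script can gate a change ticket or a scheduled compliance job.
$outstanding = @($results | Where-Object { $_.Status -ne 'Patched' })
if ($outstanding.Count -gt 0) {
    Write-Warning ("{0} domain controller(s) still need attention for {1}" -f $outstanding.Count, $Kb)
    exit 1
}
```

The script only checks patch state; it says nothing about whether the vulnerability was already exploited before the update landed. For that question the quoted Microsoft guidance applies: where a domain compromise is suspected, patch status alone is not sufficient evidence that the domain is clean.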
References:

[1] https://technet.microsoft.com/library/security/MS14-068
[2] https://support.microsoft.com/kb/3011780
[3] http://blogs.technet.com/b/msrc/archive/2014/11/18/out-of-band-release-for-security-bulletin-ms14-068.aspx
[4] http://krebsonsecurity.com/2014/11/microsoft-releases-emergency-security-update/
[5] http://www.eweek.com/security/microsoft-issues-emergency-patch-for-kerberos-bug.html
[6] http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx
[7] CERT-EU Security Advisory 2014-252

Best Regards,
CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html