Microsoft fixes new Windows Kerberos security bug in staged rollout (Security News, December 2020)
Microsoft has issued security updates to address a Kerberos security feature bypass vulnerability impacting multiple Windows Server versions in a two-phase staged rollout.
The vulnerability impacts only Windows server platforms, from Windows Server 2012 up to the latest release, Windows Server, version 20H2. Microsoft's security advisory says that there is no evidence of active exploitation of this security bug in the wild, nor of publicly available CVE-2020-16996 exploit code.
The CVE-2020-17049 security updates caused Kerberos authentication problems on patched enterprise domain controllers, including authentication issues in S4U scenarios and cross-realm referral failures for Kerberos referral tickets on Windows and non-Windows devices.
One week after the release of the security updates, Microsoft released out-of-band optional updates to fix the Kerberos authentication issues on all impacted Windows versions.
To comprehensively address CVE-2020-17049, Microsoft has released new CVE-2020-17048 security updates on the December 2020 Patch Tuesday with "Fixes for all known issues originally introduced by the November 10, 2020 security updates."
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-12-10 | CVE-2020-16996 | Unspecified vulnerability in Microsoft products: Kerberos Security Feature Bypass Vulnerability | 6.5 |
| 2020-11-11 | CVE-2020-17048 | Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge: Chakra Scripting Engine Memory Corruption Vulnerability | 4.2 |
| 2020-11-11 | CVE-2020-17049 | Incorrect Authorization vulnerability in multiple products. A security feature bypass vulnerability exists in the way the Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it. The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD. | 6.6 |