Microsoft fixes new Windows Kerberos security bug in staged rollout
Security News, December 2020

Microsoft has issued security updates to address a Kerberos security feature bypass vulnerability (CVE-2020-16996) affecting multiple Windows Server versions. The fix is being delivered in a two-phase staged rollout: an initial deployment phase that began with the December 8, 2020 updates, followed by an enforcement phase scheduled for February 9, 2021.
The vulnerability affects only Windows Server platforms, from Windows Server 2012 through the latest release, Windows Server, version 20H2. Microsoft's security advisory states that there is no evidence of in-the-wild exploitation of this bug or of publicly available CVE-2020-16996 exploit code.
The November 10, 2020 security updates for CVE-2020-17049 caused Kerberos authentication problems on patched enterprise domain controllers, including authentication failures in S4U (Service for User) delegation scenarios and cross-realm referral failures for Kerberos referral tickets on both Windows and non-Windows devices.
One week after those updates were released, Microsoft published out-of-band optional updates to fix the Kerberos authentication issues on all affected Windows versions.
To comprehensively address CVE-2020-17049, Microsoft released the new CVE-2020-16996 security updates on December 2020 Patch Tuesday, with "Fixes for all known issues originally introduced by the November 10, 2020 security updates."
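Because the staged rollout only protects a domain once every domain controller has the update and the KDC is moved to enforcement, the practical question for an administrator is which phase each DC is currently in. The following PowerShell is an added example, not code from the article and not Microsoft's own tooling. It assumes the PerformTicketSignature REG_DWORD under HKLM\SYSTEM\CurrentControlSet\Services\Kdc that Microsoft's deployment guidance for the CVE-2020-17049 fix documents (0 = disabled, 1 = deployment mode, 2 = enforcement mode), and that the ActiveDirectory module and WinRM access to the DCs are available; nothing on this page names that registry value.

```powershell
# Added example (not from the article): audit the Kerberos ticket-signature rollout phase
# on every domain controller. Assumes the PerformTicketSignature value documented in
# Microsoft's deployment guidance for the CVE-2020-17049 fix, plus the ActiveDirectory
# module and WinRM access to each DC.

function Get-KdcTicketSignatureMode {
    [CmdletBinding()]
    param([string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
        $name = 'PerformTicketSignature'
        $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue

        if ($null -eq $prop) {
            # Value absent: an updated KDC behaves as if it were 1 (deployment mode);
            # an unpatched KDC ignores the value entirely, so the patch state matters too.
            $value = $null
            $mode  = 'not set (deployment mode if the update is installed)'
        }
        else {
            $value = $prop.$name
            $mode  = switch ($value) {
                0       { 'disabled: no ticket signatures, tampered KCD tickets still accepted' }
                1       { 'deployment mode: signatures added, unsigned tickets still accepted' }
                2       { 'enforcement mode: tickets without a valid signature rejected' }
                default { "unrecognised value $value" }
            }
        }

        # Crude patch-state hint: the most recently installed update on this DC.
        $latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1

        [pscustomobject]@{
            DC            = $env:COMPUTERNAME
            Value         = $value
            Mode          = $mode
            LatestHotFix  = $latest.HotFixID
            LatestInstall = $latest.InstalledOn
        }
    }
}

# Enumerate every DC in the current domain. Enforcement (2) should not be set until all of
# them carry the December 2020 update, otherwise tickets issued by a not-yet-updated DC
# will be rejected by the enforcing ones.
$dcs    = (Get-ADDomainController -Filter *).HostName
$report = Get-KdcTicketSignatureMode -ComputerName $dcs
$report | Format-Table DC, Value, Mode, LatestHotFix, LatestInstall -AutoSize

if (($report.Value -contains 2) -and ($report | Where-Object { $_.Value -ne 2 })) {
    Write-Warning 'Mixed modes: some DCs enforce ticket signatures while others do not.'
}
```

Run it from a domain-joined admin workstation; the warning at the end flags the state that the November known issues made painful, a forest where enforcement is switched on for only part of the DC population.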
Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2020-12-10 | CVE-2020-16996 | Kerberos Security Feature Bypass Vulnerability (unspecified vulnerability in Microsoft products) | 0.0
2020-11-11 | CVE-2020-17048 | Scripting Engine Memory Corruption Vulnerability (out-of-bounds write in Microsoft ChakraCore and Edge Chakra) | 0.0
2020-11-11 | CVE-2020-17049 | Incorrect Authorization vulnerability in multiple products. A security feature bypass vulnerability exists in the way the Key Distribution Center (KDC) determines whether a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit it, a compromised service configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it. The update addresses this by changing how the KDC validates service tickets used with KCD. | 0.0