
Summary

The Windows security updates released on or after April 9, 2024 address elevation of privilege vulnerabilities with the Kerberos PAC Validation Protocol. The Privilege Attribute Certificate (PAC) is an extension to Kerberos service tickets. It contains information about the authenticating user and their privileges. This update fixes a vulnerability where the user of the process can spoof the signature to bypass PAC signature validation security checks added in KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967.

To learn more about these vulnerabilities, visit CVE-2024-26248 and CVE-2024-29056.

Take Action

IMPORTANT Step 1 to install the update released on or after April 9, 2024 will NOT fully address the security issues in CVE-2024-26248 and CVE-2024-29056 by default. To fully mitigate the security issue for all devices, you must move to Enforced mode (described in Step 3) once your environment is fully updated.

To help protect your environment and prevent outages, we recommend the following steps:

  1. UPDATE: Windows domain controllers and Windows clients must be updated with a Windows security update released on or after April 9, 2024.

  2. MONITOR: Audit events will be visible in Compatibility mode to identify devices not updated.

  3. ENABLE: After Enforcement mode is fully enabled in your environment, the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056 will be mitigated.

Background

When a Windows workstation performs PAC Validation on an inbound Kerberos authentication flow, it issues a new request (Network Ticket Logon) to validate the service ticket. The request is initially forwarded through Netlogon to a domain controller (DC) in the workstation's domain.

If the service account and the computer account belong to different domains, the request is carried across the necessary trusts through Netlogon until it reaches the service account's domain; otherwise, a DC in the computer account's domain performs the validation. The DC then calls the Key Distribution Center (KDC) to validate the PAC signatures of the service ticket and sends user and device information back to the workstation.

If the request and reply are forwarded across a trust (in the case where the service account and workstation account belong to different domains), each DC across the trust filters authorization data that pertains to it.

Timeline of changes

Updates are released as follows. Note that this release schedule might be revised as needed.

The initial deployment phase starts with the updates released on April 9, 2024. This update adds new behavior that prevents the elevation of privilege vulnerabilities described in CVE-2024-26248 and CVE-2024-29056 but does not enforce it unless both Windows domain controllers and Windows clients in the environment are updated.

To enable the new behavior and to mitigate the vulnerabilities, you must make sure your entire Windows environment (including both domain controllers and clients) is updated. Audit Events will be logged to help identify devices not updated.

Updates released on or after October 15, 2024, will move all Windows domain controllers and clients in the environment to Enforced mode by changing the registry subkey settings to PacSignatureValidationLevel=3 and CrossDomainFilteringLevel=4, enforcing the secure behavior by default.

The Enforced by Default settings can be overridden by an Administrator to revert to Compatibility mode.

The Windows security updates released on or after April 8, 2025, will remove support for the registry subkeys PacSignatureValidationLevel and CrossDomainFilteringLevel and enforce the new secure behavior. There will be no support for Compatibility mode after installing this update.

Potential issues and mitigations

There are potential issues that may arise, including PAC validation and cross-forest filtering failures. The April 9, 2024, security update includes fallback logic and registry settings to help mitigate these issues.

Registry settings

This security update is offered to all Windows devices (including domain controllers). The following registry values that control the behavior only need to be deployed to the Kerberos server that accepts inbound Kerberos authentication and performs PAC Validation.

Registry subkey    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value              PacSignatureValidationLevel
Data type          REG_DWORD
Data               2 = Default (Compatibility with unpatched environment)
                   3 = Enforce
Restart required?  No

Registry subkey    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value              CrossDomainFilteringLevel
Data type          REG_DWORD
Data               2 = Default (Compatibility with unpatched environment)
                   4 = Enforce
Restart required?  No

This registry key can be deployed to both Windows servers accepting inbound Kerberos authentication, as well as any Windows Domain Controller that is validating the new Network Ticket Logon flow along the way.

Registry subkey    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value              AuditKerberosTicketLogonEvents
Data type          REG_DWORD
Data               1 = Default: log Critical events
                   2 = Log all Netlogon events
                   0 = Do not log Netlogon events
Restart required?  No
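The following script is an added example and is not part of the KB article. It reads the three registry values documented above (treating an absent value as the built-in default of 2, 2 and 1), reports whether the host is effectively in Compatibility or Enforced mode, and can switch between the two modes from the Take Action steps. The script name and parameter names are assumptions; run it elevated on the Kerberos server that accepts inbound authentication.

```powershell
# Added example, not part of the KB: report the PAC validation registry
# values this article documents and optionally switch modes.
# Run elevated on the Kerberos server accepting inbound authentication;
# AuditKerberosTicketLogonEvents may also be set on DCs in the forwarding path.
param(
    # Audit = report only; Enforce = 3/4 (Enforced mode); Compatibility = 2/2.
    [ValidateSet('Audit', 'Enforce', 'Compatibility')]
    [string]$Mode = 'Audit',

    # Netlogon audit level: 0 = off, 1 = critical only (5842), 2 = all (adds 5843).
    # Only written when -Mode is Enforce or Compatibility.
    [ValidateSet(0, 1, 2)]
    [int]$AuditKerberosTicketLogonEvents = 1
)

$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$nlKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-DwordOrDefault {
    param([string]$Path, [string]$Name, [int]$Default)
    # A missing value means the built-in default applies (2, 2 and 1 per the KB).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Set-Dword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # Set-ItemProperty creates the value if it does not exist yet.
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    Write-Host "Set $Name = $Value"
}

# 1. Report the effective state before touching anything.
$pac   = Get-DwordOrDefault $kerbKey 'PacSignatureValidationLevel'    2
$xdom  = Get-DwordOrDefault $kerbKey 'CrossDomainFilteringLevel'      2
$audit = Get-DwordOrDefault $nlKey   'AuditKerberosTicketLogonEvents' 1

$state = if ($pac -ge 3 -and $xdom -ge 4) { 'Enforced' }
         elseif ($pac -ge 3 -or $xdom -ge 4) { 'Partially enforced (event 23 is logged as an Error)' }
         else { 'Compatibility (fallback allowed; still exposed to CVE-2024-26248 / CVE-2024-29056)' }

[pscustomobject]@{
    PacSignatureValidationLevel    = $pac
    CrossDomainFilteringLevel      = $xdom
    AuditKerberosTicketLogonEvents = $audit
    EffectiveMode                  = $state
} | Format-List

# 2. Apply the requested mode. None of these values require a restart.
switch ($Mode) {
    'Enforce' {
        Set-Dword $kerbKey 'PacSignatureValidationLevel'    3
        Set-Dword $kerbKey 'CrossDomainFilteringLevel'      4
        Set-Dword $nlKey   'AuditKerberosTicketLogonEvents' $AuditKerberosTicketLogonEvents
    }
    'Compatibility' {
        Set-Dword $kerbKey 'PacSignatureValidationLevel'    2
        Set-Dword $kerbKey 'CrossDomainFilteringLevel'      2
        Set-Dword $nlKey   'AuditKerberosTicketLogonEvents' $AuditKerberosTicketLogonEvents
    }
}
```

Run it without parameters first to see the effective mode; `-Mode Enforce -AuditKerberosTicketLogonEvents 2` moves the host to Enforced mode and turns on event 5843, which the KB recommends only after the whole fleet is updated. Once the April 8, 2025 update is installed these values are no longer honored, so the script's report is meaningful only on hosts between the April 2024 and April 2025 updates.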

Event logs

The following Kerberos audit events will be generated on the Kerberos Server that accepts inbound Kerberos authentication. This Kerberos server will be doing PAC Validation, which uses the new Network Ticket Logon Flow.

Event log      System
Event type     Informational
Event source   Security-Kerberos
Event ID       21
Event text     During Kerberos Network Ticket Logon, the service ticket for Account <Account> from Domain <Domain> had the following actions done to it by DC <Domain Controller>. For more information, please visit https://go.microsoft.com/fwlink/?linkid=2262558.

               <Action>

This event is shown when a Domain Controller took a non-fatal action during a Network Ticket Logon flow. As of now, the following actions are logged:

  • User SIDs were filtered.

  • Device SIDs were filtered.

  • Compound identity was removed due to SID filtering disallowing the device's identity.

  • Compound identity was removed due to SID filtering disallowing the device's domain name.

Event log      System
Event type     Error
Event source   Security-Kerberos
Event ID       22
Event text     During Kerberos Network Ticket Logon, the service ticket for Account <Account> from Domain <Domain> was denied by DC <DC> due to the reasons below. For more information, please visit https://go.microsoft.com/fwlink/?linkid=2262558.

               Reason: <Reason>
               ErrorCode: <Error Code>

This event is shown when a Domain Controller denied the Network Ticket Logon request for the reasons shown in the event.

Event log      System
Event type     Warning or Error
Event source   Security-Kerberos
Event ID       23
Event text     During Kerberos Network Ticket Logon, the service ticket for Account <account_name> from Domain <domain_name> could not be forwarded to a Domain Controller to service the request. For more information, please visit https://go.microsoft.com/fwlink/?linkid=2262558.

  • This event is shown as a warning if PacSignatureValidationLevel AND CrossDomainFilteringLevel are not set to Enforce or stricter. When logged as a warning, the event indicates that the Network Ticket Logon flows contacted a domain controller or equivalent device that did not understand the new mechanism. The authentication was allowed to fallback to previous behavior.

  • This event shows as an error if PacSignatureValidationLevel OR CrossDomainFilteringLevel is set to Enforce or stricter. This event as “error” indicates that the Network Ticket Logon flow contacted a domain controller or equivalent device that did not understand the new mechanism. The authentication was denied, and could not fallback to previous behavior.

Event log      System
Event type     Error
Event source   Netlogon
Event ID       5842
Event text     The Netlogon service encountered an unexpected error when processing a Kerberos Network Ticket Logon request. For more information, please visit https://go.microsoft.com/fwlink/?linkid=2261497.

               Service Ticket Account: <Account>
               Service Ticket Domain: <Domain>
               Workstation Name: <Machine Name>
               Status: <Error Code>

This event is generated whenever Netlogon encountered an unexpected error during a Network Ticket logon request. This event is logged when AuditKerberosTicketLogonEvents is set to (1) or higher.

Event log      System
Event type     Warning
Event source   Netlogon
Event ID       5843
Event text     The Netlogon service failed to forward a Kerberos Network Ticket Logon request to the Domain Controller <DC>. For more information, please visit https://go.microsoft.com/fwlink/?linkid=2261497.

               Service Ticket Account: <Account>
               Service Ticket Domain: <Domain>
               Workstation Name: <Machine Name>

This event is generated whenever Netlogon could not complete the Network Ticket Logon because a Domain Controller did not understand the changes. Because of limitations in the Netlogon protocol, the Netlogon client is unable to determine whether the Domain Controller that the Netlogon client is talking to directly is the one that does not understand the changes, or whether it is a Domain Controller along the forwarding chain that does not understand the changes.

  • If the Service Ticket Domain is the same as the machine account's domain, it is likely that the Domain Controller named in the event does not understand the Network Ticket Logon flow.

  • If the Service Ticket Domain is different from the machine account's domain, one of the domain controllers along the path from the machine account's domain to the service account's domain did not understand the Network Ticket Logon flow.

This event is off-by-default. Microsoft recommends that users first update their entire fleet before turning the event on.

This event is logged when AuditKerberosTicketLogonEvents is set to (2).
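The following script is an added example and is not part of the KB article. It implements the MONITOR step by sweeping the System log on one or more Kerberos servers for the five events listed above and grouping them by the domain controller the event text names, so the DCs that still need the update stand out. The provider-name filter (`Security-Kerberos`, `Netlogon`) and the regular expressions used to pull the DC name out of the message are assumptions derived from the event text quoted in this article.

```powershell
# Added example, not part of the KB: sweep the System log on one or more
# Kerberos servers for the PAC validation events this article lists
# (Security-Kerberos 21-23, Netlogon 5842-5843) and summarize which
# domain controllers they point at. The provider filter and the message
# regexes are assumptions based on the event text quoted in the KB.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$Days = 7
)

$filter = @{
    LogName   = 'System'
    Id        = 21, 22, 23, 5842, 5843
    StartTime = (Get-Date).AddDays(-$Days)
}

$events = foreach ($computer in $ComputerName) {
    try {
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
            # IDs 21-23 are reused by unrelated providers in the System log;
            # keep only the two sources named in the KB.
            Where-Object { $_.ProviderName -match 'Security-Kerberos|Netlogon' } |
            ForEach-Object {
                $evt = $_   # $_ is rebound inside switch, so capture the event first
                $msg = $evt.Message
                # Recover the DC named in the event text (assumed patterns):
                # 21/22: "... by DC <DC>."  / "... by DC <DC> due to ..."
                # 5843:  "... to the Domain Controller <DC>."
                $dc = if ($msg -match 'by DC (\S+?)(?:\.\s| due)') { $Matches[1] }
                      elseif ($msg -match 'Domain Controller (\S+?)\.\s') { $Matches[1] }
                      else { '<not in message>' }
                $meaning = switch ($evt.Id) {
                    21   { 'Non-fatal: DC filtered SIDs or removed compound identity' }
                    22   { 'Denied: DC rejected the Network Ticket Logon' }
                    23   { if ($evt.LevelDisplayName -eq 'Warning') {
                               'Fell back to legacy PAC validation: a DC in the path is not updated'
                           } else {
                               'Denied under Enforce: a DC in the path is not updated'
                           } }
                    5842 { 'Netlogon unexpected error during Network Ticket Logon' }
                    5843 { 'Netlogon could not forward: a DC in the path is not updated' }
                }
                [pscustomobject]@{
                    Computer = $computer
                    Time     = $evt.TimeCreated
                    Id       = $evt.Id
                    Level    = $evt.LevelDisplayName
                    DC       = $dc
                    Meaning  = $meaning
                }
            }
    } catch {
        # Get-WinEvent throws when no matching events exist or the host is unreachable.
        Write-Warning ('{0}: {1}' -f $computer, $_.Exception.Message)
    }
}

# Per-host, per-event-ID counts: where fallback and denials are still happening.
$events | Group-Object Computer, Id | Select-Object Count, Name | Sort-Object Name |
    Format-Table -AutoSize

# Events 23 and 5843 are the ones that single out an unpatched DC (or a DC on the
# path to one); finish updating these before moving the fleet to Enforced mode.
$events |
    Where-Object { $_.Id -in 23, 5843 } |
    Group-Object DC |
    Select-Object @{ n = 'DomainController'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Point `-ComputerName` at the servers that accept inbound Kerberos authentication (file servers, web servers, and so on), since that is where events 21 through 23 are written; 5843 only appears once AuditKerberosTicketLogonEvents is set to 2. A DC that shows up under event 23 for a ticket from the same domain as the reporting machine is the likely unpatched host; for cross-domain tickets the culprit may be any DC along the trust path, as the 5843 description above explains.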

Frequently Asked Questions (FAQ)

A domain controller that is not updated will not recognize the new request structure, so the security check fails. In Compatibility mode the old request structure is used instead. This scenario is still vulnerable to CVE-2024-26248 and CVE-2024-29056.

Yes. This is because the new Network Ticket Logon flow may have to be routed across domains to reach the domain of the service account.

PAC Validation may be skipped in certain circumstances, including, but not limited to, the following scenarios:

  • If the service has TCB privilege. Generally, services running under the context of the SYSTEM account (such as SMB File Shares, or LDAP servers) have this privilege.

  • If the service is run from Task Scheduler.

Otherwise, PAC Validation is performed on all inbound Kerberos Authentication Flows.

These CVEs involve a local elevation of privilege in which a malicious or compromised service account running on the Windows workstation attempts to elevate its privileges to gain local administrator rights. This means that only the Windows workstation accepting inbound Kerberos authentication is affected.
