New vulnerability in Domain Controllers makes credential theft in AD a “piece of cake”

By Roy, on May 4th, 2016

A new patch released yesterday by Microsoft for Active Directory Domain Controller servers revealed a critical vulnerability, CVE-2014-6324.


The vulnerability is an elevation-of-privilege flaw in the Windows Kerberos implementation, and it is being exploited in the wild in limited, targeted attacks. “CVE-2014-6324 allows remote elevation of privilege in domains running Windows domain controllers. An attacker with the credentials of any domain user can elevate their privileges to that of any other account on the domain (including domain administrator accounts).” In other words, any domain user can easily perform a credential theft attack.


The vulnerability is classified as very critical for Domain Controllers running on Windows 2008 R2 and below. The credential theft is relevant not only to Active Directory but to every Windows machine.


Microsoft's recommendation for remediation is to deploy the patch and recreate your domain: “The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain. An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed. Therefore it is critical to install the update immediately.” The bottom line is that in order to prevent credential theft attacks, organizations must deploy the patch and rebuild the domain.
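The first thing to verify after reading that recommendation is which Domain Controllers actually have the update, and which of them sit in the Windows 2008 R2-and-below tier the post calls very critical. The script below is an added example, not code from the original post or from CHS; it assumes a domain-joined admin workstation with the ActiveDirectory RSAT module and WMI reachability to the DCs, and the KB number is a placeholder to be taken from Microsoft's bulletin for CVE-2014-6324.

```powershell
# Added example: audit every domain controller for the CVE-2014-6324 update.
# Assumptions: ActiveDirectory module available, WMI/DCOM reachable on each DC.
$KbId = 'KBnnnnnnn'   # placeholder: replace with the KB id from Microsoft's CVE-2014-6324 bulletin

Import-Module ActiveDirectory

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    try {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $name -ErrorAction Stop

        # Windows Server 2008 R2 is NT 6.1; anything below 6.2 is the post's "very critical" tier.
        $legacy = [version]$os.Version -lt [version]'6.2'

        # Get-HotFix returns nothing when the update is absent; coerce that to $false.
        $patched = [bool](Get-HotFix -Id $KbId -ComputerName $name -ErrorAction SilentlyContinue)

        if ($patched)    { $status = 'OK' }
        elseif ($legacy) { $status = 'PATCH NOW (critical tier: 2008 R2 or older)' }
        else             { $status = 'PATCH NOW' }

        [pscustomobject]@{
            DomainController = $name
            OSVersion        = $os.Caption
            LegacyTier       = $legacy
            UpdateInstalled  = $patched
            Status           = $status
        }
    }
    catch {
        # An unreachable DC is itself a finding: it cannot be confirmed patched.
        [pscustomobject]@{
            DomainController = $name
            OSVersion        = 'unreachable'
            LegacyTier       = $null
            UpdateInstalled  = $null
            Status           = "ERROR: $($_.Exception.Message)"
        }
    }
}

# Unpatched legacy-tier controllers float to the top of the list.
$report | Sort-Object UpdateInstalled, LegacyTier -Descending | Format-Table -AutoSize
```

Any row other than OK is a controller that, per the quoted guidance, must be updated immediately before the domain rebuild question is even reached.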


Well, deploying a patch is one thing, but rebuilding a domain requires a lot of time and effort. If you are using System Center in the network, we can help here.


CHS AD for SCOM provides real-time hardening and blocking of any unauthorized data access and changes. Using CHS AD creates a new authorization hierarchy, so only authorized CHS admins can make changes to domain controllers. In the case of CVE-2014-6324, that means that whether or not you have deployed the patch, any attempt to exploit the vulnerability will be blocked in real time and an alert will be sent.


If you already use SCOM, it is just a matter of deploying a simple management pack (MP) and your Domain Controllers are secure. Contact us