Threat Brief: Kerberos KDC Security Feature Bypass Vulnerability (CVE-2020-17049 AKA Bronze Bit)
< 1 min read
-
π Profile Icon
-
π Published Icon
Published:March 3, 2021 - π Tags IconCategories:
- π Tags Icon
Executive Summary
A recent vulnerability in the Kerberos authentication protocol, CVE-2020-17049 (dubbed Bronze Bit), has been disclosed by Microsoft. The vulnerability is in the way that the Key Distribution Center (KDC) handles service tickets and validates whether delegation is allowed.
In the attack, as detailed in the Palo Alto Networks Security Operations blog, βProtecting Against the Bronze Bit Vulnerability with Cortex XDR,β the attacker tampers with the Kerberos service ticket, which allows the attacker to authenticate to the target as any user, including sensitive accounts and members of the βProtected Usersβ group.
Mitigation Actions for CVE-2020-17049
The vulnerability was patched by Microsoft, and the patch will be gradually deployed with upcoming Windows updates. Microsoft aims to enforce using the patch only on or after May 11, 2021.
Conclusion
Palo Alto Network customers running Cortex XDR version 7.3 with the latest content update are protected from βPass-the-Ticketβ attacks using the standard Windows API. Customers running Cortex XDR Pro with analytics enabled will get alerted on related suspicious activities and specifically on a delegation from or to a protected user.
Palo Alto Networks will update this Threat Brief with new information and recommendations as they become available.
