Intranet Penetration (66): Kerberos Bronze Bit Vulnerability

Kerberos Bronze Bit Vulnerability

Vulnerability background

The Kerberos Bronze Bit vulnerability (CVE-2020-17049) is a Kerberos security feature bypass discovered by Jake Karnes, a security researcher at the security company NetSPI. The flaw lies in the way the KDC decides whether a Kerberos service ticket may be used for constrained delegation over Kerberos. By exploiting it, a compromised service configured for constrained delegation can tamper with a service ticket that is not valid for delegation and force the KDC to accept it anyway.

The attack this vulnerability enables extends other known attacks that abuse Kerberos delegation. It bypasses the following two mitigations for existing attack paths, making those paths more effective and more broadly applicable.

  • It bypasses the protection given to members of the Protected Users group and to accounts marked "Account is sensitive and cannot be delegated": such users can be delegated anyway.
  • It bypasses the "Use Kerberos only" option of constrained delegation, which is meant to prevent protocol transition.

Vulnerability principle

Let's first look at how the KDC validates the ST obtained through S4U2Self during constrained delegation and resource-based constrained delegation (RBCD). The validation process is shown in the figure. The KDC first checks the forwardable flag of the ST obtained through S4U2Self:

1) If it is 0 (the ticket cannot be forwarded), the KDC checks whether this is an RBCD delegation:

  • If it is not RBCD, no ticket is returned.

  • If it is RBCD, the KDC then checks whether the delegated user is marked as unable to be delegated:

    • If so, no ticket is returned.
    • If not, the ticket is returned.
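The decision logic above, as an added Python model that is not code from the original post or from NetSPI. It extends the figure with the forwardable=1 branch (ticket issued with no further check, the known pre-patch behaviour) and assumes, as the KDC does in practice, that S4U2Self returns a non-forwardable ticket for protected users and for "Kerberos only" delegation; the hardened check, which binds the flag with a KDC-keyed tag, is an assumed stand-in for the real fix, and all names and the key are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed KDC key standing in for the krbtgt key; only the KDC knows it.
KDC_KEY = b"constructed-krbtgt-key-for-demo"

@dataclass
class ServiceTicket:
    """Only the fields the S4U2Proxy decision looks at (a model, not ASN.1)."""
    forwardable: bool
    flags_tag: bytes = b""  # hardened model only: KDC-keyed tag over the flag

def tag_flags(forwardable: bool) -> bytes:
    """KDC-keyed MAC over the flag the decision depends on (assumed fix)."""
    return hmac.new(KDC_KEY, bytes([forwardable]), hashlib.sha256).digest()

def issue_s4u2self(user_protected: bool, kerberos_only: bool) -> ServiceTicket:
    """S4U2Self: the KDC clears forwardable for protected/sensitive users and
    for services whose constrained delegation is set to 'Kerberos only'."""
    fwd = not (user_protected or kerberos_only)
    return ServiceTicket(forwardable=fwd, flags_tag=tag_flags(fwd))

def decide_vulnerable(t: ServiceTicket, rbcd: bool, user_protected: bool) -> str:
    """S4U2Proxy check as the diagram describes it. The forwardable=1 branch
    (issue with no further check) is the known pre-patch behaviour."""
    if not t.forwardable:
        if not rbcd:
            return "denied"
        return "denied" if user_protected else "issued"
    return "issued"

def decide_hardened(t: ServiceTicket, rbcd: bool, user_protected: bool) -> str:
    """Same decision, but the flag must carry a valid KDC tag, so a flag
    rewritten under the service's own key is rejected."""
    if not hmac.compare_digest(t.flags_tag, tag_flags(t.forwardable)):
        return "denied"
    return decide_vulnerable(t, rbcd, user_protected)

def bronze_bit_outcomes(rbcd: bool = False) -> dict:
    """Protected user: run both KDC checks on the honest S4U2Self ticket and
    on the same ticket with only the forwardable flag rewritten."""
    honest = issue_s4u2self(user_protected=True, kerberos_only=False)
    tampered = ServiceTicket(forwardable=True, flags_tag=honest.flags_tag)
    out = {}
    for name, ticket in (("honest", honest), ("tampered", tampered)):
        out[name + "_vulnerable"] = decide_vulnerable(ticket, rbcd, True)
        out[name + "_hardened"] = decide_hardened(ticket, rbcd, True)
    return out
```

The tampered ticket is accepted by the pre-patch check in both the classic and RBCD cases, while the tag-checked version rejects it and still issues tickets for the legitimate, unmodified flow.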

Origin blog.csdn.net/qq_64973687/article/details/130608937