
SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center



Microsoft Out of Band Update Resolves Kerberos Issue

Published: 2021-11-15
Last Updated: 2021-11-15 16:05:24 UTC
by Rob VandenBrink (Version: 1)
0 comment(s)

Since Patch Tuesday, we've been tracking a Kerberos issue in November's patch bundle that affected authentication in several deployment scenarios:

  • Azure Active Directory (AAD) Application Proxy Integrated Windows Authentication (IWA) using Kerberos Constrained Delegation (KCD)
  • Web Application Proxy (WAP) Integrated Windows Authentication (IWA) Single Sign On (SSO)
  • Active Directory Federated Services (ADFS)
  • Microsoft SQL Server
  • Internet Information Services (IIS) using Integrated Windows Authentication (IWA)
  • Intermediate devices including Load Balancers performing delegated authentication

This was fixed out of band yesterday (November 14, 2021).  If you have applied November's update and are affected, you'll want to apply the "November-take-two" update on any affected servers.

The full issue report is located here: https://docs.microsoft.com/en-us/windows/release-health/status-windows-10-1809-and-windows-server-2019

The note on yesterday's fix being released is here: https://support.microsoft.com/en-us/topic/november-14-2021-kb5008601-os-build-14393-4771-out-of-band-c8cd33ce-3d40-4853-bee4-a7cc943582b9
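Before rolling the out-of-band package out, it helps to know which servers already have it. The following PowerShell is an added example, not part of this diary or of any Microsoft tooling: it inventories a list of servers for the OOB KB and reports who still needs it. The hostnames are constructed samples, only KB5008601 (OS build 14393, the KB linked above) is hard-coded, and the second entry in $OobKbs is a placeholder you must replace with the OOB KB number Microsoft published for your own Windows build. It assumes you can reach the servers over WMI/DCOM with rights to read installed hotfixes.

```powershell
# Added example, not part of the diary: check whether the out-of-band Kerberos
# fix is present on a set of Windows servers before deciding who still needs it.
# Only KB5008601 (OS build 14393, the KB linked in the diary) is hard-coded;
# other Windows builds received their own OOB KB numbers, which you must look up
# on the Microsoft release-health page and add to $OobKbs (placeholder shown).
$Servers = @('dc01', 'adfs01', 'sql01', 'iis01')   # constructed sample hostnames
$OobKbs  = @(
    'KB5008601',              # OOB fix for OS build 14393 (from the diary)
    'KB<OOB-FOR-YOUR-BUILD>'  # placeholder: replace with the OOB KB for your build
)

$report = foreach ($s in $Servers) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering remotely over WMI/DCOM
        $hotfixes = Get-HotFix -ComputerName $s -ErrorAction Stop
        $oobFound = @($hotfixes | Where-Object { $OobKbs -contains $_.HotFixID })
        $newest   = $hotfixes | Where-Object { $_.InstalledOn } |
                    Sort-Object InstalledOn -Descending | Select-Object -First 1
        [pscustomobject]@{
            Server        = $s
            OobApplied    = ($oobFound.Count -gt 0)
            OobKb         = ($oobFound.HotFixID -join ',')
            NewestHotfix  = $newest.HotFixID
            NewestInstall = $newest.InstalledOn
            Error         = ''
        }
    } catch {
        # Unreachable host or WMI access denied: report it instead of silently skipping
        [pscustomobject]@{
            Server        = $s
            OobApplied    = $null
            OobKb         = ''
            NewestHotfix  = ''
            NewestInstall = $null
            Error         = $_.Exception.Message
        }
    }
}

# Servers with OobApplied = False are the ones still to patch; $null means the
# check itself failed and needs a second look.
$report | Sort-Object OobApplied | Format-Table -AutoSize
$report | Where-Object { $_.OobApplied -eq $false } | Select-Object -ExpandProperty Server
```

Run it from a management host; the last line gives you the plain list of servers to feed into your deployment tooling. A server that shows the November cumulative as its newest hotfix but no OOB KB is exactly the "affected and not yet fixed" case the diary describes.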

If you haven't applied November's updates yet, you may have dodged a bullet this month, but you likely want to revisit your update cadence: in most other months, still being unpatched at this point (the Monday after Patch Tuesday) leaves you more vulnerable than safe.


===============
Rob VandenBrink
rob <at> coherentsecurity.com
