Apply changes for CVE-2024-26248 & CVE-2024-29056 with Ansible


Microsoft recently published a support article about the CVE-2024-26248 and CVE-2024-29056 mitigation:

The Windows security updates released on or after April 9, 2024 address elevation of privilege vulnerabilities with the Kerberos PAC Validation Protocol. The Privilege Attribute Certificate (PAC) is an extension to Kerberos service tickets. It contains information about the authenticating user and their privileges. This update fixes a vulnerability where the user of the process can spoof the signature to bypass PAC signature validation security checks added in KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967.

After you install the April 9, 2024 fix KB5020805, the issues related to CVE-2024-26248 and CVE-2024-29056 are not fully addressed. Microsoft highlights this in the support article!

Here is a quick timeline:

  • April 9, 2024: Initial Deployment Phase – Compatibility Mode
  • October 15, 2024: Enforced by Default Phase
  • April 8, 2025: Enforcement Phase

We ran many tests and found no real issues. All Kerberos-related services worked as expected. So why wait until Microsoft enforces the complete mitigation?

Here is a quick Ansible playbook to apply the mitigation today:

---
# vi: filetype=yaml
# vim: filetype=yaml

# https://support.microsoft.com/en-us/topic/kb5037754-how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1
# https://learn.microsoft.com/openspecs/windows_protocols/ms-apds/82b7b7c6-413d-4d66-b6b7-4a9224549782
# https://support.microsoft.com/help/5020805
# https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26248
# https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29056

- name: "Manage PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056"
  hosts: all
  gather_facts: true
  ignore_errors: false
  ignore_unreachable: false
  debugger: never
  tasks:
    - name: "Ensure PacSignatureValidationLevel is Enforce"
      when: ansible_facts['os_family'] == "Windows"
      ansible.windows.win_regedit:
        path: 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
        name: "PacSignatureValidationLevel"
        data: 3
        type: dword

    - name: "Ensure CrossDomainFilteringLevel is Enforce"
      when: ansible_facts['os_family'] == "Windows"
      ansible.windows.win_regedit:
        path: 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
        name: "CrossDomainFilteringLevel"
        data: 4
        type: dword

    - name: "Ensure AuditKerberosTicketLogonEvents logs all Netlogon events (3)"
      when: ansible_facts['os_family'] == "Windows"
      ansible.windows.win_regedit:
        path: 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        name: "AuditKerberosTicketLogonEvents"
        data: 3
        type: dword

Please read the support article carefully! You might want to change the playbook above to the following settings first:

  • PacSignatureValidationLevel = 2 (Compatibility with unpatched environment)
  • CrossDomainFilteringLevel = 2 (Compatibility with unpatched environment)

We recommend setting AuditKerberosTicketLogonEvents to 2 anyway.

Then you should monitor the event logs for the following IDs:

  • ID: 21 - Event Source: Security-Kerberos. This event is shown when a Domain Controller took a non-fatal action during a Network Ticket Logon flow.
  • ID: 22 - Event Source: Security-Kerberos. This event is shown when a Domain Controller denied the Network Ticket Logon request for the reasons shown in the event.
  • ID: 23 - Event Source: Security-Kerberos. During Kerberos Network Ticket Logon, the service ticket for Account XYZ (where XYZ is the account name) from Domain XYZ (where XYZ is the domain name) could not be forwarded to a Domain Controller to service the request.
  • ID: 5842 - Event Source: Netlogon. The Netlogon service encountered an unexpected error when processing a Kerberos Network Ticket Logon request.
  • ID: 5842 - Event Source: Netlogon. The Netlogon service failed to forward a Kerberos Network Ticket Logon request to the Domain Controller XYZ (where XYZ is the DC name).

If you are sure that everything works as expected and you do not see an increased number of the event log entries mentioned above, you can enforce the settings as we did.
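Before switching the three values to Enforce, it helps to know where a host currently stands and whether the events listed above have shown up at all. The following read-only playbook is an added example, not part of the original post and not Microsoft's guidance: it reads the three registry values with win_reg_stat and counts the listed event IDs over the last 14 days with Get-WinEvent, then fails the play if any were logged. The provider names in the filter ('Microsoft-Windows-Security-Kerberos' and 'NETLOGON'), the System log as their location, the 14-day window and the variable names are assumptions; check the provider names against Get-WinEvent -ListProvider on your domain controllers before relying on the result.

```yaml
---
# Added example (not from the original post): read-only pre-enforcement check.
# Assumptions: provider names, the System log as the event location, and the
# 14-day lookback window. Adjust them to your environment.
- name: "Pre-enforcement check for PAC validation changes (CVE-2024-26248 / CVE-2024-29056)"
  hosts: all
  gather_facts: true
  vars:
    pac_lookback_days: 14
    pac_registry:
      - path: 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
        name: PacSignatureValidationLevel
      - path: 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
        name: CrossDomainFilteringLevel
      - path: 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        name: AuditKerberosTicketLogonEvents
  tasks:
    - name: "Read the current PAC validation registry values"
      when: ansible_facts['os_family'] == "Windows"
      ansible.windows.win_reg_stat:
        path: "{{ item.path }}"
        name: "{{ item.name }}"
      loop: "{{ pac_registry }}"
      register: pac_reg

    # A missing value means the host runs with the default of whichever
    # phase the installed update belongs to (see the timeline in the KB).
    - name: "Show the current values (absent = phase default)"
      when: ansible_facts['os_family'] == "Windows"
      ansible.builtin.debug:
        msg: "{{ item.item.name }} = {{ item.value if item.exists else 'absent' }}"
      loop: "{{ pac_reg.results }}"
      loop_control:
        label: "{{ item.item.name }}"

    # Count the Kerberos (21, 22, 23) and Netlogon (5842) events from the KB.
    # Get-WinEvent reports an error when nothing matches, so that case is
    # silenced and simply yields an empty hashtable.
    - name: "Count Kerberos Network Ticket Logon events from the last {{ pac_lookback_days }} days"
      when: ansible_facts['os_family'] == "Windows"
      ansible.windows.win_shell: |
        $since = (Get-Date).AddDays(-{{ pac_lookback_days }})
        $filters = @(
          @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 21, 22, 23; StartTime = $since },
          @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5842; StartTime = $since }
        )
        $counts = @{}
        foreach ($f in $filters) {
          Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Group-Object Id |
            ForEach-Object { $counts["$($_.Name)"] = $_.Count }
        }
        $counts | ConvertTo-Json -Compress
      register: pac_events
      changed_when: false

    # Stop here when any of the listed events appeared; the stdout JSON maps
    # event ID to count so you know which one to look at first.
    - name: "Fail when any of the events from the KB were logged"
      when: ansible_facts['os_family'] == "Windows"
      ansible.builtin.assert:
        that: "(pac_events.stdout | trim | from_json) | length == 0"
        fail_msg: "Events seen in the lookback window, do not enforce yet: {{ pac_events.stdout | trim }}"
        success_msg: "No Kerberos Network Ticket Logon problems logged in the last {{ pac_lookback_days }} days"
```

Run it against the domain controllers first (the events in the KB are logged there), then against the member servers. Because the check only reads registry values and event logs, it is safe to run repeatedly while the environment sits in Compatibility mode; once it passes cleanly across a full business cycle, apply the enforcement playbook above.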

To learn more about these vulnerabilities, visit CVE-2024-26248 and CVE-2024-29056.