Threat Encyclopedia

Microsoft: Kerberos Security Feature Bypass Vulnerability


The vulnerabilities in the following products could cause the system to become vulnerable to malicious security attack: Windows Server, version 20H2 (Server Core Installation),Windows Server, version 2004 (Server Core installation),Windows Server, version 1903 (Server Core installation),Windows Server 2016,Windows Server 2012,Windows Server, version 1909 (Server Core installation),Windows Server 2019


Are there any additional steps I need to take during deployment of this update? Yes, for complex domain environments a registry key has been provided to allow for deployment across domains before fully enabling the fix. In a complex forest, where Kerberos tickets may travel across multiple domains, we recommend following steps:Set the registry key to 0 (disabled). Complete the deployment to all DCs (and Read-Only DCs) in your forest. When deployment is complete, set the registry key to 1. A later release will remove this registry key and make ticket signatures required.

Affected Products

Windows Server
version 20H2 (Server Core Installation)
Windows Server
version 2004 (Server Core installation)
Windows Server
version 1903 (Server Core installation)
Windows Server 2016
Windows Server 2012
Windows Server
version 1909 (Server Core installation)
Windows Server 2019

CVE References