
Update Protection against Microsoft Kerberos Implementation Spoofing Elevation of Privilege Vulnerability (MS11-013)


Check Point Reference: CPAI-2011-010
Date Published:
Severity:
Source: Microsoft Security Bulletin MS11-013
Industry Reference(s): CVE-2011-0091
Protection Provided by:
Security Gateway
  • R75
  • R71
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 (Itanium)
Vulnerability Description
A spoofing vulnerability has been reported in the Kerberos implementation of Windows 7 and Windows Server 2008 R2. Kerberos is a protocol used to mutually authenticate users and services on an open, unsecured network. It allows a service to identify the holder of a Kerberos ticket by means of shared secret keys, without the user having to authenticate to the service directly. A remote attacker could exploit this issue to impersonate a legitimate user's credentials or to forge all of the Kerberos traffic in a compromised session.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS11-013 
Vulnerability Details
The vulnerability is due to an error in Windows that fails to correctly enforce the stronger default encryption standards included in Windows 7 and Windows Server 2008 R2. As a result, a man-in-the-middle attacker can force the Kerberos communication between a client and server down to a weaker encryption standard than the one originally negotiated. The attacker would have to be positioned between the target client and server in a man-in-the-middle scenario to intercept the communications and degrade the default encryption standard to DES. Once the encryption standard is degraded to DES, the attacker could read and forge all of the Kerberos traffic in that session, and use this capability to impersonate the user who was authenticating during that Kerberos session.

Protection Overview
This protection will detect and block Kerberos requests that are not enforcing the stronger default encryption standards included in Windows 7 and Windows Server 2008 R2. 

In order for the protection to be activated, update your Security Gateway/VPN-1 product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05, open the Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway: R75

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > IPS Software Blade Application Intelligence > Microsoft Networks.
2. In the right pane, double-click the following protection:

Microsoft Kerberos Implementation Spoofing Elevation of Privilege (MS11-013)

3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries: 

Attack Name: Windows Kerberos Protection Violation
Attack Information: Microsoft Kerberos implementation spoofing elevation of privilege (MS11-013)

Security Gateway: R70/R71

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > Microsoft Networks.
2. In the right pane, double-click the following protection:

Microsoft Kerberos Implementation Spoofing Elevation of Privilege (MS11-013)

3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries: 

Attack Name: Windows Kerberos Protection Violation
Attack Information: Microsoft Kerberos implementation spoofing elevation of privilege (MS11-013)

VPN-1 NGX R65 & VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Microsoft Networks > Microsoft Kerberos Implementation Spoofing Elevation of Privilege (MS11-013).
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries: 

Attack Name: Windows Kerberos Protection Violation
Attack Information: Microsoft Kerberos implementation spoofing elevation of privilege (MS11-013)

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Network Security > Kerberos, and select the Kerberos Protocol Compliance protection group.
3. Click Kerberos Client Request Without Acceptable Encryption Type (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: Kerberos Protocol Compliance Backend
Description: Kerberos Client Request Without Acceptable Encryption Type