|Check Point Reference:||CPAI-2011-010|
|Date Published:||8 Feb 2011|
|Last Updated:||9 Jul 2017|
|Protection Provided by:||
|Who is Vulnerable?|
|Vulnerability Description||A spoofing vulnerability has been reported in implementations of Kerberos on Windows 7 and Windows Server 2008 R2. Kerberos is a protocol used to mutually authenticate users and services on an open and unsecured network. It allows services to correctly identify the user of a Kerberos ticket without having to authenticate the user at the service by using shared secret keys. A remote attacker could exploit this issue to impersonate a legitimate users' credentials or to forge all of the Kerberos traffic in a compromised session.The vulnerability is due to an error in Windows that fails to correctly enforce the stronger default encryption standards included in Windows 7 and Windows Server 2008 R2, and as a result it is possible for a man in the middle attacker to force a downgrade in Kerberos communication between a client and server to a weaker encryption standard than negotiated originally. An attacker would have to be in-between the target client and server in a "man-in the-middle" attack scenario to intercept the communications and degrade the default encryption standard to DES. Once the attacker degrades the default encryption standard to DES, he could read and forge all of the Kerberos traffic in that session. An attacker could use this capability to impersonate the user who was authenticating during that Kerberos session.|
This protection will detect and block Kerberos requests that are not enforcing the stronger default encryption standards included in Windows 7 and Windows Server 2008 R2.
In order for the protection to be activated, update your Security Gateway product to the latest IPS update.For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.
This protection's log will contain the following information:
Attack Name: Windows SMB Protection Violation.
Attack Information: Microsoft Kerberos Implementation Spoofing Elevation of Privilege (MS11-013)