CVE-2020-17049 Overview
A security feature bypass vulnerability exists in the way the Key Distribution Center (KDC) determines whether a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). An attacker with access to a compromised service that is configured to use KCD can tamper with a service ticket that is not valid for delegation and force the KDC to accept it improperly.
The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.
Critical Impact
Attackers exploiting this vulnerability can bypass Kerberos security controls to impersonate users and access resources they should not be authorized to reach, potentially leading to full domain compromise in Active Directory environments.
Affected Products
- Microsoft Windows Server 2012 (including R2)
- Microsoft Windows Server 2016 (including versions 1903, 1909, 2004, 20H2)
- Microsoft Windows Server 2019
- Samba (multiple versions)
Discovery Timeline
- 2020-11-11 - CVE-2020-17049 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-17049
Vulnerability Analysis
This vulnerability targets the Kerberos Constrained Delegation (KCD) mechanism in Microsoft Windows Server environments. KCD is designed to allow services to obtain service tickets on behalf of users to access other services, while constraining which services can be accessed through delegation. The flaw lies in how the Key Distribution Center validates service tickets during the delegation process.
The vulnerability enables an attacker who has already compromised a service account configured with constrained delegation to manipulate service tickets. Specifically, the KDC fails to properly validate whether a service ticket should be allowed for delegation purposes. This improper authorization check (CWE-863) allows attackers to force the KDC to accept tampered tickets that should have been rejected.
Root Cause
The root cause is an improper authorization vulnerability (CWE-863) in the KDC's validation logic. When a service attempts to use a ticket for constrained delegation, the KDC should verify that the ticket is valid for delegation purposes. However, due to insufficient validation, the KDC can be tricked into accepting tickets that have been tampered with or were never intended for delegation use. This represents a fundamental flaw in the security boundary enforcement between service-to-service authentication in Kerberos.
Attack Vector
The attack requires network access and high privileges: the attacker must already have compromised a service account that is configured to use Kerberos Constrained Delegation. The attack unfolds as follows:
- The attacker first compromises a service account that has KCD permissions configured
- The attacker obtains a service ticket that is not valid for delegation (e.g., a ticket with the forwardable flag not set)
- The attacker tampers with the service ticket to make it appear valid for delegation
- The attacker presents this tampered ticket to the KDC
- Due to insufficient validation, the KDC accepts the ticket and issues a new service ticket for the target service
- The attacker can now access the target service while impersonating the victim user
This attack is particularly dangerous in Active Directory environments where constrained delegation is commonly used for multi-tier applications and service-to-service authentication.
Detection Methods for CVE-2020-17049
Indicators of Compromise
- Unusual Kerberos ticket requests originating from services configured with constrained delegation
- Service tickets being used for delegation that should not have the delegation flag set
- Anomalous access patterns from service accounts to resources outside their normal scope
- Kerberos authentication events with mismatched or unexpected ticket flags in Windows Security Event Logs
Detection Strategies
- Monitor Windows Security Event Logs for Event ID 4769 (Kerberos Service Ticket Operations) and look for anomalies in delegation patterns
- Audit service accounts configured with constrained delegation and their access patterns to detect potential abuse
- Implement network traffic analysis to identify unusual Kerberos traffic patterns between domain controllers and service endpoints
- Use SentinelOne's behavioral AI to detect suspicious authentication sequences that deviate from baseline behavior
Monitoring Recommendations
- Enable advanced Kerberos logging on domain controllers to capture detailed delegation activity
- Create alerts for service accounts accessing resources outside their constrained delegation scope
- Regularly review and audit which service accounts have KCD configured and whether those configurations are still necessary
- Monitor for multiple failed and successful authentication attempts from the same service account in rapid succession
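The scope alert described above (a service account using KCD to reach a target outside its msDS-AllowedToDelegateTo list) can be checked against Event ID 4769 records, whose Transited Services field lists the proxying service when a ticket was obtained through S4U2Proxy. The following Python checker is an added example, not code from the page or from SentinelOne; the account names, SPNs and the simplified key=value event lines are constructed, and the KCD scope map stands in for what the PowerShell audit below would return.

```python
"""Flag 4769 events where a ticket was obtained via constrained delegation for
a target outside the delegating account's KCD scope. All data is constructed."""
import re
from typing import Dict, List, Set

# Constructed: KCD scope per service account (from msDS-AllowedToDelegateTo),
# and the SPNs each account holds, so a transited SPN maps back to its owner.
KCD_SCOPE: Dict[str, Set[str]] = {
    "svc_web": {"cifs/file01.corp.example"},
}
SPN_OWNER: Dict[str, str] = {
    "http/web01.corp.example": "svc_web",
    "http/legacy01.corp.example": "svc_legacy",   # has no KCD configured
}

# Constructed, simplified 4769 records: one event per line, key=value fields.
# TransitedServices is non-empty only when the ticket came via S4U2Proxy.
SAMPLE_EVENTS = """\
EventID=4769 AccountName=alice@CORP.EXAMPLE ServiceName=cifs/file01.corp.example TransitedServices=http/web01.corp.example@CORP.EXAMPLE
EventID=4769 AccountName=alice@CORP.EXAMPLE ServiceName=ldap/dc01.corp.example TransitedServices=http/web01.corp.example@CORP.EXAMPLE
EventID=4769 AccountName=bob@CORP.EXAMPLE ServiceName=cifs/file01.corp.example TransitedServices=http/legacy01.corp.example@CORP.EXAMPLE
EventID=4769 AccountName=bob@CORP.EXAMPLE ServiceName=cifs/file01.corp.example TransitedServices=
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_event(line: str) -> Dict[str, str]:
    """Turn one 'key=value ...' record into a dict (empty values allowed)."""
    return dict(FIELD_RE.findall(line))

def check_delegation(event: Dict[str, str]) -> List[str]:
    """Return alert strings for one event; an empty list means nothing suspicious."""
    alerts: List[str] = []
    transited = event.get("TransitedServices", "")
    if event.get("EventID") != "4769" or not transited:
        return alerts                     # plain TGS request, no delegation involved
    target = event["ServiceName"].lower()
    # Each transited hop is spn@REALM; every hop must be an account with a KCD
    # scope that actually contains the requested target service.
    for hop in transited.split(","):
        spn = hop.split("@", 1)[0].lower()
        owner = SPN_OWNER.get(spn)
        if owner is None or owner not in KCD_SCOPE:
            alerts.append(f"{spn} delegated to {target} but has no KCD scope")
        elif target not in KCD_SCOPE[owner]:
            alerts.append(f"{owner} ({spn}) delegated to {target}, outside its KCD scope")
    return alerts

def scan(log_text: str) -> List[str]:
    """Run check_delegation over every record and return all alerts in order."""
    return [a for line in log_text.splitlines() if line.strip()
            for a in check_delegation(parse_event(line))]
```

On the constructed sample, the first and last records are clean, the second is flagged as out-of-scope delegation by svc_web, and the third is flagged because the proxying service has no KCD scope at all.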
How to Mitigate CVE-2020-17049
Immediate Actions Required
- Apply the Microsoft security update for CVE-2020-17049 immediately on all affected Windows Server versions
- Audit all service accounts with Kerberos Constrained Delegation configured and reduce permissions where possible
- Review and restrict which services are allowed to use constrained delegation
- Consider migrating to Resource-Based Constrained Delegation (RBCD), which provides more granular control
Patch Information
Microsoft has released security updates to address this vulnerability. The patches modify how the KDC validates service tickets used with Kerberos Constrained Delegation. Organizations should apply the updates available through the Microsoft Security Advisory CVE-2020-17049.
For Samba deployments, administrators should consult the Gentoo GLSA 2023-06 and the OpenWall OSS-Security Mailing List for applicable patches and guidance.
Workarounds
- Disable Kerberos Constrained Delegation on services where it is not strictly required
- Implement the principle of least privilege by limiting which services can be accessed through delegation
- Use the Protected Users security group for high-value accounts to prevent their credentials from being delegated
- Segment network access to limit the impact of a potential compromise
# Review services with constrained delegation configured
# PowerShell: list accounts (users and computers) whose msDS-AllowedToDelegateTo is
# populated, i.e. accounts allowed to use KCD, together with the SPNs they may delegate to
Get-ADObject -Filter {msDS-AllowedToDelegateTo -like "*"} -Properties msDS-AllowedToDelegateTo, userAccountControl | Select-Object Name, msDS-AllowedToDelegateTo
# Check for accounts trusted for delegation
# TrustedForDelegation is the broader, unconstrained delegation setting (separate from KCD)
# and should be reviewed on its own
Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation | Select-Object Name, TrustedForDelegation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

