CVE-2024-43639 Overview
CVE-2024-43639 is a remote code execution vulnerability in the Windows Kerberos Key Distribution Center (KDC) Proxy service. The flaw affects multiple Windows Server versions running the KDC Proxy role, which forwards Kerberos authentication traffic over HTTPS for remote clients. Unauthenticated attackers can exploit the vulnerability across the network without user interaction, achieving code execution in the context of the KDC Proxy service. The vulnerability is associated with [CWE-197] Numeric Truncation Error in the Kerberos protocol handling logic.
Critical Impact
An unauthenticated attacker can execute arbitrary code on Windows Servers configured as KDC Proxy by sending crafted Kerberos requests over the network.
Affected Products
- Microsoft Windows Server 2012 and Windows Server 2012 R2
- Microsoft Windows Server 2016, 2019, 2022, and 2022 23H2
- Microsoft Windows Server 2025
Discovery Timeline
- 2024-11-12 - CVE-2024-43639 published to NVD and Microsoft releases security patch
- 2024-11-18 - Last updated in NVD database
Technical Details for CVE-2024-43639
Vulnerability Analysis
The vulnerability resides in the Windows KDC Proxy service (KDCPROXY), a component that tunnels Kerberos authentication traffic over HTTPS using the MS-KKDCP protocol. The service runs under LocalSystem privileges and listens on the network, making any flaw in its protocol parsing logic remotely exploitable.
The root weakness is classified as [CWE-197] Numeric Truncation Error. Cryptographic protocol implementations are particularly sensitive to truncation issues because length fields drive buffer allocations and copy operations. A truncated length value can cause subsequent code paths to operate on undersized buffers while processing attacker-controlled data.
Successful exploitation grants the attacker full control over confidentiality, integrity, and availability of the targeted server. Because the KDC Proxy is typically internet-facing to support remote Kerberos clients, the attack surface extends beyond the internal network.
Root Cause
The root cause is improper handling of a numeric value during Kerberos message processing in the KDC Proxy. A value is truncated when converted between data types, producing an incorrect length used in downstream memory operations. The mismatch between the expected and actual size enables memory corruption that an attacker can leverage to redirect execution flow.
Attack Vector
An unauthenticated remote attacker sends a crafted Kerberos request to a server running the KDC Proxy role. No privileges or user interaction are required. The attacker reaches the vulnerable code by submitting malformed protocol messages to the HTTPS endpoint exposed by KDCPROXY. Microsoft has not published technical exploitation details, and no public proof-of-concept is available. See the Microsoft Security Update for CVE-2024-43639 for vendor guidance.
Detection Methods for CVE-2024-43639
Indicators of Compromise
- Unexpected KDCPROXY service crashes, restarts, or access violation events in the Windows Application and System event logs.
- Anomalous child processes spawned by kdcsvc.dll or the KDC Proxy host process running under LocalSystem.
- Inbound HTTPS traffic to TCP/443 on the KDC Proxy endpoint from unexpected geographies or hosts that do not normally perform remote Kerberos authentication.
Detection Strategies
- Monitor Windows Event Logs for service failures involving KDCPROXY and correlate with network connections to the proxy endpoint.
- Inspect HTTPS traffic to the KDC Proxy URL path /KdcProxy for malformed Kerberos messages or unusual request sizes.
- Hunt for process lineage anomalies where the KDC Proxy host spawns command shells, scripting engines, or LOLBins.
Monitoring Recommendations
- Enable command-line auditing and PowerShell module logging on servers running the KDC Proxy role.
- Forward Kerberos and KDC Proxy logs to a centralized SIEM and alert on authentication anomalies originating from internet-facing proxies.
- Track outbound connections initiated by the KDC Proxy service, which should not normally initiate egress traffic.
How to Mitigate CVE-2024-43639
Immediate Actions Required
- Apply the November 2024 Microsoft security update for CVE-2024-43639 to all affected Windows Server systems running the KDC Proxy role.
- Inventory all servers configured as KDC Proxy and prioritize internet-facing instances for patching.
- Restrict inbound access to the KDC Proxy endpoint to known client networks where feasible.
Patch Information
Microsoft released patches on 2024-11-12 covering Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025. Refer to the Microsoft Security Update Guide for CVE-2024-43639 for cumulative update KB numbers per platform and installation instructions.
Workarounds
- Disable the KDC Proxy role on servers that do not require remote Kerberos authentication until patching can be completed.
- Place the KDC Proxy endpoint behind a VPN or reverse proxy that enforces client authentication and request validation.
- Apply network segmentation rules to limit which source networks can reach the KDC Proxy HTTPS endpoint.
# Verify whether the KDC Proxy service is installed and running
Get-Service -Name KPSSVC
# Temporarily disable the KDC Proxy service as a workaround
Stop-Service -Name KPSSVC
Set-Service -Name KPSSVC -StartupType Disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
