If you run Windows Servers in your environment and use Active Directory, you’ve probably heard about Kerberos. It's the backbone of secure authentication in most modern Windows networks. But what happens if it breaks? CVE-2022-24544 is one of those critical Kerberos flaws: it is about how attackers could gain higher privileges, potentially full domain control. In this post, we’ll break down the vulnerability, walk through how it works, share some code samples, and point you to in-depth resources.
What is CVE-2022-24544?
CVE-2022-24544 is a Microsoft Windows Kerberos Elevation of Privilege Vulnerability. This specific bug is different from similar CVEs (like CVE-2022-24486). At its core, it allows attackers to bypass Kerberos security checks and obtain higher privileges, essentially becoming a domain admin if the exploit succeeds.
Original Advisory:
- Microsoft Security Update: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24544
How Does Kerberos Usually Work?
When you log in to your Windows domain, Kerberos authenticates you by issuing tickets:
- Ticket-Granting Tickets (TGT): Prove to the Key Distribution Center (KDC) who you are and are exchanged for service tickets.
- Service Tickets: Let you access services (like file shares).
Only legitimate users with the right secrets get legitimate tickets.
What’s Wrong in CVE-2022-24544?
This vulnerability occurs because Windows Kerberos incorrectly handles certain service tickets. Under the right conditions, an attacker can trick the Kerberos Key Distribution Center (KDC) into issuing a ticket for a higher-privilege account (like a domain admin).
Exploit Details (Technical Walkthrough)
Microsoft hasn’t released full PoCs, and for good reason. But to help you understand the risk (and how to spot an exploit attempt), here’s a simplified explanation, with some sample code.
Step 1: Obtain a TGT
Typically, using Rubeus or another Kerberos tool, the attacker first requests ticket data for a low-privilege account:
Rubeus.exe asktgt /user:normaluser /rc4:<NTLM_HASH>
This gets the TGT for a normal user.
Step 2: Forge a Service Ticket (Silver Ticket Attack)
The attacker uses known information (like the KRBTGT key or a targeted service account hash) to craft a ticket. This is similar in concept to "silver ticket" attacks. But with CVE-2022-24544, the attacker can manipulate the service ticket generation process.
Sample Pseudocode
// Pseudocode: Crafting a manipulated Kerberos ticket
KerberosTicket ticket = new KerberosTicket();
ticket.UserName = "Administrator";
ticket.ServiceName = "cifs/server.domain.local";
ticket.ValidFrom = DateTime.Now;
ticket.ValidTo = DateTime.Now.AddHours(8);
// Manipulate ticket structure to bypass checks (CVE-2022-24544 flaw)
ticket.Flags |= TicketFlags.Forwardable;
ticket.AuthData = craftedAuthData; // Malformed auth data exploits the bug
// Signs with service secret
ticket.Sign(serviceKey);
The forged ticket is then injected into memory, often using Mimikatz or Rubeus:
Rubeus.exe ptt /ticket:forged_ticket.kirbi
Result:
You’re now authenticated as whatever account you forged, up to (potentially) a domain admin.
Mitigation:
- Patch it: Microsoft released updates in March 2022. Apply all Windows Server security updates!
- Monitor event logs: Look for suspicious Kerberos logins, especially those using the same machine repeatedly or showing odd times.
- Audit accounts: Rotate sensitive keys regularly, like KRBTGT (normally done after security incidents).
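To make the "monitor event logs" advice concrete, here is an added example (not code from the original post or from Microsoft) that scans Windows Security event 4769 records (Kerberos service ticket requested) for the patterns described above: privileged accounts requesting tickets from unexpected hosts, odd times, RC4-encrypted tickets, and one machine requesting tickets for many services. The sample events, allowlists and thresholds are constructed for the example and are assumptions you would replace with your own.

```python
from datetime import datetime, time

def event_4769(time_created, target_user, service, ip, enc_type):
    """Build a Windows Security event 4769 record (Kerberos service ticket requested)."""
    return {"EventID": 4769, "TimeCreated": time_created, "TargetUserName": target_user,
            "ServiceName": service, "IpAddress": ip, "TicketEncryptionType": enc_type}

# Constructed sample events for this example; hosts, names and times are invented.
SAMPLE_EVENTS = [
    event_4769("2022-03-10T09:12:03", "jdoe@DOMAIN.LOCAL", "cifs/fs01", "10.0.5.21", "0x12"),
    event_4769("2022-03-10T02:41:55", "Administrator@DOMAIN.LOCAL", "cifs/server", "10.0.9.77", "0x17"),
    event_4769("2022-03-10T02:42:10", "Administrator@DOMAIN.LOCAL", "ldap/dc01", "10.0.9.77", "0x17"),
    event_4769("2022-03-10T02:42:30", "Administrator@DOMAIN.LOCAL", "host/dc01", "10.0.9.77", "0x17"),
]

# Tuning knobs; assumed values for the example, adjust them to your environment.
PRIVILEGED_ACCOUNTS = {"administrator"}      # accounts whose service tickets deserve scrutiny
ADMIN_WORKSTATIONS = {"10.0.1.10"}           # hosts admins are expected to work from
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # requests outside this window count as "odd times"
RC4_HMAC = "0x17"                            # TicketEncryptionType for RC4; AES is 0x11/0x12
SERVICE_BURST = 3                            # distinct services from one host before flagging

def analyze(events):
    """Return a list of (timestamp, user, service, ip, reasons) findings from 4769 events."""
    findings, services_by_ip = [], {}
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        user = ev["TargetUserName"].split("@")[0].lower()
        ts = datetime.fromisoformat(ev["TimeCreated"])
        reasons = []
        if user in PRIVILEGED_ACCOUNTS and ev["IpAddress"] not in ADMIN_WORKSTATIONS:
            reasons.append("privileged account ticket from non-admin host")
        if ev["TicketEncryptionType"] == RC4_HMAC:
            reasons.append("RC4 service ticket (consistent with a forged or downgraded ticket)")
        if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
            reasons.append("off-hours request")
        services_by_ip.setdefault(ev["IpAddress"], set()).add(ev["ServiceName"])
        if reasons:
            findings.append((ev["TimeCreated"], user, ev["ServiceName"], ev["IpAddress"], reasons))
    # One client requesting tickets for many different services is the
    # "same machine repeatedly" pattern the post warns about.
    for ip, services in services_by_ip.items():
        if len(services) >= SERVICE_BURST:
            findings.append((None, None, None, ip, [f"{len(services)} distinct services from one host"]))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

In production you would feed this from exported event logs (for example via `wevtutil` or a SIEM) rather than the inline list.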
Microsoft’s Official Guidance:
- MSRC Update Guide
- Windows Update History
Final Thoughts
CVE-2022-24544 is a dangerous but subtle Kerberos flaw. Attackers who exploit it can become domain admins, bypassing normal Windows protections. If you run Active Directory, patch all your servers as soon as possible, monitor Kerberos authentication events, and stay alert for abnormal behavior.
References:
- Microsoft Original Advisory
- Active Directory Security - Kerberos Attacks Overview
- SpecterOps - Practical Kerberos Attacks
Timeline
Published on: 04/15/2022 19:15:00 UTC
Last modified on: 04/25/2022 15:49:00 UTC