CVE-2014-6324
published 2014-11-18


Priority: P1 (91, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV, ITW (exploited in the wild), public exploit
CISA Known Exploited Vulnerability, remediation due 2022-04-15
EPSS: 87.45% (99.7th percentile)
The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka "Kerberos Checksum Vulnerability."

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
microsoft | windows_server_2008 | (not stated) | (not stated)
microsoft | windows_server_2012 | (not stated) | (not stated)

Detection & IOCs (extracted from sources)

filename: TGT_%s@%s.ccache

snort:
alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible GoldenPac Priv Esc in-use"; flow:established,to_server; content:"|a0 07 03 05 00 50 80 00 00|"; content:"|a8 05 30 03 02 01 17|"; endswith; threshold: type limit, track by_src, seconds 60, count 1; reference:url,code.google.com/p/impacket/source/browse/trunk/examples/goldenPac.py; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019922; rev:4; metadata:created_at 2014_12_12, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2022_03_24, reviewed_at 2024_03_26;)

bytes: |a0 07 03 05 00 50 80 00 00|
bytes: |a8 05 30 03 02 01 17|
  • Monitor TCP port 88 (Kerberos) traffic for the two byte sequences |a0 07 03 05 00 50 80 00 00| and |a8 05 30 03 02 01 17| appearing together in the same client-to-KDC flow; this is what the ET signature above (sid 2019922) flags as GoldenPac/MS14-068 exploitation in progress.
  • Hunt for MIT Kerberos credential cache (.ccache) files on disk with the naming pattern TGT_<user>@<realm>.ccache; these are written by the MS14-068 exploit and can be loaded with Mimikatz for pass-the-ticket.
  • The exploit sends a TGS-REQ with a forged PAC (pac_request=False) and a checksum type 0x17 (RC4-HMAC, keytype 23). Kerberos events showing a TGS issued with an unexpected PAC checksum algorithm for a non-privileged user should be investigated.
  • The Metasploit module exports a forged-PAC TGT to an MIT Kerberos credential cache file intended to be loaded via Mimikatz on Windows. Detect Mimikatz loading .ccache files (kerberos::ptc) following anomalous Kerberos TGT requests from non-privileged accounts.
  • The Snort/ET rule uses 'threshold: type limit, track by_src, seconds 60, count 1'; check that your IDS/IPS threshold configuration is tuned so that a single-packet exploit attempt is not suppressed.
  • The exploit defaults to RC4-HMAC (keytype 23) for the forged PAC checksum. Environments that have disabled RC4-HMAC and enforce AES-only Kerberos may reduce exposure, but the vulnerability is in PAC signature verification, and patching (MS14-068) is the authoritative fix.
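The following is an added example, not part of this CVE record and not code from the ET ruleset, impacket or Metasploit. It turns the detection guidance above into runnable Python: a check for the two byte sequences from the ET rule co-occurring in one client-to-KDC payload, the same per-source "limit, 60 seconds, count 1" threshold the rule declares, and the TGT_<user>@<realm>.ccache filename hunt. The payload fragments are constructed, not captured traffic, and the code assumes you feed it reassembled to-server payloads (for example from a Zeek or PCAP pipeline); the rule's `endswith` anchoring of the second content match is not reproduced.

```python
import re
from collections import defaultdict

# The two content matches from the ET rule (sid 2019922): the kdc-options
# BIT STRING 0x50800000 and a single-entry etype list containing 0x17 (RC4-HMAC).
KDC_OPTIONS_MATCH = bytes.fromhex("a0 07 03 05 00 50 80 00 00")
ETYPE_RC4_MATCH = bytes.fromhex("a8 05 30 03 02 01 17")
KDC_PORT = 88

# Filename pattern from the IOC list above: TGT_<user>@<realm>.ccache
CCACHE_NAME = re.compile(r"^TGT_[^@\\/]+@[^@\\/]+\.ccache$", re.IGNORECASE)


def payload_matches(payload: bytes) -> bool:
    """Both sequences must appear in the same client->KDC payload."""
    return KDC_OPTIONS_MATCH in payload and ETYPE_RC4_MATCH in payload


def is_exploit_ccache_name(filename: str) -> bool:
    """True for on-disk credential caches named like the exploit writes them."""
    return CCACHE_NAME.match(filename) is not None


class GoldenPacDetector:
    """Evaluates to-server Kerberos payloads and applies a
    'threshold: type limit, track by_src, seconds 60, count 1' policy:
    at most one alert per source IP per window; further matches inside the
    window are counted as suppressed rather than alerted."""

    def __init__(self, window_seconds: int = 60, count: int = 1):
        self.window = window_seconds
        self.count = count
        self.alert_times = defaultdict(list)  # src_ip -> timestamps of alerts
        self.alerts = []                       # emitted alert records
        self.suppressed = 0                    # matches hidden by the threshold

    def observe(self, src_ip: str, dst_port: int, ts: float, payload: bytes) -> bool:
        """Return True when an alert is emitted for this payload."""
        if dst_port != KDC_PORT or not payload_matches(payload):
            return False
        recent = [t for t in self.alert_times[src_ip] if ts - t < self.window]
        self.alert_times[src_ip] = recent
        if len(recent) >= self.count:
            self.suppressed += 1
            return False
        recent.append(ts)
        self.alerts.append({
            "src": src_ip,
            "ts": ts,
            "msg": "Possible GoldenPac Priv Esc in-use (CVE-2014-6324)",
        })
        return True


# Constructed sample payload fragments (not real captures). The benign one
# carries the usual Windows kdc-options 0x40810000 and a three-entry etype
# list (AES256, AES128, RC4), so neither rule sequence appears in it.
BENIGN_TGS_REQ = (
    bytes.fromhex("a0 07 03 05 00 40 81 00 00")
    + b"\x00" * 8
    + bytes.fromhex("a8 0b 30 09 02 01 12 02 01 11 02 01 17")
)
SUSPICIOUS_TGS_REQ = KDC_OPTIONS_MATCH + b"\x00" * 8 + ETYPE_RC4_MATCH


def run_demo():
    """Replay a handful of constructed observations through the detector."""
    det = GoldenPacDetector()
    results = [
        det.observe("10.0.0.5", 88, 0.0, BENIGN_TGS_REQ),        # no match
        det.observe("10.0.0.5", 88, 1.0, SUSPICIOUS_TGS_REQ),    # alert
        det.observe("10.0.0.5", 88, 30.0, SUSPICIOUS_TGS_REQ),   # suppressed by threshold
        det.observe("10.0.0.9", 88, 31.0, SUSPICIOUS_TGS_REQ),   # other source: alert
        det.observe("10.0.0.5", 88, 61.5, SUSPICIOUS_TGS_REQ),   # window elapsed: alert
        det.observe("10.0.0.5", 445, 62.0, SUSPICIOUS_TGS_REQ),  # not Kerberos port
    ]
    return results, det


if __name__ == "__main__":
    results, det = run_demo()
    print(results, len(det.alerts), "alerts,", det.suppressed, "suppressed")
    print(is_exploit_ccache_name("TGT_alice@CONTOSO.LOCAL.ccache"))
```

The threshold logic makes the point of the fifth bullet concrete: the first match from a source is always alerted, so a single-packet attempt is not lost, but a second match from the same source inside the window only increments the suppressed counter. If you raise `count` or shrink `window_seconds` on your sensor, re-check that behaviour against a replay like `run_demo()`.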

CVSS provenance

nvd (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck: 8.8 HIGH
cisa: 8.8 HIGH