CVE-2016-3237
published 2016-08-09


Priority: P2 · 61 · high · CVSS 3.0 base score 7.5
CVSS 3.0 vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 17.18% (96.7th percentile)
Kerberos in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows man-in-the-middle attackers to bypass authentication via vectors related to a fallback to NTLM authentication during a domain account password change, aka "Kerberos Security Feature Bypass Vulnerability."

Affected

15 ranges

Vendor      Product                                      Version range   Fixed in
microsoft   windows_10
microsoft   windows_server_2008
microsoft   windows_server_2012
msrc        windows_10
msrc        windows_10_version_1511
msrc        windows_10_version_1607
msrc        windows_7
msrc        windows_8.1
msrc        windows_rt_8.1
msrc        windows_server_2008
msrc        windows_server_2008_r2
msrc        windows_server_2012
msrc        windows_server_2012_r2
msrc        windows_vista_service_pack_2
msrc        windows_vista_x64_edition_service_pack_2

Detection & IOCs (extracted from sources)

  • Detect Kerberos-to-NTLM authentication fallback during domain account password change operations, which is the core exploit mechanism for this CVE
  • Monitor for inbound firewall rule disabling targeting Kerberos KDC ports (TCP/UDP) as an attacker step to force NTLM fallback during password change
  • Alert on NTLM authentication events occurring specifically during domain account password change flows, especially on domain-joined machines where Kerberos should be the expected protocol
  • Watch for the error message 'The trust relationship between this workstation and the primary domain failed' following a password change, which may indicate exploitation of this bypass
  • Identify rogue/attacker-controlled Active Directory environments mimicking a legitimate domain (same FQDN) used to intercept Kerberos password change requests and force NTLM fallback
  • Exploitation requires the target to be a Standard Domain Member with password caching enabled (default Windows configuration) and BitLocker enabled without PIN or USB key — systems not matching this profile are not vulnerable to this specific attack path
  • Cached credentials must be present on the target system from a previous logon; without cached credentials the attack path does not yield access
  • This vulnerability shares an attack path with MS15-122 and MS16-014 but bypasses their published remediations; patching those earlier bulletins alone is insufficient
  • Physical access to the target machine is a prerequisite for the documented exploit technique

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_msrc              6.4     MEDIUM