CVE-2016-3237
Published 2016-08-09
Priority: P261 · Severity: high · CVSS 3.0: 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available (see references) · EPSS: 17.18% (96.7th percentile)
Kerberos in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows man-in-the-middle attackers to bypass authentication via vectors related to a fallback to NTLM authentication during a domain account password change, aka "Kerberos Security Feature Bypass Vulnerability."
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs (extracted from sources)
- Detect Kerberos-to-NTLM authentication fallback during domain account password change operations, which is the core exploit mechanism for this CVE
- Monitor for inbound firewall rule disabling targeting Kerberos KDC ports (TCP/UDP) as an attacker step to force NTLM fallback during password change
- Alert on NTLM authentication events occurring specifically during domain account password change flows, especially on domain-joined machines where Kerberos should be the expected protocol
- Watch for the error message 'The trust relationship between this workstation and the primary domain failed' following a password change, which may indicate exploitation of this bypass
- Identify rogue/attacker-controlled Active Directory environments mimicking a legitimate domain (same FQDN) used to intercept Kerberos password change requests and force NTLM fallback
- Exploitation requires the target to be a Standard Domain Member with password caching enabled (default Windows configuration) and BitLocker enabled without PIN or USB key — systems not matching this profile are not vulnerable to this specific attack path
- Cached credentials must be present on the target system from a previous logon; without cached credentials the attack path does not yield access
- This vulnerability shares an attack path with MS15-122 and MS16-014 but bypasses their published remediations; patching those earlier bulletins alone is insufficient
- Physical access to the target machine is a prerequisite for the documented exploit technique
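The third detection item above (NTLM authentication inside a domain password-change flow) as a small correlation check, written as an added example that is not part of this CVE record or any vendor tooling. Event IDs 4723 (password change attempt) and 4776 (NTLM credential validation) are real Windows Security event IDs; the log records and the 60-second window are constructed/assumed values.

```python
# Added example: flag NTLM credential validation (event 4776) that follows a
# password-change attempt (event 4723) for the same account within a short
# window. On a domain-joined host the change should be carried by Kerberos,
# so NTLM appearing inside that flow matches the fallback this CVE describes.
from datetime import datetime

# Constructed sample events: (timestamp, event_id, account, host)
# 4768 = Kerberos TGT request (normal), 4723 = password change attempt,
# 4776 = NTLM credential validation.
SAMPLE_EVENTS = [
    ("2016-08-10T09:00:00", 4768, "alice", "WS01"),  # normal Kerberos activity
    ("2016-08-10T09:05:00", 4723, "alice", "WS01"),  # password change attempt
    ("2016-08-10T09:05:02", 4776, "alice", "WS01"),  # NTLM 2 s later: suspicious
    ("2016-08-10T11:00:00", 4723, "bob", "WS02"),
    ("2016-08-10T11:20:00", 4776, "bob", "WS02"),    # 20 min later: outside window
]

def parse(rec):
    ts, eid, acct, host = rec
    return {"ts": datetime.fromisoformat(ts), "id": eid, "acct": acct, "host": host}

def ntlm_fallback_alerts(records, window_seconds=60):
    """Return (account, host, ntlm_timestamp) for every 4776 event that occurs
    within window_seconds after a 4723 event for the same account.
    window_seconds=60 is an assumed tuning value, not a documented threshold."""
    events = sorted((parse(r) for r in records), key=lambda e: e["ts"])
    last_change = {}  # account -> timestamp of its most recent 4723
    alerts = []
    for e in events:
        if e["id"] == 4723:
            last_change[e["acct"]] = e["ts"]
        elif e["id"] == 4776:
            start = last_change.get(e["acct"])
            if start is not None and 0 <= (e["ts"] - start).total_seconds() <= window_seconds:
                alerts.append((e["acct"], e["host"], e["ts"].isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in ntlm_fallback_alerts(SAMPLE_EVENTS):
        print("possible Kerberos-to-NTLM fallback during password change:", alert)
```

In a real deployment the 4723 and 4776 events come from the domain controller's Security log, so the host field should be taken from the workstation name in the event rather than the collector.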
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vendor_msrc | — | 6.4 | MEDIUM | — |
GHSA: GHSA-g622-x7hw-5xm2 (ghsa_unreviewed · 2022-05-14) [HIGH]
Title: Kerberos in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
Microsoft (vendor_msrc · 2016-08-09 · CVSS 6.4) [HIGH]: Kerberos Security Feature Bypass Vulnerability
Description: A security feature bypass vulnerability exists in Windows when Kerberos improperly handles a password change request and falls back to NT LAN Manager (NTLM) Authentication Protocol as the default authentication protocol.
An attacker who successfully exploited this vulnerability could use it to bypass Kerberos authentication. To exploit this vulnerability, an attacker would have to be able to launch a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.
The update addresses this vulnerability by preventing Kerberos from falling back to NTLM as the default authentication protocol during a domain account password change.
Bulletin area: Windows Authentication Methods
No detection rules found.
Talos (blogs_talos · 2016-08-09 · CVSS 7.8) [HIGH]: Microsoft Patch Tuesday - August 2016
This post was authored by Edmund Brumaghin and Jonah Samost
Today is Patch Tuesday for August 2016, and Microsoft has released several security bulletins and associated patches to resolve security issues across their products. This month’s patch release includes 9 bulletins addressing 28 vulnerabilities. Five of the bulletins Microsoft has released are rated Critical and address vulnerabilities in Internet Explorer, Edge, Windows Graphics Component, Microsoft Office, and the Windows PDF library. The remaining four bulletins are rated Important and address vulnerabilities in Windows Kernel-Mode Drivers, Secure Boot, Windows Authentication Methods, and ActiveSyncProvider.
## Bulletins Rated Critical

Microsoft has listed bulletins MS16-095, MS16-096, MS16-097, MS16-099, MS16-102 as critical
References:
- http://www.securityfocus.com/bid/92290
- http://www.securitytracker.com/id/1036576
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-101
- https://www.exploit-db.com/exploits/40409/