This post is also available in: 日本語 (Japanese)
Executive Summary
A recent vulnerability in the Kerberos authentication protocol, CVE-2020-17049 (dubbed Bronze Bit), has been disclosed by Microsoft. The vulnerability is in the way that the Key Distribution Center (KDC) handles service tickets and validates whether delegation is allowed.
In the attack, as detailed in the Palo Alto Networks Security Operations blog, “Protecting Against the Bronze Bit Vulnerability with Cortex XDR,” the attacker tampers with the Kerberos service ticket, which allows the attacker to authenticate to the target as any user, including sensitive accounts and members of the “Protected Users” group.
Mitigation Actions for CVE-2020-17049
The vulnerability was patched by Microsoft, and the patch will be gradually deployed with upcoming Windows updates. Microsoft aims to enforce using the patch only on or after May 11, 2021.
Conclusion
Palo Alto Network customers running Cortex XDR version 7.3 with the latest content update are protected from “Pass-the-Ticket” attacks using the standard Windows API. Customers running Cortex XDR Pro with analytics enabled will get alerted on related suspicious activities and specifically on a delegation from or to a protected user.
Palo Alto Networks will update this Threat Brief with new information and recommendations as they become available.