Microsoft this past week released its April 2024 Patch Tuesday updates for Windows 10 (KB5036892), Windows 11 (KB5036893), and more.
Alongside those, the company also noted that the update addresses two Kerberos PAC authentication vulnerabilities, CVE-2024-26248 and CVE-2024-29056, both elevation of privilege flaws that bypass the PAC signature validation checks previously added in KB5020805. This is in addition to the updated advisory it published for the BlackLotus Secure Boot flaw (CVE-2023-24932).
In its support document, Microsoft explains:
The Windows security updates released on or after April 9, 2024 address elevation of privilege vulnerabilities with the Kerberos PAC Validation Protocol. The Privilege Attribute Certificate (PAC) is an extension to Kerberos service tickets. It contains information about the authenticating user and their privileges. This update fixes a vulnerability where the user of the process can spoof the signature to bypass PAC signature validation security checks added in KB5020805.
Microsoft has also noted that simply downloading and installing the April 2024 Patch Tuesday updates is not enough to address the flaws: the new behavior must also be enforced. The April updates are only the Initial Deployment Phase, and the secure behavior will not be enforced by default until a later phase.
The full timeline of the upcoming changes is given below:
April 9, 2024: Initial Deployment Phase - Compatibility Mode
The initial deployment phase starts with the updates released on April 9, 2024. This update adds new behavior that prevents the elevation of privilege vulnerabilities described in CVE-2024-26248 and CVE-2024-29056 but does not enforce it unless both Windows domain controllers and Windows clients in the environment are updated.
To enable the new behavior and to mitigate the vulnerabilities, you must make sure your entire Windows environment (including both domain controllers and clients) is updated. Audit Events will be logged to help identify devices not updated.
October 15, 2024: Enforced by Default Phase
Updates released on or after October 15, 2024, will move all Windows domain controllers and clients in the environment to Enforced mode by changing the registry subkey settings to PacSignatureValidationLevel=3 and CrossDomainFilteringLevel=4, enforcing the secure behavior by default.
The Enforced by Default settings can be overridden by an Administrator to revert to Compatibility mode.
April 8, 2025: Enforcement Phase
The Windows security updates released on or after April 8, 2025, will remove support for the registry subkeys PacSignatureValidationLevel and CrossDomainFilteringLevel and enforce the new secure behavior. There will be no support for Compatibility mode after installing this update.
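As an added example (not from the article or from Microsoft), the PowerShell check below reads the two registry values named in the timeline on a domain controller and reports whether it is in Enforced mode, has been overridden back to Compatibility mode, or is running the defaults of whatever update is installed. The registry subkey path is an assumption, since the article does not state it; confirm it against KB5037754 before relying on the result.

```powershell
# Added example: classify a domain controller's Kerberos PAC validation state
# from the PacSignatureValidationLevel and CrossDomainFilteringLevel values.
function Get-PacValidationState {
    [CmdletBinding()]
    param(
        # ASSUMPTION: the article does not give the subkey path. This is where
        # the author expects the values to live; verify against KB5037754.
        [string]$KdcKeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    )

    # Values the Enforced by Default phase sets (taken from the timeline).
    $enforced = @{ PacSignatureValidationLevel = 3; CrossDomainFilteringLevel = 4 }
    $result   = [ordered]@{ Computer = $env:COMPUTERNAME }
    $explicit = @{}

    foreach ($name in $enforced.Keys) {
        $value = $null
        if (Test-Path -Path $KdcKeyPath) {
            $item  = Get-ItemProperty -Path $KdcKeyPath -Name $name -ErrorAction SilentlyContinue
            $value = if ($null -ne $item) { $item.$name } else { $null }
        }
        $explicit[$name] = $value
        $result[$name]   = if ($null -eq $value) { '(not set)' } else { $value }
    }

    $setCount    = @($explicit.Values | Where-Object { $null -ne $_ }).Count
    $nonEnforced = @($enforced.Keys | Where-Object {
        $null -ne $explicit[$_] -and $explicit[$_] -ne $enforced[$_] })

    $result.Verdict = if ($setCount -eq 0) {
        # No explicit value: the installed update decides the mode
        # (Compatibility before the October 15, 2024 update, Enforced after).
        'DefaultForInstalledUpdate'
    } elseif ($nonEnforced.Count -gt 0) {
        # An administrator set a value other than the enforced one: this DC
        # has been reverted to Compatibility mode and should be reviewed.
        'OverriddenToCompatibility'
    } elseif ($setCount -eq $enforced.Count) {
        'Enforced'
    } else {
        'PartiallySet'
    }
    [pscustomobject]$result
}

# Local check; to audit every DC from a management host with the AD module:
# (Get-ADDomainController -Filter *).HostName | ForEach-Object {
#     Invoke-Command -ComputerName $_ -ScriptBlock ${function:Get-PacValidationState} }
Get-PacValidationState
```

Any DC reporting OverriddenToCompatibility after the October 15, 2024 update is one where the Enforced by Default settings were reverted, which the April 8, 2025 update will no longer honor.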
You can find more details about it in the official support document under KB5037754 on Microsoft's website.