PT-2020-4776 · Microsoft+7 · Active Directory+9

Jake Karnes · Published 2020-11-10 · Updated 2024-09-10 · CVE-2020-17049

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Windows versions prior to the fixed version
Description: A security feature bypass vulnerability exists in the way the Key Distribution Center (KDC) determines whether a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation and force the KDC to accept it. The issue lies in the Kerberos protocol as used by Active Directory for authentication. The vulnerability allows an attacker to bypass existing security restrictions and gain unauthorized access to the application.
Recommendations: To resolve the issue, update the system to the latest version that includes the fix for this vulnerability. As a temporary workaround, consider restricting access to the Kerberos Constrained Delegation (KCD) feature until a patch is available. Avoid using service tickets that are not valid for delegation in the affected KDC until the issue is resolved. Apply the November updates released by Microsoft, which contain a patch for this vulnerability. Note that after the patch is applied, authentication issues may occur between domain controllers that have the update installed and those that do not, or that run very old versions of the operating system.

Fix

Weakness Enumeration

Incorrect Authorization
Improper Privilege Management

Related Identifiers

ALSA-2023:2570
ALSA-2024:0143
ALT-PU-2021-3227
ALT-PU-2021-3296
ALT-PU-2021-3339
ALT-PU-2021-3470
AZL-10661
AZL-36992
BDU:2020-05328
CESA-2024_0143
CVE-2020-17049
OPENSUSE-SU-2024:11631-1
OPENSUSE-SU-2024:13200-1
RHSA-2023:2570
RHSA-2023_2570
RHSA-2024:0137
RHSA-2024:0139
RHSA-2024:0143
RHSA-2024:0252
RHSA-2024_0143
RLSA-2024:0143
SUSE-SU-2022:0361-1

Affected Products

Alt Linux
Active Directory
Almalinux
Centos
Kerberos
Red Hat
Rocky Linux
Samba
Suse
Windows