
November 18 advisory: Windows KDC proxy remote code execution vulnerability [CVE-2024-43639]

CVE-2024-43639 is a critical vulnerability in the Windows Kerberos authentication protocol that allows unauthenticated attackers to execute remote code on affected systems. By exploiting this flaw, attackers can send specially crafted requests to a vulnerable system, leveraging a cryptographic protocol vulnerability in Windows Kerberos to gain unauthorized access and execute arbitrary code.

This vulnerability has been assigned a CVSS severity score of 9.8. This vulnerability only affects Windows Servers that are configured as a Kerberos Key Distribution Center (KDC) Proxy Protocol server. Domain controllers are not affected. KDC Proxy Protocol Servers enable clients to communicate with KDC servers over HTTPS. Kerberos normally uses UDP (default) or TCP for communication between the client and KDC server over these ports: 

- UDP/TCP 88: Used for Kerberos Authentication Service and Ticket Granting Service exchanges.
- TCP 464: Used for Kerberos password changes.

These protocols assume direct, reliable access to the KDC server, which is usually within the same local network or a connected VPN. KDC Proxy encapsulates Kerberos protocol messages inside HTTPS requests, relaying Kerberos traffic between the client and the backend KDC server.

Originally designed for services like Remote Desktop Gateway and DirectAccess, the KDC Proxy service can be configured on a domain-joined server with a public interface and a trusted certificate. Clients can be set up to use this proxy through Group Policy or registry modifications, allowing secure Kerberos authentication over the internet.

KDC Proxy URLs are typically structured as https://<server>/KdcProxy. To identify KDC Proxy servers in your environment, you can scan for HTTPS endpoints matching this URI.

CVE-ID: CVE-2024-43639 – CVSS 9.8 (Critical) assigned by Microsoft

Vulnerability Description: An unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target.

Date of Disclosure: November 12, 2024

Affected Assets: Windows Server products are affected when configured as a KDC Proxy Protocol server.

Vulnerable Software Versions: The following Windows Server products are affected when configured as a KDC Proxy Protocol server:
- Windows Server 2012 [before Build Number 6.2.9200.25165]
- Windows Server 2012 (Server Core installation) [before Build Number 6.2.9200.25165]
- Windows Server 2012 R2 [before Build Number 6.3.9600.22267]
- Windows Server 2012 R2 (Server Core installation) [before Build Number 6.3.9600.22267]
- Windows Server 2016 [before Build Number 10.0.14393.7515]
- Windows Server 2016 (Server Core installation) [before Build Number 10.0.14393.7515]
- Windows Server 2019 [before Build Number 10.0.17763.6532]
- Windows Server 2019 (Server Core installation) [before Build Number 10.0.17763.6532]
- Windows Server 2022 [before Build Number 10.0.20348.2849]
- Windows Server 2022 (Server Core installation) [before Build Number 10.0.20348.2849]
- Windows Server 2022, 23H2 Edition (Server Core installation) [before Build Number 10.0.25398.1251]
- Windows Server 2025 [before Build Number 10.0.26100.2314]
- Windows Server 2025 [before Build Number 10.0.26100.2240]
- Windows Server 2025 (Server Core installation) [before Build Number 10.0.26100.2314]
- Windows Server 2025 (Server Core installation) [before Build Number 10.0.26100.2240]

PoC Available?: No PoC available at the time of writing.

Exploitation Status: At the time of writing, this CVE has not appeared on CISA’s list of known exploited vulnerabilities or in GreyNoise.

Patch Status: This security update guide includes a table with information on how to patch affected products.
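The advisory says the only hosts in scope are Windows Servers that run the KDC Proxy service and sit below the fixed build for their product. The following PowerShell is an added example, not code from Censys or Microsoft, that an administrator can run locally on a server to answer both questions: it copies the fixed builds from the table above and compares them with the host's own build, and it checks whether the KDC Proxy service is present. Two things are assumptions rather than statements from the page: that the KDC Proxy service registers as the Windows service KPSSVC and reserves an HTTP.sys URL ending in /KdcProxy/, and that the full build is CurrentBuild plus the UBR value under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion (UBR is absent on Server 2012/2012 R2, so those hosts need the result confirmed against installed updates by hand).

```powershell
# Added example (not from the Censys advisory): local in-scope check for
# CVE-2024-43639 on a Windows Server.
#
# Assumptions, not stated on the page:
#  - the KDC Proxy service is the Windows service 'KPSSVC' and reserves an
#    HTTP.sys URL ending in /KdcProxy/ (visible via 'netsh http show urlacl');
#  - the full build is CurrentBuild + UBR from the CurrentVersion registry key.

# Fixed builds copied from the advisory's version table, keyed by
# major.minor.build. Server 2025 is listed there with two numbers
# (10.0.26100.2240 and 10.0.26100.2314); the higher one is used so a host is
# only reported patched once it is past both.
$FixedUbr = @{
    '6.2.9200'   = 25165  # Windows Server 2012
    '6.3.9600'   = 22267  # Windows Server 2012 R2
    '10.0.14393' = 7515   # Windows Server 2016
    '10.0.17763' = 6532   # Windows Server 2019
    '10.0.20348' = 2849   # Windows Server 2022
    '10.0.25398' = 1251   # Windows Server 2022, 23H2 Edition
    '10.0.26100' = 2314   # Windows Server 2025
}

function Test-BuildPatched {
    # Compare a build string such as '10.0.20348.2500' against the table.
    # Returns $true (at or above the fixed build), $false (below it) or
    # $null (product not in the advisory's table, e.g. a client OS).
    param([Parameter(Mandatory)][string]$Build)
    $parts = $Build.Split('.')
    if ($parts.Count -ne 4) { throw "Expected major.minor.build.ubr, got '$Build'" }
    $key = $parts[0..2] -join '.'
    if (-not $FixedUbr.ContainsKey($key)) { return $null }
    return ([int]$parts[3] -ge $FixedUbr[$key])
}

function Get-LocalBuild {
    # Assumption: CurrentBuild and UBR live under this key. UBR is missing on
    # Server 2012 / 2012 R2 and is treated as 0 there, which reports those
    # hosts as unpatched until confirmed by hand.
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ver = [System.Environment]::OSVersion.Version
    $ubr = if ($null -ne $cv.UBR) { [int]$cv.UBR } else { 0 }
    return ('{0}.{1}.{2}.{3}' -f $ver.Major, $ver.Minor, $cv.CurrentBuild, $ubr)
}

function Get-KdcProxyExposure {
    # Is the KDC Proxy service installed / running, and is /KdcProxy reserved
    # in HTTP.sys (which is what makes it reachable on TCP/443)?
    $svc    = Get-Service -Name 'KPSSVC' -ErrorAction SilentlyContinue
    $status = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
    $urlacl = (& netsh http show urlacl) -join "`n"
    [pscustomobject]@{
        ServiceInstalled = [bool]$svc
        ServiceStatus    = $status
        KdcProxyUrlAcl   = [bool]($urlacl -match '/KdcProxy')
    }
}

$build   = Get-LocalBuild
$patched = Test-BuildPatched -Build $build
$proxy   = Get-KdcProxyExposure

# Per the advisory, a host is in scope only if it runs the proxy AND is below
# the fixed build. $patched may be $null, so test for an explicit $false.
$belowFixed = ($patched -is [bool]) -and (-not $patched)

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    Build           = $build
    PatchedForCve   = $patched
    KdcProxyService = $proxy.ServiceStatus
    KdcProxyUrlAcl  = $proxy.KdcProxyUrlAcl
    InScope         = ($proxy.ServiceInstalled -and $belowFixed)
} | Format-List
```

Run it in an elevated session on each candidate server (the hosts the advisory suggests locating by scanning for the https://<server>/KdcProxy URI). A host reported with InScope = True should be patched from the Microsoft update guide linked below; a host where the service is NotInstalled is a domain member that happens to expose TCP/443 for some other reason, which is the distinction the Censys numbers below cannot make from passive collection.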

Censys Perspective

At the time of writing, Censys observed over 2 million exposed Windows Server instances online: 2,274,340 to be exact, filtering out honeypots. Note that not all of these are vulnerable; only servers configured with the Kerberos KDC proxy are vulnerable, and we do not detect the /KdcProxy URI through our passive collection. That said, 1,211,834 of these devices (over half) were observed with TCP/443 (HTTPS) open, the default port for a KDC Proxy Protocol server. Admins should confirm the presence of this protocol on their systems.

A large proportion of these (34%) are geolocated in the United States. Censys observed about 11% of the exposed instances to be associated with Armstrong Enterprise Communications (ASN 46622), a solutions and managed IT provider. 

References

https://nvd.nist.gov/vuln/detail/CVE-2024-43639

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43639

https://syfuhs.net/kdc-proxy-for-remote-access

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp/5bcebb8d-b747-4ee5-9453-428aec1c5c38

Source: Censys