A flaw in the Kerberos KDC protocol for Windows Server versions since 2003 allows a malicious user to elevate privileges to administrator level. This vulnerability has been documented in the following advisory: Kerberos Checksum Vulnerability - CVE-2014-6324
Kerberos is a protocol that is used to mutually authenticate users and services on an open and unsecured network. It allows services to correctly identify the user of a Kerberos ticket without having to authenticate the user at the service. It does this by using shared secret keys.
An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.
The security update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos.
The following versions of Windows Server are affected:
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012 and Windows Server 2012 R2
Server Core installation option
Also, this affects the following desktop Windows versions as well:
Windows 8 and Windows 8.1
Windows RT and Windows RT 8.1
The fix patch is applied via Windows Update on the affected machine(s).
To view more in-depth details about the affected versions see Microsoft Security Bulletin MS14-068
There are no known workarounds.