SecurityTracker.com
Category:   Application (Generic)  >   HPE LoadRunner
Vendors:   HPE
(HP Issues Fix for HP LoadRunner) Microsoft Windows Kerberos KDC Signature Validation Flaw Lets Remote Authenticated Users
SecurityTracker Alert ID:  1031628
SecurityTracker URL:  http://securitytracker.com/id/1031628
CVE Reference:   CVE-2014-6324
Date:  Jan 26 2015
Impact:   User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 12.01
Description:   A vulnerability was reported in Microsoft Windows Kerberos. A remote authenticated user can gain elevated privileges. HP LoadRunner is affected.

The Microsoft Kerberos KDC implementation does not properly validate signatures. A remote authenticated unprivileged domain user can exploit this flaw to forge portions of a Kerberos service ticket and gain domain administrator privileges.

This vulnerability is being actively exploited in limited situations. The vendor reports that the known active attacks do not affect Windows Server 2012 and Windows Server 2012 R2.

The Qualcomm Information Security and Risk Management team, including Tom Maddock, reported this vulnerability.

Impact:   A remote authenticated user can gain domain administrator privileges.
Solution:   HP has issued a fix for HP LoadRunner, which includes a vulnerable version of Windows in virtual machine images.

The HP advisory is available at:

http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04526330

Vendor URL:  technet.microsoft.com/library/security/ms14-068
Cause:   Authentication error

Message History:   This archive entry is a follow-up to the message listed below.
Nov 19 2014 Microsoft Windows Kerberos KDC Signature Validation Flaw Lets Remote Authenticated Users