Microsoft Sounds Zero-Day Warning

Emergency Fix For Crypto Flaw in Windows Kerberos

By Mathew J. Schwartz, November 19, 2014. Follow Mathew J. @euroinfosec

Microsoft has issued an emergency fix for a vulnerability in Windows Kerberos that is being actively exploited in in-the-wild attacks targeting Windows Server 2008 and 2008 R2.

The Kerberos protocol is used to authenticate users and services on otherwise open and unsecured networks, using shared keys. But according to Microsoft's new MS14-068 security alert, the Kerberos Key Distribution Center - which authenticates clients inside an Active Directory domain - is vulnerable to a privilege-escalation attack, which could allow an attacker to remotely gain administrator-level privileges. "An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers," warns Microsoft, noting that it is "aware of limited, targeted attacks that attempt to exploit this vulnerability."

Microsoft has rated the vulnerability as "critical" for servers, and says it affects all supported versions of Windows Server including Windows Server 2003, 2008, 2008 R2, 2012, and 2012 R2. Microsoft says it's also issuing a related update "on a defense-in-depth basis for all supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1," to help mitigate related types of attacks. But the company has abstained from assigning a related vulnerability rating to those PC versions of Windows, saying that the flaw itself isn't present in those systems.

"The problem stems from a failure to properly validate cryptographic signatures, which allows certain aspects of a Kerberos service ticket to be forged," says Craig Young, a security researcher at threat detection firm Tripwire. "The vulnerability has already been used in limited attacks and should be considered a serious risk to enterprises using Kerberos KDC on a Windows domain."

An attacker could abuse the cryptographic Kerberos ticketing system to gain access to normally off-limits parts of a network. "Kerberos tickets are a bit like hotel room keys that are encoded at the front desk after a security check, and then handed over to give you access, for a limited period, to specific parts of the building," says Paul Ducklin, head of technology for Asia-Pacific at anti-virus vendor Sophos, in a blog post.

Related attacks can also be launched by anyone in possession of valid domain credentials. "This is a really big issue, because anyone with a valid domain username and password can simply add a valid token - or as it's called in Windows, a privileged access certificate - that then gives them the domain admin rights, and [then] it's very, very easy to create another domain admin account, hide your tracks ... and sit pretty, [using] that domain admin account for server exploitation and exfiltration of critical data," says Gavin Millard, technical director for Europe, the Middle East and Africa at network monitoring firm Tenable Network Security.
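As an added illustration that is not from the article, Microsoft or the researchers quoted, the following toy model shows the class of bug Young describes (a verifier that does not properly validate cryptographic signatures) and the reason Millard's concern applies to any holder of ordinary domain credentials: a weak verifier lets the ticket itself name which checksum algorithm protects the privilege data, so an unkeyed algorithm anyone can compute is accepted, while the hardened verifier insists on a keyed checksum under the KDC's own key. The key, the `PrivilegeBlob` layout and the user and group names are constructed for the example and do not reflect the real PAC encoding.

```python
import hashlib, hmac, zlib
from dataclasses import dataclass

KDC_KEY = b"constructed-kdc-key-for-illustration"  # stands in for the key only the KDC holds

# Keyed checksums need the secret; unkeyed ones can be recomputed by anyone holding the data.
KEYED = {"hmac-sha1": lambda key, data: hmac.new(key, data, hashlib.sha1).digest()}
UNKEYED = {"crc32": lambda data: zlib.crc32(data).to_bytes(4, "big")}

@dataclass(frozen=True)
class PrivilegeBlob:
    """Toy stand-in for the privilege data carried in a service ticket (not the real PAC layout)."""
    user: str
    groups: tuple
    checksum_type: str
    checksum: bytes

def encode(user, groups):
    return f"{user}|{','.join(groups)}".encode()

def issue(user, groups):
    """KDC-side issuance: privilege data is protected by a keyed checksum under KDC_KEY."""
    return PrivilegeBlob(user, groups, "hmac-sha1", KEYED["hmac-sha1"](KDC_KEY, encode(user, groups)))

def verify_weak(blob):
    """Vulnerable pattern: honours whatever checksum type the ticket names, keyed or not."""
    body = encode(blob.user, blob.groups)
    if blob.checksum_type in KEYED:
        return hmac.compare_digest(blob.checksum, KEYED[blob.checksum_type](KDC_KEY, body))
    if blob.checksum_type in UNKEYED:
        return hmac.compare_digest(blob.checksum, UNKEYED[blob.checksum_type](body))
    return False

def verify_strict(blob):
    """Hardened pattern: only a keyed checksum under the KDC's own key counts as valid."""
    if blob.checksum_type not in KEYED:
        return False
    body = encode(blob.user, blob.groups)
    return hmac.compare_digest(blob.checksum, KEYED[blob.checksum_type](KDC_KEY, body))

def demo():
    """Run both verifiers on a genuine blob and on one whose group list was altered."""
    genuine = issue("alice", ("Domain Users",))
    altered = ("Domain Users", "Domain Admins")
    # Without KDC_KEY, altered data can only carry an unkeyed checksum.
    tampered = PrivilegeBlob("alice", altered, "crc32", UNKEYED["crc32"](encode("alice", altered)))
    return {"genuine_weak": verify_weak(genuine), "genuine_strict": verify_strict(genuine),
            "tampered_weak": verify_weak(tampered), "tampered_strict": verify_strict(tampered)}
```

The takeaway for a verifier is that the acceptable checksum algorithm must be fixed by the server's policy and its key, never taken from the object being verified.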

After Exploit: Wipe, Rebuild

If attackers are able to successfully compromise an Active Directory domain using this vulnerability, Microsoft says affected domains will need to be wiped. "The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain," says Joe Bialek, an engineer with the Microsoft Security Response Center, in a blog post. "An attacker with administrative privileges on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed. Therefore it is critical to install the update immediately."

Furthermore, spotting related attacks against unpatched networks may be difficult, because exploits can be written that evade the domain controller event logging IT administrators may be capturing. "Please note that this logging will only catch known exploits; there are known methods to write exploits that will bypass this logging," Bialek says.