Check Point Reference: | CPAI-2011-010 |
Date Published: | 8 Feb 2011 |
Severity: | Medium |
Last Updated: | Sunday 09 July, 2017 |
Source: | |
Industry Reference: | CVE-2011-0091 |
Protection Provided by: | Security Gateway |
Who is Vulnerable? | |
Vulnerability Description | A spoofing vulnerability has been reported in implementations of Kerberos on Windows 7 and Windows Server 2008 R2. Kerberos is a protocol used to mutually authenticate users and services on an open and unsecured network. It allows services to correctly identify the user of a Kerberos ticket without having to authenticate the user at the service by using shared secret keys. A remote attacker could exploit this issue to impersonate a legitimate user's credentials or to forge all of the Kerberos traffic in a compromised session. The vulnerability is due to an error in Windows that fails to correctly enforce the stronger default encryption standards included in Windows 7 and Windows Server 2008 R2, and as a result it is possible for a man-in-the-middle attacker to force a downgrade in Kerberos communication between a client and server to a weaker encryption standard than negotiated originally. An attacker would have to be in-between the target client and server in a "man-in-the-middle" attack scenario to intercept the communications and degrade the default encryption standard to DES. Once the attacker degrades the default encryption standard to DES, he could read and forge all of the Kerberos traffic in that session. An attacker could use this capability to impersonate the user who was authenticating during that Kerberos session. |
This protection will detect and block Kerberos requests that are not enforcing the stronger default encryption standards included in Windows 7 and Windows Server 2008 R2.
In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on the Protection tab and select the version of your choice.
This protection's log will contain the following information:
Attack Name: Windows SMB Protection Violation.
Attack Information: Microsoft Kerberos Implementation Spoofing Elevation of Privilege (MS11-013)
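
The downgrade to DES described above can also be looked for on the Windows side in Kerberos ticket events. The following is an added example, not Check Point's or Microsoft's code: it assumes ticket events 4768/4769 have been exported to a simple key=value line layout (a hypothetical format), and the sample records are constructed.

```python
import re

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ETYPES = {0x1: "des-cbc-crc", 0x2: "des-cbc-md4", 0x3: "des-cbc-md5",
          0x11: "aes128-cts-hmac-sha1-96", 0x12: "aes256-cts-hmac-sha1-96",
          0x17: "rc4-hmac"}
DES_ETYPES = {0x1, 0x2, 0x3}

# Constructed sample records (not real logs). The line layout is an assumption,
# modelled on the "Ticket Encryption Type" field of Windows events 4768/4769.
SAMPLE_LOG = """\
2011-02-08T09:00:01 event=4768 account=alice client=10.0.0.21 etype=0x12
2011-02-08T09:00:02 event=4769 account=alice client=10.0.0.21 etype=0x12
2011-02-08T09:05:40 event=4768 account=alice client=10.0.0.21 etype=0x3
2011-02-08T09:06:10 event=4768 account=legacy-svc client=10.0.0.40 etype=0x1
2011-02-08T09:07:00 event=4769 account=bob client=10.0.0.22 etype=0x17
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>4768|4769) account=(?P<account>\S+) "
    r"client=(?P<client>\S+) etype=(?P<etype>0x[0-9a-fA-F]+)$")

def find_des_tickets(log_text):
    """Return one finding per ticket event that used a DES encryption type.

    A finding is marked 'downgrade' when the same account/client pair was
    seen earlier with a non-DES type, the pattern the advisory describes;
    otherwise 'des-only' (for example an account configured for DES).
    """
    seen_non_des = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not ticket events
        key = (m["account"], m["client"])
        etype = int(m["etype"], 16)
        if etype in DES_ETYPES:
            kind = "downgrade" if key in seen_non_des else "des-only"
            findings.append((m["ts"], m["account"], ETYPES[etype], kind))
        else:
            seen_non_des.add(key)
    return findings

if __name__ == "__main__":
    for finding in find_des_tickets(SAMPLE_LOG):
        print(*finding)
```

On Windows 7 and Windows Server 2008 R2, where DES is disabled by default, any DES finding for such a host warrants investigation; the "downgrade" label only separates a mid-stream change from an account that used DES throughout.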