Proof-of-concept exploit code and full details on a Windows Kerberos security bypass vulnerability were published earlier this week by Jake Karnes, the NetSPI security consultant and penetration tester who reported the security bug to Microsoft.
The security bug, tracked as CVE-2020-17049 and patched by Microsoft during November 2020's Patch Tuesday, can be exploited in what the researcher has named Kerberos Bronze Bit attacks.
Karnes provides a high-level summary of the vulnerability and details on how attackers can exploit it to compromise vulnerable Windows systems.
He has also published a low-level overview of the security bug with additional information on the Kerberos protocol, as well as practical exploit scenarios and details about how to implement and use Kerberos Bronze Bit attacks.
The release of the proof-of-concept exploit code by Karnes on Tuesday was prompted by Microsoft publishing the security updates needed to fully mitigate CVE-2020-17049 on vulnerable servers.