CVE-2014-6324 — Microsoft Kerberos Key Distribution Center (KDC) Privilege Escalation Vulnerability

Windows Kerberos KDC — MS14-068: Any Domain User Can Forge a Kerberos PAC Claiming Domain Admin Membership

What Is the Kerberos KDC?

The Kerberos Key Distribution Center (KDC) is the central authentication service in Microsoft Active Directory. When a domain user wants to access a network resource, they request a Kerberos ticket from the KDC. The ticket includes a Privilege Attribute Certificate (PAC) — a Microsoft extension to the Kerberos standard that lists the user's group memberships, security identifiers (SIDs), and privileges. Domain controllers and services use the PAC to make authorization decisions: if the PAC says a user is a Domain Admin, they get Domain Admin access.

The PAC is signed by the KDC to prove its authenticity — or so it should be. CVE-2014-6324 is a flaw in how the KDC validates PAC signatures, allowing any domain user to forge a PAC that claims membership in the Domain Admins group.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2014-6324 is a critical privilege escalation vulnerability in the Windows Kerberos Key Distribution Center — patched in the emergency bulletin MS14-068 on November 18, 2014. The flaw allows any authenticated domain user to forge a Kerberos ticket with a modified Privilege Attribute Certificate (PAC) that falsely claims Domain Admin group membership. The KDC accepts the forged PAC because it fails to validate the PAC checksum algorithm — an attacker can sign the PAC with a weak or unanticipated algorithm (MD5) that the KDC does not reject. One low-privileged domain account → Domain Admin in seconds, from anywhere on the network.

Affected Versions

Windows Server                   Status
Windows Server 2003              Vulnerable — patched in MS14-068
Windows Server 2008 and 2008 R2  Vulnerable — patched in MS14-068
Windows Server 2012 and 2012 R2  Vulnerable — patched in MS14-068

All Windows domains with any of the above as domain controllers are affected, regardless of client OS versions.

Technical Details

Root Cause: KDC Accepts PAC Signed with Arbitrary Checksum Algorithm

The Kerberos PAC specification requires the PAC to be signed using the client's long-term key (for the client-to-KDC signature) and the KDC's long-term key (for the KDC signature). The Windows KDC implementation failed to verify that the checksum algorithm used matches what is expected — specifically, it did not reject MD5-based checksums when stronger algorithms were required.

The attack, step by step:

  1. Attacker authenticates as a low-privileged domain user (any valid domain account works)
  2. Request a TGT (Ticket Granting Ticket) from the KDC using the valid credentials
  3. Forge a modified PAC: Take the TGT's PAC, modify the GroupIds field to include the Domain Admins SID (S-1-5-21-...-512), and sign it with an MD5 checksum using the user's password hash
  4. Submit the forged PAC to the KDC in a TGS-REQ (requesting a service ticket). The KDC does not validate that the checksum algorithm is appropriate and accepts the MD5-signed PAC
  5. Receive a legitimate service ticket from the KDC — now containing the forged PAC claiming Domain Admin
  6. Present that ticket to any domain service (e.g., CIFS on a domain controller) → granted Domain Admin access

PyKEK (Python Kerberos Exploitation Kit) automated this entire process. An attacker with any domain credentials and a Python environment could achieve Domain Admin in seconds.
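The checksum-type check at the heart of this flaw, as an added illustration that is not code from the advisory, Microsoft, PyKEK or Impacket: a reduced model of PAC signature verification in which the keyed checksum follows the RFC 4757 HMAC-MD5 construction (RC4 keys, PAC key usage 17), the PAC body is plain bytes rather than the real MS-PAC encoding, and an unkeyed MD5 checksum type stands in for the "unanticipated algorithm" the text describes. The key and PAC bytes are constructed values; the exact checksum types Windows accepted are not detailed on this page and are an assumption of the model.

```python
# Added model (not Microsoft's KDC code): why a verifier that lets the PAC's
# own checksum-type field choose the algorithm cannot trust the PAC at all.
import hashlib
import hmac
import struct

KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76  # keyed checksum for RC4-HMAC keys (RFC 4757)
KERB_CHECKSUM_RSA_MD5 = 7            # plain MD5: needs no key, so anyone can produce it
KERB_NON_KERB_CKSUM_SALT = 17        # key usage MS-PAC assigns to PAC signatures

def hmac_md5_checksum(key: bytes, data: bytes, usage: int = KERB_NON_KERB_CKSUM_SALT) -> bytes:
    """RFC 4757 keyed checksum: HMAC(Ksign, MD5(usage || data)), where
    Ksign = HMAC(key, "signaturekey" + NUL); every MAC is HMAC-MD5."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()

def verify_vulnerable(sig_type: int, sig: bytes, pac: bytes, kdc_key: bytes) -> bool:
    """Pre-MS14-068 behaviour as modelled here: the type carried in the
    PAC_SIGNATURE_DATA selects the algorithm, so an unkeyed type is
    'verified' without the KDC key ever being used."""
    if sig_type == KERB_CHECKSUM_HMAC_MD5:
        return hmac.compare_digest(sig, hmac_md5_checksum(kdc_key, pac))
    if sig_type == KERB_CHECKSUM_RSA_MD5:
        return hmac.compare_digest(sig, hashlib.md5(pac).digest())
    return False

def verify_fixed(sig_type: int, sig: bytes, pac: bytes, kdc_key: bytes) -> bool:
    """Hardened check: the verifier fixes the one keyed type that matches its
    key and rejects every other type before comparing any bytes."""
    if sig_type != KERB_CHECKSUM_HMAC_MD5:
        return False
    return hmac.compare_digest(sig, hmac_md5_checksum(kdc_key, pac))

# Constructed demo values: not a real key and not real MS-PAC encoding.
KDC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # known only to the KDC
PAC_KDC_ISSUED = b"user=lowpriv;groups=513"          # body as the KDC issued it
PAC_CLIENT_BUILT = b"user=lowpriv;groups=513,512"    # body altered to add RID 512

def demo() -> dict:
    kdc_sig = hmac_md5_checksum(KDC_KEY, PAC_KDC_ISSUED)   # only the KDC can make this
    unkeyed_sig = hashlib.md5(PAC_CLIENT_BUILT).digest()    # anyone can make this
    return {
        "issued_vulnerable": verify_vulnerable(KERB_CHECKSUM_HMAC_MD5, kdc_sig, PAC_KDC_ISSUED, KDC_KEY),
        "issued_fixed": verify_fixed(KERB_CHECKSUM_HMAC_MD5, kdc_sig, PAC_KDC_ISSUED, KDC_KEY),
        "altered_vulnerable": verify_vulnerable(KERB_CHECKSUM_RSA_MD5, unkeyed_sig, PAC_CLIENT_BUILT, KDC_KEY),
        "altered_fixed": verify_fixed(KERB_CHECKSUM_RSA_MD5, unkeyed_sig, PAC_CLIENT_BUILT, KDC_KEY),
    }
```

The altered body passes verify_vulnerable even though the KDC key never touched it; verify_fixed rejects it on the checksum type alone, which is the CWE-347 lesson: the verifier, not the signed blob, must decide which algorithm is acceptable for a given key.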

Why This Is Architecturally Critical

Most privilege escalation vulnerabilities require either code execution on a domain controller or exploitation of a specific service. CVE-2014-6324 bypasses all of that — it attacks the authentication foundation of Active Directory itself. No lateral movement, no phishing, no secondary exploit required: just one domain user account and the PyKEK tool.

Attack Characteristics

Attribute            Detail
Attack Vector        Network — works from any domain-joined machine
Privileges Required  Low (any domain user account)
Result               Domain Admin on all systems in the domain
Tool                 PyKEK — one-command exploitation
Patch                MS14-068 (emergency out-of-band, November 18, 2014)

Discovery

Microsoft detected active exploitation in the wild before publishing the vulnerability. The fix was released as an emergency out-of-band bulletin (MS14-068) on November 18, 2014 — not waiting for the next Patch Tuesday — reflecting the extreme severity of domain-wide privilege escalation from a low-privileged account.

Exploitation Context

  • PyKEK (Python Kerberos Exploitation Kit): A public proof-of-concept released the same day as the patch; made the exploitation trivially accessible to any attacker with domain user credentials
  • APT and ransomware use: Domain privilege escalation is a key step in both targeted intrusions (APT) and ransomware campaigns; CVE-2014-6324 was incorporated into attacker toolkits and post-exploitation frameworks
  • Standard pentest technique: Became a standard Active Directory penetration testing technique for years; integrated into tools like Impacket (goldenPac.py)
  • Affected millions of domains: Every Windows Active Directory domain in the world running unpatched KDCs was vulnerable — the fix required patching domain controllers, not workstations
  • Long exploitation window: Exploitation was detected before patch release; the window between discovery and patch is unknown but the emergency out-of-band release suggests it was being used by sophisticated actors

Remediation

CISA BOD 22-01 Deadline: April 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS14-068 to all domain controllers immediately. This is the only complete fix. The patch must be applied to domain controllers — not workstations.

  2. Verify patch application: Run Get-HotFix -Id KB3011780 on each domain controller (KB3011780 is the MS14-068 patch). All DCs must be patched.

  3. Threat hunt for exploitation: After patching, audit Kerberos event logs on domain controllers for Event ID 4769 (Kerberos Service Ticket Operations) and Event ID 4768 (Kerberos Authentication Ticket Requested) for anomalous activity. Look for tickets issued to accounts immediately followed by Domain Admin access events.

  4. Check for rogue computer accounts or Group Policy modifications — common post-exploitation steps after achieving Domain Admin.

  5. Review the Microsoft Active Directory Security blog for additional detection guidance for MS14-068 exploitation indicators.

  6. Enforce Kerberos armoring (FAST) in newer environments to add additional protection around PAC validation.

Key Details

Property              Value
CVE ID                CVE-2014-6324
Vendor / Product      Microsoft — Kerberos Key Distribution Center (KDC)
NVD Published         2014-11-18
NVD Last Modified     2025-10-22
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-347 — Improper Verification of Cryptographic Signature
CISA KEV Added        2022-03-25
CISA KEV Deadline     2022-04-15
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  Low
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2022-04-15. Apply updates per vendor instructions.

Timeline

Date        Event
2014-11-05  Vulnerability reported to Microsoft; exploitation detected in the wild
2014-11-18  Microsoft Security Bulletin MS14-068 released (out-of-band emergency patch); CVE-2014-6324 published
2014-11-18  PyKEK (Python Kerberos Exploitation Kit) published as proof of concept
2022-03-25  Added to CISA Known Exploited Vulnerabilities catalog
2022-04-15  CISA BOD 22-01 remediation deadline