-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2025-031
Product: Microsoft Windows / Active Directory Domain Services / Kerberos
Manufacturer: Microsoft
Affected Version(s): Microsoft Windows Server 2022 (10.0.20348),
                     Microsoft Windows 10 (10.0.19045),
                     in a domain with a Microsoft Windows Server 2025
                     (10.0.26100) domain controller
Tested Version(s): Microsoft Windows Server 2022 (10.0.20348),
                   Microsoft Windows 10 (10.0.19045),
                   in a domain with a Microsoft Windows Server 2025
                   (10.0.26100) domain controller
Vulnerability Type: Improper Authentication (CWE-287)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2025-04-02
Solution Date: 2025-06-10
Public Disclosure: 2025-06-11
CVE Reference: CVE-2025-33073 [3]
Authors of Advisory: Stefan Walter, SySS GmbH
                     Daniel Isern, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Active Directory (AD) is a common way to organize and manage Windows
systems inside a corporate network. Kerberos is the default network
authentication protocol in AD environments.

After coercing a domain machine account into authenticating to an
attacker-controlled host (the coerced authentication usually arrives over
SMB and uses Kerberos), the Kerberos authentication can be relayed, i.e.
reflected, back to the coerced system itself over SMB. Because the
machine account is a local administrator on its own host, this yields
administrative privileges on the attacked system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Prerequisites:

* Access to an arbitrary unprivileged AD account
* Network access to the SMB port of the target system; server-side SMB
  signing must not be enforced on that system
* Ability to create a DNS record; with an arbitrary unprivileged AD
  account this is usually possible via Active Directory Integrated DNS
  (ADIDNS)

Attack:

* Create a DNS record whose name unmarshals to the SPN of the target
  system
* Coerce the target system into authenticating to the attacker's system
  over SMB using Kerberos
* Relay the Kerberos authentication back to the target system over SMB

Result/impact:

Administrative privileges on the attacked target computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

See the accompanying blog post [1] for a detailed description of the
attack steps as well as supplementary material such as PCAPs of the
network traffic captured during the attack. The vulnerability can be
exploited using publicly available tools with a one-line patch.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install the patches from Patch Tuesday June 2025 [3].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mitigation:

Enforce server-side SMB signing on all domain systems. This can, e.g.,
be deployed via Group Policy at:

  Computer Configuration > Policies > Windows Settings > Security
  Settings > Local Policies > Security Options > Microsoft network
  server: Digitally sign communications (always): Enabled

Note that the "if client agrees" variant of this setting (EnableSecuritySignature)
does not help: the relayed client simply declines signing. Only the
"(always)" setting (RequireSecuritySignature) makes the server reject the
relayed session. More information can be found in the accompanying blog
post [1].
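The following PowerShell script illustrates the mitigation above: it audits whether server-side SMB signing is required on a set of hosts and enforces it where it is not. It is an added example, not part of the SySS advisory or of Microsoft's tooling. The cmdlets Get-SmbServerConfiguration / Set-SmbServerConfiguration and the LanmanServer registry value are the real ones that the Group Policy setting writes; the remote-audit wrapper, the host names in $Hosts and the function names are assumptions made for this example. It assumes WinRM access with administrative rights to the audited hosts.

```powershell
# Added example (not from the advisory): audit and enforce server-side SMB
# signing, i.e. the GPO "Microsoft network server: Digitally sign
# communications (always)". Requires WinRM and admin rights on the targets.

# Constructed sample host list; replace with your own inventory.
$Hosts = @('srv01.corp.example', 'ws02.corp.example')

function Get-SmbSigningStatus {
    param([Parameter(Mandatory)][string]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # RequireSecuritySignature = signing "(always)"  -> blocks the relay
        # EnableSecuritySignature  = signing "if client agrees" -> does NOT
        $cfg = Get-SmbServerConfiguration

        # Same value the GPO writes; useful to spot a pending policy refresh.
        $reg = Get-ItemProperty `
            -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -ErrorAction SilentlyContinue

        [pscustomobject]@{
            ComputerName             = $env:COMPUTERNAME
            RequireSecuritySignature = $cfg.RequireSecuritySignature
            EnableSecuritySignature  = $cfg.EnableSecuritySignature
            RegistryRequireSigning   = $reg.RequireSecuritySignature
            # Relay to this host is possible while signing is not required.
            RelayTarget              = -not $cfg.RequireSecuritySignature
        }
    }
}

function Enable-SmbServerSigning {
    param([Parameter(Mandatory)][string]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Equivalent to enabling the "(always)" GPO setting locally.
        # A conflicting GPO would override this on the next policy refresh,
        # so deploy the GPO as well.
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
}

$results = foreach ($h in $Hosts) {
    try {
        Get-SmbSigningStatus -ComputerName $h
    } catch {
        Write-Warning "$($h): audit failed: $($_.Exception.Message)"
    }
}

$results | Format-Table -AutoSize

foreach ($r in ($results | Where-Object RelayTarget)) {
    Write-Warning "$($r.ComputerName): server-side SMB signing not required, enforcing"
    Enable-SmbServerSigning -ComputerName $r.ComputerName
}
```

For a single host, run `Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature` locally; RequireSecuritySignature must be True. Client-side signing settings (the "Microsoft network client" policies) are a separate control and do not protect the server against the reflected authentication described in this advisory.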
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

(This is a short summary; for the full timeline see [1].)

2025-03-07: Initial observation of the behavior in a lab environment; the
            following weeks were spent verifying the validity of the
            attack, narrowing the attacker requirements and broadening
            its impact
2025-03-31: Verification of the latest variation in an up-to-date lab
            environment
2025-04-02: Report to Microsoft/MSRC in a PGP-encrypted e-mail with full
            attachments to secure@microsoft.com
2025-04-18: MSRC confirms that the issue is valid and can be reproduced;
            information that the issue is a duplicate
2025-04-24: MSRC tentatively plans the fix for Patch Tuesday in July;
            agreement not to publish before then
2025-05-30: MSRC plans the fix for Patch Tuesday in June; CVE-2025-33073
            assigned
2025-06-10: Patch Tuesday

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Blog post (planned to be released at)
    https://blog.syss.com/posts/kerberos-reflection/
[2] SySS Security Advisory SYSS-2025-031
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-031.txt
[3] Microsoft: Windows SMB Client Elevation of Privilege Vulnerability
    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Stefan Walter and Daniel Isern
of SySS GmbH. Note that this issue is a duplicate: it had been reported
to the Microsoft Security Response Center (MSRC) by another researcher
before SySS GmbH reported it [3].
Stefan Walter of SySS GmbH
E-Mail: stefan.walter@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Stefan_Walter.asc
Key Fingerprint: 74DD 77CD 0317 2777 470D 38BE BE0B B311 DA3F 3E16

Daniel Isern of SySS GmbH
E-Mail: daniel.isern@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Daniel_Isern.asc
Key Fingerprint: 6BCD 867F C5B2 F2C8 9844 C3A3 7055 F389 B54C BC07

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEdN13zQMXJ3dHDTi+vguzEdo/PhYFAmhKh+EACgkQvguzEdo/
PhYaTQ/8Do83ecph/4dw1f2XY4Ymf28KGc6ARSyJVRm2iZl/hZ3YYNj2nJd0+Uea
O3GPlAC5/MpU2V/P6Y0JF0Z8bB8egoosJYc/YQhfoCdse18ik0ba3GpWlga+mNio
fD2zITCJxt5TwhJa7fuP3kC/lqVc4nTHpgXYXZayK8hOb/qwxmFcqCJAiuv5YWxb
W09au/CHaCsh45+8uCv+Xsm2eznnTecTzLqFBOPuR/Kb5FFxqthoHVBOg9bTtvnk
vOIzG04ipDpvxtl4JhkakqY1gTgh89m4WNeACT/PyuKFPx7THyujkBGZL46KoSTm
KC260XjQHxqFXVpWfB9dZP0m3nvECGqxuixtHHtGbvgvR5j0O9CppANTLoROFs8P
4OZr5TUWxu0oHURO05y7ozAEwgkBDqtU9IsyCs2oo/JC5HGCDuAn1JHw7GvCnw6S
LfeJnPLTSVLCl3wdm/ArSmnpYCyye5mgGJb/WgjZYZWM5S8d+gbq3CkRGRDEP5YX
KuudvaqI2BZHeV5odQ1r23TIH+SnpqSJAwemQjF1U3CBAixHF8Ax1ONTkOhZht5L
YPpJ80d2nqBce6hsa1mwodMJAJYyhKp9pi1TZ0w2UpoD5pSA1jnJDWxRrFTrCRTR
DE+c/qYYvCv6mrZbIFRqqj1ok4NfbwAxEv58Sj50/Em/hOBQ/GQ=
=6iAT
-----END PGP SIGNATURE-----