CVE-2024-29995
📋 TL;DR
This vulnerability allows an authenticated attacker to elevate privileges on Windows systems by exploiting a flaw in the Kerberos authentication protocol. Attackers can gain higher-level permissions than originally granted, potentially compromising domain controllers or sensitive systems. All Windows systems using Kerberos authentication are affected.
💻 Affected Systems
- Windows Server
- Windows Client
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete domain compromise where attackers gain Domain Admin privileges, enabling lateral movement, credential theft, and persistent access across the entire network.
Likely Case
Local privilege escalation on individual systems, allowing attackers to execute code with SYSTEM privileges, install malware, or access sensitive data.
If Mitigated
Limited impact with proper network segmentation, least privilege principles, and monitoring in place, potentially containing the attack to isolated segments.
🎯 Exploit Status
Exploitation requires an authenticated attacker with valid domain credentials. The attacker must already have access to the target system or network.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: April 2024 security updates (KB5036893 for Windows 11, KB5036892 for Windows 10, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29995
Restart Required: Yes
Instructions:
1. Apply the April 2024 security updates from Windows Update. 2. For enterprise environments, deploy updates via WSUS, SCCM, or Intune. 3. Restart systems after patch installation.
🔧 Temporary Workarounds
Restrict Kerberos delegation
windowsLimit constrained and unconstrained delegation to reduce attack surface.
Use Active Directory tools to review and restrict delegation settings
Implement network segmentation
allSegment domain controllers and critical systems from general user networks.
🧯 If You Can't Patch
- Implement strict least privilege access controls and monitor for unusual privilege escalation attempts.
- Deploy enhanced monitoring and detection for Kerberos authentication anomalies and suspicious ticket requests.
🔍 How to Verify
Check if Vulnerable:
Check if April 2024 security updates are installed via 'systeminfo' command or Windows Update history.Check Version:
wmic qfe list | findstr KB5036893Verify Fix Applied:
Verify KB5036893 (Windows 11) or KB5036892 (Windows 10) or equivalent Server updates are installed.📡 Detection & Monitoring
Log Indicators:
- Event ID 4769 (Kerberos service ticket requests) with unusual patterns
- Multiple failed authentication attempts followed by successful privilege escalation
Network Indicators:
- Unusual Kerberos ticket requests from non-standard sources
- Anomalous traffic to domain controllers on port 88
SIEM Query:
source="windows-security" EventCode=4769 | stats count by AccountName, ClientAddress | where count > threshold