Microsoft addresses Kerberos PAC Validation Protocol flaws: CVE-2024-26248 and CVE-2024-29056

On Tuesday, April 9, 2024, Microsoft released updates KB5036892 and KB5036893 for Windows 10 and 11, introducing a few new features and fixing known issues.

With these, Microsoft also patched a couple of Kerberos PAC authentication security vulnerabilities tracked under CVE-2024-26248 and CVE-2024-29056.

Both of these vulnerabilities are elevation of privilege flaws that circumvent the PAC signature checks previously implemented in KB5020805. 

In the support document, it is mentioned:

The Windows security updates released on or after April 9, 2024 address elevation of privilege vulnerabilities with the Kerberos PAC Validation Protocol. The Privilege Attribute Certificate (PAC) is an extension to Kerberos service tickets. It contains information about the authenticating user and their privileges. This update fixes a vulnerability where the user of the process can spoof the signature to bypass PAC signature validation security checks added in KB5020805.

The document mentions an important point: only downloading and installing the updates on or after April 9, 2024, will not directly fix the security issues in CVE-2024-26248 and CVE-2024-29056 by default.

Once the environment is fully updated, you need to move to Enforced mode to fully mitigate the security issues for all devices.

This means that you first need to ensure that Windows domain controllers and clients are updated with the security update released on or after April 9, 2024. Next, check the compatibility mode to see if the devices are updated.

Next, enable Enforcement mode in your environment to get rid of security issues like CVE-2024-26248 and CVE-2024-29056.

Here are the details of the changes ahead

April 9, 2024: Initial Deployment Phase – Compatibility Mode

The initial deployment phase starts with the updates released on April 9, 2024. This update adds new behavior that prevents the elevation of privilege vulnerabilities described in CVE-2024-26248 and CVE-2024-29056 but does not enforce it unless both Windows domain controllers and Windows clients in the environment are updated.

To enable the new behavior and to mitigate the vulnerabilities, you must make sure your entire Windows environment (including both domain controllers and clients) is updated. Audit Events will be logged to help identify devices not updated.

October 15, 2024: Enforced by Default Phase

Updates released on or after October 15, 2024, will move all Windows domain controllers and clients in the environment to Enforced mode by changing the registry subkey settings to PacSignatureValidationLevel=3 and CrossDomainFilteringLevel=4, enforcing the secure behavior by default.

The Enforced by Default settings can be overridden by an Administrator to revert to Compatibility mode.

April 8, 2025: Enforcement Phase

The Windows security updates released on or after April 8, 2025, will remove support for the registry subkeys PacSignatureValidationLevel and CrossDomainFilteringLevel and enforce the new secure behavior. There will be no support for Compatibility mode after installing this update.

To learn more details, you can review the support document for KB5037754. Have you installed the security patch released on April 9? If not, install it as soon as possible and ensure the Enforcement mode is on to fix these security issues.