Out-of-band Windows 10 Updates fix Kerberos vulnerability

Microsoft has released a set of out-of-band cumulative updates for supported Windows versions. All the patches fix a vulnerability in the Kerberos protocol. Earlier, the same fix was released for Windows 10 version 1809.

Today's fixes are out for Windows 10 versions 20H2, 2004, 1909, 1903, and 1607.

They share the following change log:

Addresses issues with Kerberos authentication related to the PerformTicketSignature registry subkey value in CVE-2020-17049, which was a part of the November 10, 2020 Windows update. The following issues might occur on writable and read-only domain controllers (DC):

  • Kerberos service tickets and ticket-granting tickets (TGT) might not renew for non-Windows Kerberos clients when PerformTicketSignature is set to 1 (the default).
  • Service for User (S4U) scenarios, such as scheduled tasks, clustering, and services for line-of-business applications, might fail for all clients when PerformTicketSignature is set to 0.
  • S4UProxy delegation fails during ticket referral in cross-domain scenarios if DCs in intermediate domains are inconsistently updated and PerformTicketSignature is set to 1.

Here's the list of updates:

  • KB4594440 for Windows 10 version 20H2 and version 2004, builds 19042.631 and 19041.531.
  • KB4594443 for Windows 10 version 1909 and version 1903, builds 18363.1199 and 16362.1199.
  • KB4594441 for Windows 10 version 1607, build 14393.4048.

Microsoft doesn't make the above packages available via Windows Update. If you need them, you have to visit the Windows Update Catalog website, then download and install them manually.

