Microsoft addresses Kerberos PAC Validation Protocol flaws: CVE-2024-26248 and CVE-2024-29056
These vulnerabilities are elevation of privilege flaws that bypass the PAC signature
Published on April 15, 2024
On Tuesday, April 9, 2024, Microsoft released updates KB5036892 and KB5036893 for Windows 10 and 11, introducing a few new features and fixing known issues.
With these updates, Microsoft also patched two Kerberos PAC validation security vulnerabilities tracked as CVE-2024-26248 and CVE-2024-29056.
Both of these vulnerabilities are elevation of privilege flaws that circumvent the PAC signature checks previously implemented in KB5020805.
The support document states:
The Windows security updates released on or after April 9, 2024 address elevation of privilege vulnerabilities with the Kerberos PAC Validation Protocol. The Privilege Attribute Certificate (PAC) is an extension to Kerberos service tickets. It contains information about the authenticating user and their privileges. This update fixes a vulnerability where the user of the process can spoof the signature to bypass PAC signature validation security checks added in KB5020805.
The document makes an important point: simply downloading and installing the updates released on or after April 9, 2024 does not, by default, fix the security issues in CVE-2024-26248 and CVE-2024-29056.
Once the environment is fully updated, you need to move to Enforced mode to fully mitigate the security issues for all devices.
This means you first need to ensure that all Windows domain controllers and clients have installed the security update released on or after April 9, 2024. Next, while still in Compatibility mode, use the audit events it logs to confirm that no device has been left behind.
Finally, enable Enforcement mode across your environment to close CVE-2024-26248 and CVE-2024-29056.
Here are the details of the changes ahead:
April 9, 2024: Initial Deployment Phase – Compatibility Mode
The initial deployment phase starts with the updates released on April 9, 2024. This update adds new behavior that prevents the elevation of privilege vulnerabilities described in CVE-2024-26248 and CVE-2024-29056 but does not enforce it unless both Windows domain controllers and Windows clients in the environment are updated.
To enable the new behavior and to mitigate the vulnerabilities, you must make sure your entire Windows environment (including both domain controllers and clients) is updated. Audit Events will be logged to help identify devices not updated.
October 15, 2024: Enforced by Default Phase
Updates released on or after October 15, 2024, will move all Windows domain controllers and clients in the environment to Enforced mode by changing the registry subkey settings to PacSignatureValidationLevel=3 and CrossDomainFilteringLevel=4, enforcing the secure behavior by default.
The Enforced by Default settings can be overridden by an Administrator to revert to Compatibility mode.
April 8, 2025: Enforcement Phase
The Windows security updates released on or after April 8, 2025, will remove support for the registry subkeys PacSignatureValidationLevel and CrossDomainFilteringLevel and enforce the new secure behavior. There will be no support for Compatibility mode after installing this update.
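As an added example (not code from the article or from Microsoft), the PowerShell script below reports whether a domain controller is still in Compatibility mode or already in Enforced mode by reading the two registry values named above, and with -Enforce sets the Enforced-mode values 3 and 4. The registry path is an assumption and should be checked against the KB5037754 support document; the -Enforce step belongs only after every domain controller and client has received the April 9, 2024 update.

```powershell
# Added example: audit (and optionally set) the KB5037754 PAC validation mode
# using the two registry values the article names. Not Microsoft's own tooling.
# ASSUMPTION: the values live under HKLM\SYSTEM\CurrentControlSet\Services\Kdc;
# confirm the location against KB5037754 before relying on this in production.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc',  # assumed path
    [switch]$Enforce   # write the Enforced-mode values after reporting
)

# Enforced-mode targets as given in the October 15, 2024 phase description.
$Targets = @{
    PacSignatureValidationLevel = 3
    CrossDomainFilteringLevel   = 4
}

function Get-PacValidationState {
    param([string]$Key)
    $state = [ordered]@{}
    foreach ($name in $Targets.Keys) {
        # A missing value means the OS default applies (Compatibility mode before
        # October 15, 2024); report it as unset rather than guessing a number.
        $item = Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
        $current = if ($item) { $item.$name } else { $null }
        $state[$name] = [pscustomobject]@{
            Value    = $current
            Enforced = ($current -eq $Targets[$name])
        }
    }
    return $state
}

$state = Get-PacValidationState -Key $KdcKey
foreach ($name in $state.Keys) {
    $v = $state[$name]
    $shown = if ($null -eq $v.Value) { 'unset' } else { $v.Value }
    '{0,-28} current={1,-6} enforced={2}' -f $name, $shown, $v.Enforced
}

# Only move to Enforced mode once all DCs and clients are updated (see above).
# -WhatIf previews the change without writing to the registry.
if ($Enforce) {
    foreach ($name in $Targets.Keys) {
        if ($PSCmdlet.ShouldProcess("$KdcKey\$name", "Set DWORD to $($Targets[$name])")) {
            New-ItemProperty -Path $KdcKey -Name $name -PropertyType DWord `
                -Value $Targets[$name] -Force | Out-Null
        }
    }
}
```

Run it without switches on each domain controller to inventory the current mode, and with -Enforce -WhatIf first to preview the registry writes.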
For more details, review the support document for KB5037754. Have you installed the security patch released on April 9? If not, install it as soon as possible and ensure Enforcement mode is enabled to fix these security issues.
Srishti Sisodia
Windows Software Expert