CVE-2024-26248: 
vulnerability analysis and mitigation

Windows Kerberos Elevation of Privilege Vulnerability (CVE-2024-26248) was disclosed on April 9, 2024. This vulnerability affects the Kerberos PAC (Privilege Attribute Certificate) Validation Protocol in Windows systems, where a user can potentially spoof signatures to bypass PAC signature validation security checks. The vulnerability impacts multiple Windows versions including Windows 10, Windows 11, and various Windows Server editions (Microsoft Support).

The vulnerability exists in the PAC validation process during Kerberos authentication flows. When a Windows workstation performs PAC Validation, it initiates a Network Ticket Logon request to validate the service ticket through domain controllers. The vulnerability has received a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with high attack complexity and potential for complete compromise of system confidentiality, integrity, and availability (NVD).

The vulnerability could allow an attacker to perform local elevation of privilege where a malicious or compromised service account running on the Windows Workstation attempts to elevate their privileges to gain local Administration rights. This affects Windows servers accepting inbound Kerberos Authentication and performing PAC Validation (Microsoft Support).

Microsoft has outlined a three-step mitigation process: 1) UPDATE: Install Windows security updates released on or after April 9, 2024, on all domain controllers and Windows clients; 2) MONITOR: Use audit events in Compatibility mode to identify non-updated devices; 3) ENABLE: Implement Enforcement mode to fully mitigate the vulnerabilities. The complete mitigation requires updating the entire Windows environment, as unpatched domain controllers will not recognize the new request structure (Microsoft Support).