CVE-2024-29056: 
vulnerability analysis and mitigation

Windows Authentication Elevation of Privilege Vulnerability (CVE-2024-29056) was disclosed on April 9, 2024. This vulnerability affects the Kerberos PAC (Privilege Attribute Certificate) Validation Protocol in Windows systems, where the user of the process can spoof the signature to bypass PAC signature validation security checks. The vulnerability impacts multiple Windows versions including Windows Server 2008 through 2022 and various Windows 10 and 11 editions (Microsoft Support).

The vulnerability relates to the Privilege Attribute Certificate (PAC), which is an extension to Kerberos service tickets containing information about authenticating users and their privileges. When a Windows workstation performs PAC Validation on an inbound Kerberos authentication flow, it performs a new request (Network Ticket Logon) to validate the service ticket. The CVSS 3.1 base score is 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability could allow an attacker to perform an elevation of privilege attack. This is a Local Elevation of Privilege vulnerability where a malicious or compromised service account running on the Windows Workstation attempts to elevate their privilege to gain local Administration rights (Microsoft Support).

Microsoft has released security updates to address this vulnerability. The mitigation process involves three key steps: 1) UPDATE: Windows domain controllers and Windows clients must be updated with a Windows security update released on or after April 9, 2024, 2) MONITOR: Audit events will be visible in Compatibility mode to identify devices not updated, 3) ENABLE: After Enforcement mode is fully enabled in the environment. Registry keys are available to control the behavior, including PacSignatureValidationLevel and CrossDomainFilteringLevel (Microsoft Support).