Kerberos Bronze Bit Attack: CVE-2020-17049 – Practical Exploitation

Discovery & Impact

While researching Kerberos in Azure Entra ID (formerly Active Directory), Jake found a way to bypass two protections for the authentication protocol. The Kerberos Bronze Bit attack would allow intruders to impersonate privileged users and access sensitive network services.

Remediation Outcome

Jake responsibly disclosed the vulnerability to Microsoft, which has since released multiple patches for CVE-2020-17049. The PAC now carries an additional field holding a “ticket signature”, so the KDC can detect tickets tampered with by any party other than the KDC itself.

1. We started with comprehensive research into Kerberos and Microsoft's extensions to it in Active Directory.

2. We then took a closer look at the TGS_REP data structure the KDC returns after the S4U2self exchange, specifically at where the Forwardable flag sits in the response.

3. Jake found that the Forwardable flag was not inside the Privilege Attribute Certificate (PAC). An attacker could therefore decrypt the service ticket, set the Forwardable flag to 1, and re-encrypt it.

4. The KDC could not detect that the value had been tampered with, because the flag was not part of the signed PAC.

5. We were able to convert a non-forwardable ticket into a Forwardable ticket.

6. This attack bypasses two key protections:
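As an added example (not code from the original write-up), the following Python model shows why the KDC in steps 3 and 4 could not notice the flipped bit, and how the ticket signature described under Remediation Outcome catches it. Everything here is a deliberate simplification: HMAC-SHA256 stands in for the Kerberos checksum types, the ticket layout is a JSON stand-in rather than real ASN.1, the flag bit position and key bytes are constructed, and the signature-over-ticket-body step is modelled after the patched behaviour rather than copied from Microsoft's implementation.

```python
import hashlib
import hmac
import json

# Assumed values for this model: HMAC-SHA256 stands in for the Kerberos
# checksum types and the bit position is constructed, not the RFC 4120 one.
FORWARDABLE = 1 << 1

def checksum(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def encode(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()

def issue_ticket(service_key, krbtgt_key, client, flags, ticket_signature):
    """KDC builds the encrypted part of a service ticket (simplified)."""
    pac = {"client": client, "groups": ["Domain Users"]}
    # Pre-patch: the server checksum covers only the PAC body. The ticket
    # flags live outside the PAC, so nothing binds them.
    pac["server_checksum"] = checksum(service_key, encode(pac)).hex()
    if ticket_signature:
        # Post-patch: an extra checksum, keyed with krbtgt, covers the whole
        # encrypted ticket part, flags included.
        pac["ticket_signature"] = checksum(
            krbtgt_key, encode({"flags": flags, "pac": pac})).hex()
    return {"flags": flags, "pac": pac}

def kdc_accepts(ticket, service_key, krbtgt_key) -> bool:
    """KDC-side validation when the ticket comes back (e.g. in S4U2proxy)."""
    pac = dict(ticket["pac"])
    server_checksum = bytes.fromhex(pac.pop("server_checksum"))
    ticket_sig = pac.pop("ticket_signature", None)
    if not hmac.compare_digest(server_checksum, checksum(service_key, encode(pac))):
        return False
    if ticket_sig is None:
        return True  # pre-patch KDC: a changed flag is invisible here
    pac["server_checksum"] = server_checksum.hex()
    expected = checksum(krbtgt_key, encode({"flags": ticket["flags"], "pac": pac}))
    return hmac.compare_digest(bytes.fromhex(ticket_sig), expected)

def set_forwardable(ticket) -> dict:
    """Model of the tampering step: only the flag changes, the PAC does not."""
    altered = json.loads(json.dumps(ticket))
    altered["flags"] |= FORWARDABLE
    return altered

def flag_flip_detected(patched: bool) -> bool:
    svc, krbtgt = b"constructed-service-key", b"constructed-krbtgt-key"
    ticket = issue_ticket(svc, krbtgt, "alice", flags=0, ticket_signature=patched)
    return not kdc_accepts(set_forwardable(ticket), svc, krbtgt)
```

`flag_flip_detected(False)` returns False (the unpatched check still passes after the flip), while `flag_flip_detected(True)` returns True because the krbtgt-keyed ticket signature no longer matches the altered flags.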