Wednesday, April 23, 2025

Windows KDC Proxy RCE Vulnerability Allows Remote Server Takeover


A recently patched remote code execution (RCE) vulnerability in the Key Distribution Center (KDC) Proxy service of Microsoft Windows allows unauthenticated attackers to take control of vulnerable servers by controlling the Kerberos response the proxy receives.

Designated CVE-2024-43639 and carrying a CVSS base score of 9.8, this critical flaw stems from missing validation of a message length field before ASN.1 encoding, leading to an integer overflow and heap memory corruption.

The vulnerability exists in the KDC Proxy component responsible for forwarding Kerberos authentication requests between clients and domain controllers.


It primarily affects enterprise Active Directory environments that publish Kerberos to remote clients through gateway services such as Remote Desktop Gateway.

According to Trend Micro's analysis, an attacker exploits the flaw by steering the KDC Proxy toward a malicious "domain controller" (the realm the proxy forwards to is taken from the unauthenticated client's request), which then answers with a crafted Kerberos response carrying an oversized length value.

Successful exploitation grants SYSTEM-level privileges on the target server.

Technical Breakdown of the Vulnerability

KDC Proxy Message Handling

The KDC Proxy (MS-KKDCP) carries Kerberos messages inside a DER-encoded KDC-PROXY-MESSAGE structure sent in the body of an HTTPS POST. The protocol defines a strict structure for this encapsulation:

KDC-PROXY-MESSAGE ::= SEQUENCE {
    kerb-message   [0] OCTET STRING,
    target-domain  [1] KERB-REALM OPTIONAL,
    dclocator-hint [2] INTEGER OPTIONAL
}

Here, kerb-message contains the Kerberos payload prefixed with a 4-byte big-endian length field, the same framing Kerberos uses over TCP (RFC 4120, section 7.2.2).

When the proxy receives a response from the KDC, vulnerable versions accept any 32-bit value in this length field with no upper bound, even though no legitimate Kerberos reply comes anywhere near 4 GB.

Integer Overflow Mechanism

The bug is reached when the KDC Proxy re-encodes the oversized response using Microsoft's ASN.1 library (msasn1.dll).

The length arithmetic in the KpsDerPack() and ASN1BEREncLength() code paths operates on the attacker-supplied length without overflow checks:

Offset  Length  Name    Description
0x10    0x4     len     Kerberos response length (4 bytes, attacker-controlled)
0x18    0x8     buf     Pointer to response buffer

During encoding:

1. Compute required buffer size = len + DER headers (32-bit arithmetic)
2. LocalReAlloc(current_buffer, new_size)
3. memcpy(data, buf, len) // Corrupts the heap if new_size < len

By returning a response whose 32-bit length field lies between 4,294,966,267 and 4,294,967,295 bytes (0xFFFFFBFB to 0xFFFFFFFF), the attacker makes the size computation wrap around. This either:

  • Shrinks the allocation, because len plus the DER header bytes wraps past 2^32 to a small value
  • Produces a zero-length buffer when new_size wraps to exactly zero

Both outcomes leave a buffer far smaller than len, so the subsequent memcpy writes past its end and corrupts the heap under attacker control.
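The following C program is an added illustration, not code from the article or from Microsoft's kpssvc/msasn1 implementation. It builds the DER KDC-PROXY-MESSAGE wrapper (SEQUENCE, [0] EXPLICIT, OCTET STRING, then the 4-byte TCP prefix and the Kerberos bytes) around a constructed stand-in reply, and contrasts the 32-bit size arithmetic that wraps for a hostile length with a bounded 64-bit computation that rejects it. The helper names, the 16 MiB policy bound and the sample bytes are assumptions; the three-layer tag/length layout follows MS-KKDCP with the EXPLICIT tagging used by the Kerberos ASN.1 module.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KERB_TCP_PREFIX 4u
/* Assumed policy bound on one Kerberos reply (the limit in the real fix is not
   published here); generously above any legitimate ticket or error reply. */
#define MAX_KERB_RESPONSE (16u * 1024u * 1024u)

/* Number of DER length octets for a content length: short form below 0x80,
   otherwise one prefix byte plus the minimal big-endian bytes. Stands in for
   what ASN1BEREncLength has to compute; not Microsoft's code. */
static uint32_t der_length_octets(uint32_t len) {
    if (len < 0x80u)      return 1;
    if (len <= 0xFFu)     return 2;
    if (len <= 0xFFFFu)   return 3;
    if (len <= 0xFFFFFFu) return 4;
    return 5;
}

/* Write tag + DER length at out; returns the number of bytes written. */
static size_t der_put_tl(uint8_t *out, uint8_t tag, uint32_t len) {
    size_t n = 0;
    out[n++] = tag;
    if (len < 0x80u) { out[n++] = (uint8_t)len; return n; }
    uint32_t lo = der_length_octets(len) - 1;          /* long-form byte count */
    out[n++] = (uint8_t)(0x80u | lo);
    for (uint32_t i = 0; i < lo; i++)
        out[n++] = (uint8_t)(len >> (8 * (lo - 1 - i)));
    return n;
}

/* Vulnerable pattern: the three tag/length headers are added to kerb_len in
   32-bit arithmetic, so a length near UINT32_MAX wraps to a tiny size. */
static uint32_t required_size_unchecked(uint32_t kerb_len) {
    uint32_t inner = 1u + der_length_octets(kerb_len) + kerb_len;  /* OCTET STRING */
    uint32_t mid   = 1u + der_length_octets(inner) + inner;        /* [0] EXPLICIT */
    return 1u + der_length_octets(mid) + mid;                      /* SEQUENCE */
}

/* Hardened pattern: bound the attacker-controlled length before any
   arithmetic, then add in 64 bits so the sum cannot wrap. Returns 0 on success. */
static int required_size_checked(uint32_t kerb_len, uint64_t *out) {
    if (kerb_len <= KERB_TCP_PREFIX || kerb_len > MAX_KERB_RESPONSE) return -1;
    uint64_t inner = 1u + der_length_octets(kerb_len) + (uint64_t)kerb_len;
    uint64_t mid   = 1u + der_length_octets((uint32_t)inner) + inner;
    uint64_t outer = 1u + der_length_octets((uint32_t)mid) + mid;
    if (outer > UINT32_MAX) return -1;
    *out = outer;
    return 0;
}

/* Wrap msg_len bytes of Kerberos reply in a KDC-PROXY-MESSAGE carrying only
   kerb-message. Returns the encoded length and sets *out (caller frees),
   or 0 when the length check rejects the input. */
static size_t encode_kdc_proxy_message(const uint8_t *msg, uint32_t msg_len,
                                       uint8_t **out) {
    if (msg_len > MAX_KERB_RESPONSE - KERB_TCP_PREFIX) return 0;
    uint32_t kerb_len = msg_len + KERB_TCP_PREFIX;      /* prefix + message */
    uint64_t total;
    if (required_size_checked(kerb_len, &total) != 0) return 0;
    uint8_t *buf = malloc((size_t)total);
    if (!buf) return 0;
    uint32_t inner = 1u + der_length_octets(kerb_len) + kerb_len;
    uint32_t mid   = 1u + der_length_octets(inner) + inner;
    size_t n = 0;
    n += der_put_tl(buf + n, 0x30, mid);       /* SEQUENCE */
    n += der_put_tl(buf + n, 0xA0, inner);     /* [0] EXPLICIT context tag */
    n += der_put_tl(buf + n, 0x04, kerb_len);  /* OCTET STRING */
    for (int s = 24; s >= 0; s -= 8)           /* RFC 4120 7.2.2 big-endian prefix */
        buf[n++] = (uint8_t)(msg_len >> s);
    memcpy(buf + n, msg, msg_len);
    n += msg_len;
    *out = buf;
    return n;
}

/* Constructed stand-in for a DC reply: 10 arbitrary bytes, not a real AS-REP. */
static const uint8_t sample_kerb_msg[10] =
    { 0x6b, 0x08, 0x30, 0x06, 0xa0, 0x03, 0x02, 0x01, 0x05, 0xa1 };

int main(void) {
    uint8_t *enc = NULL;
    size_t n = encode_kdc_proxy_message(sample_kerb_msg, sizeof sample_kerb_msg, &enc);
    printf("wrapped %zu bytes:", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", enc[i]);
    printf("\n");
    free(enc);

    /* A 0xFFFFFFF0-byte "reply" needs 2 bytes according to the unchecked math,
       so a LocalReAlloc to that size followed by a memcpy of kerb_len bytes
       runs far past the buffer. The checked version refuses the length. */
    uint32_t hostile = 0xFFFFFFF0u;
    uint64_t sz = 0;
    printf("unchecked size for len 0x%08x: %u\n", hostile, required_size_unchecked(hostile));
    printf("checked: %s\n", required_size_checked(hostile, &sz) ? "rejected" : "accepted");
    return 0;
}
```

The two size functions differ only in where the length is bounded and in the width of the arithmetic, which is the whole fix: a cap on the attacker-controlled field before it feeds any allocation size, and no 32-bit addition on a value the peer chose.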

Exploitation Requirements and Impact

To exploit CVE-2024-43639, an attacker must:

  1. Steer the KDC Proxy into connecting to a malicious "domain controller" for the realm named in the proxied request
  2. Answer with a Kerberos message whose 4-byte length field lies in the overflow range
  3. Keep the leading bytes looking like a plausible Kerberos reply so that any superficial checks before the encoding step pass

Successful attacks grant complete control over the KDC Proxy server, enabling credential theft, lateral movement, and domain privilege escalation.

The vulnerability affects supported Windows Server versions on which the Kerberos KDC Proxy service is enabled; the proxy role, not the domain controller itself, is the exposed component. That makes it particularly dangerous for organizations using:

  • Hybrid Azure AD environments
  • Remote Desktop Services
  • DirectAccess VPN solutions

Detection and Mitigation Guidance

Microsoft patched this vulnerability in the November 2024 Patch Tuesday updates, adding length validation to the KpsSocketRecvDataIoCompletion function so that an out-of-range length is rejected before any buffer is sized from it. Organizations should:

1. Apply the November 2024 (or later) cumulative security update to every server running the KDC Proxy service, prioritizing internet-facing gateways

2. Alert on Kerberos TCP (port 88) responses whose 4-byte length prefix has the high bit set or exceeds any realistic message size; legitimate replies are orders of magnitude smaller than the overflow range

3. Review DC locator activity from KDC Proxy hosts (DNS SRV lookups for _kerberos._tcp and LDAP pings on UDP 389) for realms that do not belong to your forest, since a proxy resolving an unfamiliar realm is the first step of this attack

Additionally, segment KDC Proxy servers so they can reach only the domain controllers they are meant to serve, and review their outbound connection patterns for unexpected destinations.

Despite Microsoft's patch, residual risk remains from:

  • Delayed patching cycles in enterprise environments
  • Patch-diffing and public technical write-ups that lower the bar for building an exploit
  • Legacy systems that can no longer receive security updates

This vulnerability underscores the importance of protocol validation in security-critical components.

As Kerberos remains the authentication backbone for modern enterprises, continued scrutiny of its implementation details remains essential to prevent domain-wide compromises.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
