Public exploits available
A denial of service vulnerability exists in implementations of Microsoft Windows Active Directory due to improper validation of service principal names (SPNs), which could result in SPN collisions. When a collision occurs, services that use the SPN will downgrade to NTLM if configured to negotiate. Services that are not configured to negotiate will become unavailable, resulting in a denial of service condition.
An attacker who successfully exploited this vulnerability could cause the affected system to stop responding.
This is an authentication downgrade as well as a denial of service vulnerability. An attacker who exploited this vulnerability could cause the affected system to downgrade from Kerberos to NTLM, and in the worst case, cause the service to stop responding. Active Directory improperly processes specially crafted requests to update the service principal name (SPN), which can result in name collisions in the domain.
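To check a domain for the SPN collisions described above, the following added example (not part of the original advisory) scans an LDIF-style export of accounts and reports every SPN registered on more than one account. The sample export, the `example.test` names and the function names are constructed for illustration, and the case-insensitive comparison is an assumption.

```python
from collections import defaultdict

# Constructed sample: LDIF-style export (dn + servicePrincipalName), not real data.
SAMPLE_LDIF = """\
dn: CN=SQL01,OU=Servers,DC=example,DC=test
servicePrincipalName: MSSQLSvc/sql01.example.test:1433
servicePrincipalName: HOST/sql01.example.test

dn: CN=svc-report,OU=Service Accounts,DC=example,DC=test
servicePrincipalName: mssqlsvc/SQL01.exam
 ple.test:1433

dn: CN=WEB01,OU=Servers,DC=example,DC=test
servicePrincipalName: HTTP/web01.example.test
"""


def parse_ldif(text):
    """Return {dn: [spn, ...]}, unfolding LDIF continuation lines first."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # a leading space continues the previous line
        else:
            unfolded.append(line)
    records, dn = {}, None
    for line in unfolded:
        attr, sep, value = line.partition(":")  # first colon only (SPNs may carry a port)
        if not sep:
            dn = None  # blank line ends the current record
        elif attr.strip().lower() == "dn":
            dn = value.strip()
            records.setdefault(dn, [])
        elif attr.strip().lower() == "serviceprincipalname" and dn:
            records[dn].append(value.strip())
    return records


def find_spn_collisions(records):
    """Map each SPN held by more than one account to the sorted list of holders."""
    holders = defaultdict(set)
    for dn, spns in records.items():
        for spn in spns:
            holders[spn.lower()].add(dn)  # assumption: SPNs are compared case-insensitively
    return {spn: sorted(dns) for spn, dns in holders.items() if len(dns) > 1}


if __name__ == "__main__":
    for spn, dns in find_spn_collisions(parse_ldif(SAMPLE_LDIF)).items():
        print(f"COLLISION {spn}")
        for dn in dns:
            print(f"  held by {dn}")
```
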
All applications not on the affected list.
No known false positives at this time.
No known work-arounds at this time.