VMSA-2021-0027 updates for VMware vCenter Server 6.5 and 6.7 address two vSphere Web Client vulnerabilities (CVE-2021-21980 and CVE-2021-22049)


Earlier this week, VMware released updates that address an arbitrary file read vulnerability in the vSphere Web Client (CVE-2021-21980) and an SSRF vulnerability in the vSphere Web Client (CVE-2021-22049). Both vulnerabilities exist in vCenter Server 6.5 and 6.7 and give an attacker with network access to vCenter Server a foothold against the environment it manages, including any virtual domain controllers running on the ESXi 6.5 and ESXi 6.7 hosts.

About the vulnerabilities

Arbitrary file read vulnerability in the vSphere Web Client (CVE-2021-21980)

The first vulnerability is an unauthorized arbitrary file read vulnerability in the vSphere Web Client.

Note:
vCenter Server vSphere Web Client (FLEX/Flash) is not available in vCenter Server 7.x, therefore vCenter Server 7.x is not affected.

This is an important update with a maximum CVSSv3 base score of 7.5. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.

The vulnerability was responsibly disclosed to VMware by ch0wn of Orz lab.

SSRF vulnerability in the vSphere Web Client (CVE-2021-22049)

The second vulnerability is a Server Side Request Forgery (SSRF) vulnerability in the vSAN Web Client (vSAN UI) plug-in in the vSphere Web Client.

Note:
vCenter Server vSphere Web Client (FLEX/Flash) is not available in vCenter Server 7.x, therefore vCenter Server 7.x is not affected.

This is an important update with a maximum CVSSv3 base score of 6.5. A malicious actor with network access to port 443 on vCenter Server may exploit this vulnerability to make vCenter Server issue requests to URLs outside of vCenter Server or to internal services that are not otherwise reachable.

The vulnerability was responsibly disclosed to VMware by magiczero from SGLAB of Legendsec at Qi'anxin Group.

How to address these vulnerabilities

VMware has released new versions of its vCenter Server 6.5 and vCenter Server 6.7 products that address the vulnerabilities; the fixed build numbers are listed in the advisory.

Concluding

Please install the updates for the version(s) of vCenter Server in use within your organization, as mentioned above and in the advisory for VMSA-2021-0027.


VMware has recalled all released versions of vSphere 7.0 Update 3

VMware’s vSphere ESXi 7.0 U3, U3a, and U3b and VMware vCenter 7.0 U3b are no longer available for download due to several critical issues identified in them.

Issues experienced in the field

Organizations running vSphere 7.0 Update 3 have reported several critical issues in the field; VMware tracks them in the 'vSphere 7.0 Update 3 Known Issues and Workarounds' article listed under Further reading.

Recalled and available versions

The following vSphere 7.0 Update 3 releases have been removed:

  • vSphere ESXi 7.0 Update 3    (build 18644231)
  • vSphere ESXi 7.0 Update 3a  (build 18825058)
  • vSphere ESXi 7.0 Update 3b  (build 18905247)
  • vSphere vCenter 7.0 Update 3b (build 18901211)

There had already been two updates to try to remedy the above issues, but the issues ended up being too serious to keep trying to patch in-situ.

What to do with this information

If your organization utilizes a previous version of VMware vSphere, hold off on planning the upgrade to vSphere 7.0 Update 3 for now. Eventually, a build that remedies the above issues will be made available and will be safe to upgrade to. There is hope that this build will arrive in time to escape the end of support for vSphere 6.5 and vSphere 6.7.

If you are already on 7.0 Update 3 and aren’t experiencing issues, you can ignore this blogpost and will likely be among the first organizations to upgrade to new builds anyway.

If you are already on 7.0 Update 3 and experiencing issues, you will receive support from VMware.

Further reading

VMware 7.0 ESXi Update 3 Pulled for Bugs  
Important Information on ESXi 7 Update 3  
VMware withdraws major vSphere release due to bugs
vSphere 7.0 Update 3 Known Issues and Workarounds


TODO: Mitigate the Information Disclosure vulnerability caused by improperly configured Azure Migrate applications

Azure Active Directory

Last week, Microsoft issued security guidance on a security issue within Azure Active Directory. In this guidance, Microsoft instructs Azure AD admins to rotate the credentials (certificates) of Azure Migrate applications that were created prior to November 2, 2021.

About the vulnerability

CVE-2021-42306 is a vulnerability in the way Azure AD stores the keyCredentials attribute for application and/or service principals for some Azure services.

The keyCredentials attribute stores the public key data for use in authentication, but certificates with private key data could have also been incorrectly stored in the attribute. Access to private key data can lead to an elevation of privilege attack by allowing a user to impersonate the impacted application and/or service principal.

Some Microsoft services incorrectly stored private key data in the keyCredentials attribute while creating applications. Azure Migrate is one of these services: it creates Azure AD applications to enable Azure Migrate appliances to communicate with the service's endpoints.

What Microsoft has done to mitigate

Azure Migrate deployed an update to the service to prevent private key data in clear text from being uploaded to the keyCredentials attributes of Azure AD applications.

Azure AD has mitigated the information disclosure issue by preventing reading of clear text private key data that was previously added by any user or service through the UI or through APIs.

As a result, clear text private key material in the keyCredentials attribute is inaccessible, mitigating the risks associated with storage of this material in the attribute.

Call to action

As a precautionary measure, Microsoft recommends using the assessment script in this GitHub Repository. After assessing the impacted Azure AD applications, you need to execute the mitigation script on each Azure Migrate appliance in your organization's environment.

Typically, under the App registrations section in the Azure AD portal, the applications associated with Azure Migrate carry one of the following suffixes:

  • resourceaccessaadapp
  • agentauthaadapp
  • authandaccessaadapp

Azure Migrate appliances that were registered after November 2, 2021 and had Appliance configuration manager version 6.1.220.1 and above are not impacted and do not require further action.


TODO: Change the credentials for Azure Automation Run-As accounts

Azure Active Directory

Last week, Microsoft issued security guidance on a security issue within Azure Active Directory. In this guidance, Microsoft instructs Azure AD admins to rotate the certificates of Azure Automation Run-As accounts that were created between October 15, 2020 and October 15, 2021.

About the vulnerability

CVE-2021-42306 is a vulnerability in the way Azure AD stores the keyCredentials attribute for application and/or service principals for some Azure services.

The keyCredentials attribute stores the public key data for use in authentication, but certificates with private key data could have also been incorrectly stored in the attribute. Access to private key data can lead to an elevation of privilege attack by allowing a user to impersonate the impacted application and/or service principal.

Some Microsoft services incorrectly stored private key data in the keyCredentials attribute while creating applications. Azure Automation is one of these services, as it uses the Application and Service Principal keyCredential APIs when Automation Run-As accounts are created.

What Microsoft has done to mitigate

Azure Automation deployed an update to the service to prevent private key data in clear text from being uploaded to the keyCredentials attributes of Azure AD applications.

Azure AD has mitigated the information disclosure issue by preventing reading of clear text private key data that was previously added by any user or service through the UI or through APIs.

As a result, clear text private key material in the keyCredentials attribute is inaccessible, mitigating the risks associated with storage of this material in the attribute.

Call to action

As a precautionary measure, Microsoft recommends rotating the self-signed certificates and certificates that you may have uploaded, if you’ve created Azure Automation Run-As accounts between October 15, 2020 and October 15, 2021.

To identify and remediate the Azure AD applications associated with impacted Azure Automation Run-As accounts, please navigate to this GitHub Repository.

Typically, for Azure Automation applications, the signInUrl in the manifest has the URL to the automation account which signifies the application is associated with an Automation account. You can find your application manifest under the App registration section in the Azure portal.

In addition, Azure Automation supports Managed Identities (general availability was announced in October 2021). Migrating from Run-As accounts to Managed Identities (MIs) removes the certificate credential altogether and thereby mitigates this issue. Please follow the guidance here to migrate.
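The two posts above boil down to the same triage question: which app registrations in the tenant belong to Azure Migrate or to an Automation Run-As account, and do their certificates fall inside the dates Microsoft gave? The Python below is an added example for these posts, not Microsoft's assessment script, and works offline on application objects shaped like the Microsoft Graph GET /applications output (displayName, appId, web.homePageUrl, keyCredentials[].startDateTime). Two assumptions are built in and labelled in the code: the manifest's signInUrl is exposed as web.homePageUrl by Graph, and a Run-As app's signInUrl contains the automation account's resource path. SAMPLE_APPS is constructed data; export your own tenant's applications to JSON and feed those in instead.

```python
"""Triage Azure AD app registrations for CVE-2021-42306 credential rotation.

Constructed example, not Microsoft's assessment script. It reports which
Azure Migrate and Automation Run-As app registrations still carry
certificates issued inside the affected date ranges.
"""
from datetime import datetime, timezone

# Suffixes the Azure Migrate guidance lists for its app registrations.
MIGRATE_SUFFIXES = ("resourceaccessaadapp", "agentauthaadapp", "authandaccessaadapp")
# Azure Migrate appliances registered on or after this date used the fixed service.
MIGRATE_FIXED_FROM = datetime(2021, 11, 2, tzinfo=timezone.utc)

# Automation Run-As accounts created inside this window need their certificates rotated.
AUTOMATION_WINDOW = (datetime(2020, 10, 15, tzinfo=timezone.utc),
                     datetime(2021, 10, 15, tzinfo=timezone.utc))
# Assumption: the manifest's signInUrl is exposed as web.homePageUrl by Graph, and a
# Run-As app points it at the automation account's resource path.
AUTOMATION_URL_MARKER = "/providers/Microsoft.Automation/automationAccounts/"


def parse_graph_time(value):
    """Graph returns ISO 8601 timestamps with a trailing 'Z'; make them aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def credential_start_dates(app):
    """Start dates of every certificate credential on the app (credentials without one are skipped)."""
    return [parse_graph_time(cred["startDateTime"])
            for cred in app.get("keyCredentials", []) if cred.get("startDateTime")]


def classify(app):
    """Return why the app needs credential rotation, or None when it does not."""
    name = app.get("displayName", "").lower()
    dates = credential_start_dates(app)
    if name.endswith(MIGRATE_SUFFIXES):
        if any(d < MIGRATE_FIXED_FROM for d in dates):
            return "Azure Migrate app with a certificate issued before 2021-11-02"
        return None
    home_page = (app.get("web") or {}).get("homePageUrl") or ""
    if AUTOMATION_URL_MARKER in home_page:
        start, end = AUTOMATION_WINDOW
        if any(start <= d <= end for d in dates):
            return "Automation Run-As app with a certificate issued between 2020-10-15 and 2021-10-15"
    return None


def triage(apps):
    """Map appId -> reason for every application that needs action."""
    findings = {}
    for app in apps:
        reason = classify(app)
        if reason:
            findings[app["appId"]] = reason
    return findings


SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real subscription
SAMPLE_APPS = [  # constructed sample data, not from a real tenant
    {"displayName": "contoso-migrate-resourceaccessaadapp", "appId": "app-migrate-old",
     "web": {"homePageUrl": None},
     "keyCredentials": [{"type": "AsymmetricX509Cert", "startDateTime": "2021-06-01T00:00:00Z"}]},
    {"displayName": "contoso-migrate-agentauthaadapp", "appId": "app-migrate-new",
     "web": {"homePageUrl": None},
     "keyCredentials": [{"type": "AsymmetricX509Cert", "startDateTime": "2021-11-05T00:00:00Z"}]},
    {"displayName": "contoso-automation_abcd1234", "appId": "app-runas-in-window",
     "web": {"homePageUrl": f"https://management.azure.com/subscriptions/{SUBSCRIPTION}"
                            f"/resourceGroups/rg-automation{AUTOMATION_URL_MARKER}contoso-automation"},
     "keyCredentials": [{"type": "AsymmetricX509Cert", "startDateTime": "2021-03-10T00:00:00Z"}]},
    {"displayName": "contoso-automation_ef567890", "appId": "app-runas-outside",
     "web": {"homePageUrl": f"https://management.azure.com/subscriptions/{SUBSCRIPTION}"
                            f"/resourceGroups/rg-legacy{AUTOMATION_URL_MARKER}legacy-automation"},
     "keyCredentials": [{"type": "AsymmetricX509Cert", "startDateTime": "2020-01-10T00:00:00Z"}]},
    {"displayName": "hr-portal", "appId": "app-unrelated",
     "web": {"homePageUrl": "https://hr.contoso.example/"},
     "keyCredentials": [{"type": "AsymmetricX509Cert", "startDateTime": "2021-05-01T00:00:00Z"}]},
]

if __name__ == "__main__":
    for app_id, reason in triage(SAMPLE_APPS).items():
        print(f"{app_id}: {reason}")
```

The script only narrows the list; rotating the certificates (or moving Automation to Managed Identities) still happens with Microsoft's mitigation scripts or the portal. Because Azure AD now refuses to return clear text private key data, the date windows are the signal to act on, not the contents of keyCredentials.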


I’m speaking at the 2021 Hybrid Identity Protection Conference

The Hybrid Identity Protection Conference

This December, I’m joining many of my technical friends at the Hybrid Identity Protection Conference.

About the Hybrid Identity Protection Conference

The Hybrid Identity Protection Conference is Semperis Inc.’s event to bring together the leading experts in the field of Identity and Access Management. The event offers a unique opportunity to spend time with peers, whose day-to-day job is to architect, manage, and protect identity management in the hybrid enterprise.

The 2021 Hybrid Identity Protection Conference is a virtual conference again, offering Identity sessions on two days: December 1, 2021 and December 2, 2021.

About my presentation

I’ll present a 60-minute session:

Windows Hello for Business Hybrid Access: How Does It Work Under The Covers?

December 1, 2021, 20:15 CET, Virtual

As weak, stolen and cracked passwords are at the root of 80% of cybersecurity incidents, Passwordless has the potential to change the world.

Under the covers, Windows Hello for Business, Microsoft's Passwordless solution, has already changed the authentication paradigm for Active Directory. Regardless of the device being domain-joined, hybrid Azure AD-joined or Azure AD-joined, you can access organizational resources without specifying credentials.

In this session, I explain how Windows Hello works in all three scenarios and what you need to get it going for your organization.

Join us!

The virtual Hybrid Identity Protection Conference is a free event.
All you need to do to attend the sessions is register.

The 2021 Hybrid Identity Protection Conference uses AccelEvents as the delivery platform. By registering, you confirm you intend to interact with and disclose personal information to Semperis and AccelEvents.


I'm presenting a webinar with the Petri IT Knowledgebase and StealthBits

Presenting a webinar

On December 2 at 7 PM CET (1 PM ET), I'm presenting a webinar with Petri IT Knowledgebase and StealthBits on securing Active Directory.

About Petri.com

The Petri IT Knowledgebase has served as one of the world’s leading content and community resources for IT professionals and system administrators for more than 15 years. First launched by fellow Microsoft MVP Daniel Petri in 1999, the Petri IT Knowledgebase has always been focused on serving the needs of IT professionals by providing information to help them solve problems, do their jobs more effectively, and to advance their careers.

In addition to having an extensive library of how-to, news, and opinion content focused on Microsoft Windows and Windows Server, Exchange Server, Microsoft 365, PowerShell, Cisco, VMware, and dozens of other IT platforms and technologies, the Petri IT Knowledgebase forums are also a popular online destination for system administrators to network and exchange information with their peers.

About StealthBits

Stealthbits is a customer-driven cybersecurity software company focused on protecting an organization’s sensitive data and the credentials attackers use to steal that data. By removing inappropriate data access, enforcing security policy, and detecting advanced threats, their highly innovative and infinitely flexible platform delivers real protection that reduces security risk, fulfils compliance requirements, and decreases operational expense.

About the webinar

Alex McCoy and I will be presenting a 60-minute webinar through GoToWebinar:

AD Configuration Strategies for Stronger Security

Thursday December 2, 2021, 1 PM ET / 7 PM CET

Active Directory is leveraged by over 90% of enterprises worldwide as the authentication and authorization hub of their IT infrastructure — but its inherent complexity leaves it prone to misconfigurations that can allow attackers to slip into your network and wreak havoc. To reduce risk, you need to ensure your Active Directory is clean, configured properly, monitored closely and controlled tightly.

Stealthbits is eager to help you achieve these goals. Join our session to explore:

  • Whether you should upgrade your domain controllers to Windows Server
    2019 and beyond
  • Achieving mission impossible: updating DCs within 48 hours
  • How to disable legacy protocols and outdated compatibility options in
    Active Directory
  • How to better secure service accounts with gMSAs and least privilege
  • The AD Tier Model as a goal and the Protected Users group as an easy fix

Join us!

Join Alex McCoy, Russell Smith and me for 60 minutes of Active Directory security goodness. Register here.


You may encounter authentication issues after installing the November 2021 Cumulative updates

Windows Server

While installing updates is one of the most basic information security measures, many organizations do not install updates for Windows Server within 48 hours of their release. This month we saw another reason why it is smart to test updates in a pre-production environment before deploying them to production domain controllers.

After installing the November 2021 cumulative and/or security updates on domain controllers, you might experience authentication failures on servers relating to Kerberos tickets acquired via S4U2self.

About the issue

The authentication failures occur when Kerberos tickets acquired via S4U2self are used as evidence tickets for protocol transition to delegate to back-end services and fail signature validation. Kerberos authentication fails in delegation scenarios that rely on a front-end service to retrieve a Kerberos ticket on behalf of a user to access a back-end service.

People in your environment might be unable to sign into services or applications using Single Sign On (SSO) using Active Directory or in a hybrid Azure AD environment.

Affected environments might be using the following:

  • Azure Active Directory (AAD) Application Proxy Integrated Windows Authentication (IWA) using Kerberos Constrained Delegation (KCD)
  • Web Application Proxy (WAP) Integrated Windows Authentication (IWA) Single Sign On (SSO)
  • Active Directory Federated Services (AD FS)
  • Microsoft SQL Server
  • Internet Information Services (IIS) using Integrated Windows Authentication (IWA)
  • Intermediate devices including load balancers performing delegated authentication

You might receive one or more of the following errors when encountering this issue:

  • Events in the System log with EventID 18 and source Microsoft-Windows-Kerberos-Key-Distribution-Center.
  • Events in the Azure AD Application Proxy logs with EventID 12027, source Microsoft-AAD Application Proxy Connector, error 0x8009030c and with the following text:

Web Application Proxy encountered an unexpected error

How to fix this issue

This issue was resolved in out-of-band updates released on November 14, 2021. Install the out-of-band update for your version of Windows Server on the domain controllers when you experience this issue.

As these are standalone packages, search for them in the Microsoft Update Catalog and then import the update(s) into Windows Server Update Services (WSUS) manually. These updates will not install automatically.

KB5008601 (Windows Server 2016) and KB5008602 (Windows Server 2019) are cumulative updates: when you haven't installed the November 9, 2021 cumulative updates, install these instead. For the other operating systems, install the November 9, 2021 cumulative update first and then install the out-of-band update.


VMware fixes an important privilege escalation vulnerability in vCenter Server (VMSA-2021-0025)


This week, VMware released an update that addresses a vulnerability in vCenter Server. This vulnerability can be used to compromise vCenter Server installations and the ESXi hosts they manage.

Note:
The vulnerability exists in VMware Cloud Foundation, too.

About vCenter Server

VMware vCenter Server, formerly known as VirtualCenter, is the centralized management tool for the vSphere suite. vCenter Server allows for the management of multiple ESXi hosts and virtual machines (VMs) from different ESXi hosts through a single console or web application.

About the vulnerability

The vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism. VMware identifies the vulnerability as CVE-2021-22048 and VMSA-2021-0025 and has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

A malicious actor with non-administrative access to vCenter Server may exploit this issue to elevate privileges to a higher privileged group.

This vulnerability was privately reported to VMware by Yaron Zinar and Sagi Sheinfeld of CrowdStrike.

How to fix the situation

VMware has investigated and determined that the possibility of exploitation can be removed by applying a workaround. The workaround for CVE-2021-22048 is to switch from Integrated Windows Authentication (IWA) to

Call to action

As many online HOWTOs explain how to configure vCenter Server Single Sign-On using Integrated Windows Authentication (IWA), a large share of vCenter Server implementations is exposed to this privilege escalation.

Please switch the Single Sign-On configuration of your vCenter Server(s) to Active Directory over LDAPS or to identity provider federation with AD FS.

Further reading

vSphere Authentication with vCenter Single Sign-On 
Active Directory over LDAP and OpenLDAP Server Identity Source Settings  
Configure vCenter Server Identity Provider Federation for AD FS


KnowledgeBase: You receive EventID 16990 or 16991 when users create or modify computer objects

Windows Server

One of the more recent issues you might encounter, when you create or modify computer objects and/or (group) managed service accounts in Active Directory is errors on your domain controllers with event ID 16990 or 16991 with source Directory-Services-SAM in the System event log.

The situation

You run an Active Directory forest with Domain Controllers that are up to date with the latest monthly cumulative updates.

People in your environment routinely create, modify and/or delete computer objects. The user accounts for these people have been configured with delegated permissions to create and/or modify computer accounts and/or (group) managed service accounts in Active Directory.

The issue

People experience errors with EventID 16990 or EventID 16991 in the System event logs of domain controllers when they create or modify computer objects or (group) managed service accounts, instead of the usual informational events in the Security event log with EventID 4741 (a computer account was created) or EventID 4742 (a computer account was changed).

The computer object is not created and/or modified.

The cause

Events with EventID 16990 and 16991 are caused by the new validations on domain controllers to prevent attackers from impersonating domain controllers using a technique labelled ‘computer account sAMAccountName spoofing’. A successful attack may lead to elevation of privilege.

EventID 16991

You receive events with EventID 16991 with source Directory-Services-SAM in the System event log of domain controllers, when:

  • The Windows updates released on November 9, 2021 or later are installed on the domain controllers.
  • The computer account is created, or its sAMAccountName or userAccountControl attribute is modified, by a user who does not have administrator rights for machine accounts.
  • The account is computer-derived: either the 13th bit of the userAccountControl attribute (UF_WORKSTATION_TRUST_ACCOUNT, 0x1000) or the 14th bit (UF_SERVER_TRUST_ACCOUNT, 0x2000) is set. This covers computer objects and (group) managed service accounts.
  • The sAMAccountName attribute of the account does not end with a single trailing dollar sign ($).

The event’s description for errors with EventID 16991 reads:

The security account manager blocked a non-administrator from creating or renaming a computer account using an invalid sAMAccountName. sAMAccountName on computer accounts must end with a single trailing $ sign.

In this case, the following failure code is logged:

0x523 ERROR_INVALID_ACCOUNTNAME

EventID 16990

An event with EventID 16990 with source Directory-Services-SAM is logged in the System event log when a user who does not have administrator rights creates an object whose objectClass does not match the account-type flags in its userAccountControl attribute. A user object is expected to carry the 10th bit (UF_NORMAL_ACCOUNT, 0x200) or the 12th bit (UF_INTERDOMAIN_TRUST_ACCOUNT, 0x800); a computer object or (group) managed service account is expected to carry the 13th bit (UF_WORKSTATION_TRUST_ACCOUNT, 0x1000) or the 14th bit (UF_SERVER_TRUST_ACCOUNT, 0x2000). Any other combination is blocked.

The event’s description for errors with EventID 16990 reads:

The security account manager blocked a non-administrator from creating an Active Directory account in this domain with mismatched objectClass and userAccountControl account type flags.

In this case, the following failure code is logged:

ACCESS_DENIED
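To make the two validations concrete, here is an added example for this post (not Microsoft's code, and not something the page's KB article ships): a small Python model of what a patched domain controller's Security Account Manager checks when a caller without administrator rights creates a computer-derived object or rewrites its sAMAccountName or userAccountControl. The flag values, event IDs and failure codes are the ones quoted above; the pairing of classes to flags follows the description of EventID 16990. The sample writes at the bottom are constructed.

```python
"""Model of the SAM hardening checks from KB5008102 (CVE-2021-42278).

Constructed example, not Microsoft's code: it replays the two validations a
patched domain controller applies when a non-administrator creates a
computer-derived object or modifies its sAMAccountName or userAccountControl.
"""

# userAccountControl account-type flags (bit numbers are 1-based, as in the text).
UF_NORMAL_ACCOUNT = 0x0200             # 10th bit
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800  # 12th bit
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000  # 13th bit
UF_SERVER_TRUST_ACCOUNT = 0x2000       # 14th bit

USER_TYPE_FLAGS = UF_NORMAL_ACCOUNT | UF_INTERDOMAIN_TRUST_ACCOUNT
COMPUTER_TYPE_FLAGS = UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT

# Structural classes the check treats as computer-derived.
COMPUTER_CLASSES = {"computer", "msDS-ManagedServiceAccount", "msDS-GroupManagedServiceAccount"}

EVENT_16990 = (16990, "ACCESS_DENIED")
EVENT_16991 = (16991, "0x523 ERROR_INVALID_ACCOUNTNAME")


def has_single_trailing_dollar(sam_account_name):
    """True for 'WS01$', False for 'WS01' and 'WS01$$'."""
    return sam_account_name.endswith("$") and not sam_account_name.endswith("$$")


def validate_write(object_class, sam_account_name, user_account_control, caller_is_admin):
    """Return None when SAM accepts the write, else the (event id, failure code) it logs."""
    if caller_is_admin:               # both events speak of blocking a non-administrator
        return None
    account_type = user_account_control & (USER_TYPE_FLAGS | COMPUTER_TYPE_FLAGS)
    computer_class = object_class in COMPUTER_CLASSES
    # Validation 1: account-type flags must match the objectClass (EventID 16990).
    expected = COMPUTER_TYPE_FLAGS if computer_class else USER_TYPE_FLAGS
    if not (account_type & expected) or (account_type & ~expected):
        return EVENT_16990
    # Validation 2: computer-derived accounts need exactly one trailing '$' (EventID 16991).
    if computer_class and not has_single_trailing_dollar(sam_account_name):
        return EVENT_16991
    return None


SAMPLE_WRITES = [  # constructed: (label, objectClass, sAMAccountName, userAccountControl, admin?)
    ("delegated user joins a workstation", "computer", "WS01$", UF_WORKSTATION_TRUST_ACCOUNT, False),
    ("delegated user names a computer like a DC", "computer", "DC01", UF_WORKSTATION_TRUST_ACCOUNT, False),
    ("double trailing dollar", "computer", "WS02$$", UF_WORKSTATION_TRUST_ACCOUNT, False),
    ("user object with computer flags", "user", "bob", UF_WORKSTATION_TRUST_ACCOUNT, False),
    ("computer object with user flags", "computer", "WS03$", UF_NORMAL_ACCOUNT, False),
    ("gMSA", "msDS-GroupManagedServiceAccount", "svc-web$", UF_WORKSTATION_TRUST_ACCOUNT, False),
    ("domain admin, same bad name", "computer", "DC01", UF_WORKSTATION_TRUST_ACCOUNT, True),
]


def run_samples():
    """Outcome per sample write; None means the domain controller accepts it."""
    return {label: validate_write(cls, sam, uac, admin)
            for label, cls, sam, uac, admin in SAMPLE_WRITES}


if __name__ == "__main__":
    for label, outcome in run_samples().items():
        print(f"{label}: {'accepted' if outcome is None else outcome}")
```

The second sample is the case the hardening exists for: a delegated user creating a computer account whose sAMAccountName lacks the trailing $ and therefore collides with the short name of a domain controller. Note that the model, like the real check, lets administrators through; that is why the last sample is accepted.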

The solution

For existing objects, the validation only runs when users who do not have administrator rights modify the sAMAccountName or userAccountControl attributes; objects created before the update are not touched until then.

Either make these modifications using accounts that are members of the Domain Admins group, or, preferably, correct the values being written so that delegated users keep working: give computer accounts and (group) managed service accounts a sAMAccountName that ends in exactly one trailing dollar sign ($), and set account-type flags in userAccountControl that match the objectClass. Tooling and scripts that create computer objects without the trailing $, or with a user-type flag, need to be fixed rather than run with elevated rights.

Further reading

KB5008102—AD Security Accounts Manager hardening changes (CVE-2021-42278) 
CVE-2021-42278 – Security Update Guide  
UserAccountControl property flags


Four Active Directory Elevation of Privilege vulnerabilities were addressed in the November 2021 Updates

Windows Update

When looking at the November 9, 2021 updates today, I noticed four vulnerabilities that specifically concern Active Directory Domain Services. These vulnerabilities affect domain controllers, which sit at the heart of many networking infrastructure environments.

 

About the vulnerabilities

Four vulnerabilities were addressed:

CVE-2021-42278 Active Directory Domain Services Elevation of Privilege Vulnerability

CVE-2021-42278 is a vulnerability that could allow an attacker to elevate privileges. This vulnerability allows an attacker to impersonate a domain controller using computer account sAMAccountName spoofing. The CVSSv3 score of this vulnerability is 7.5 (base) / 6.5 (temporal).

An update is available for all supported Operating Systems. After installing the update, domain controllers perform additional validation inspections for user and computer objects.

 

CVE-2021-42282 Active Directory Domain Services Elevation of Privilege Vulnerability

CVE-2021-42282 is a vulnerability that could allow an attacker to elevate privileges. This vulnerability exists in the way domain controllers verify the uniqueness of userPrincipalName values, servicePrincipalName values and servicePrincipalName aliases. This vulnerability allows an attacker to obtain delegated access by reassigning a servicePrincipalName alias that is implicitly assigned to a different account. The CVSSv3 score of this vulnerability is 7.5 (base) / 6.5 (temporal).

An update is available for Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012. After installing the update, SPNs are guaranteed unique in a forest, which prevents computers and domain controllers from adding duplicate SPNs. This functionality already exists in newer versions of Windows Server and is described in SPN and UPN uniqueness.

An update is available for all supported Operating Systems. After installing the update, servicePrincipalName aliases are also guaranteed unique in a forest.

 

CVE-2021-42287 Active Directory Domain Services Elevation of Privilege Vulnerability

CVE-2021-42287 is a vulnerability that could allow an attacker to elevate privileges. This vulnerability affects the Kerberos Privilege Attribute Certificate (PAC) and allows an attacker to impersonate domain controllers. To exploit this vulnerability, a compromised domain account might cause the Key Distribution Center (KDC) to create a service ticket (ST) with a higher privilege level than that of the compromised account. An attacker accomplishes this by preventing the KDC from identifying which account the higher privilege ST is for. The CVSSv3 score of this vulnerability is 7.5 (base) / 6.5 (temporal).

An update is available for all supported Operating Systems. The update introduces an improved authentication process that adds new information about the original requestor to the PACs of Kerberos Ticket-Granting Tickets (TGTs). Later, when a Kerberos service ticket is generated for an account, the new authentication process verifies that the account that requested the TGT is the same account referenced in the service ticket.  After installing the update, PACs will be added to the TGT of all domain accounts, even those that previously chose to decline PACs.

The updates for the November 2021 Patch Tuesday introduce and enable the new authentication process. The updates for the July 2022 Patch Tuesday enforce the verifications based on the new process.
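The verification described above is easy to misread, so here is an added example for this post (not Microsoft's KDC code): a Python model in which the TGT carries the SID of the account that requested it, and the KDC refuses to build a service ticket for any account other than that requestor. The directory, SIDs and ticket objects are constructed, and the model does not cover how a TGT ends up with a client name that resolves to a different account than its requestor; it starts from that state and shows what the deployment phase (log and issue) and the enforcement phase (reject) do with it. The phase numbers are an assumption chosen to match the 1 = deployment, 2 = enforcement values of the PacRequestorEnforcement setting from KB5008380.

```python
"""Model of the PAC requestor check added for CVE-2021-42287.

Constructed example, not Microsoft's KDC code. A TGT records the SID of the
account that requested it; when a service ticket is built, the account the
ticket is for must be that same SID. Deployment phase: log and issue as
before. Enforcement phase: reject.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEPLOYMENT, ENFORCEMENT = 1, 2   # assumed to mirror PacRequestorEnforcement 1 / 2


class TicketRejected(Exception):
    pass


@dataclass(frozen=True)
class Account:
    sid: str
    sam_account_name: str


@dataclass(frozen=True)
class Tgt:
    cname: str                        # client principal name carried in the TGT
    pac_requestor_sid: Optional[str]  # SID from the PAC requestor buffer; None = pre-update TGT


@dataclass(frozen=True)
class ServiceTicket:
    service: str
    client_name: str
    client_sid: str


class Kdc:
    def __init__(self, accounts: List[Account], phase: int):
        self.by_name: Dict[str, Account] = {a.sam_account_name.lower(): a for a in accounts}
        self.phase = phase
        self.audit_log: List[str] = []

    def issue_service_ticket(self, tgt: Tgt, service: str) -> ServiceTicket:
        account = self.by_name.get(tgt.cname.lower())
        if account is None:
            raise TicketRejected(f"client {tgt.cname!r} not found")
        # New step: the requestor recorded in the TGT must be the account the ST is for.
        problem = None
        if tgt.pac_requestor_sid is None:
            problem = f"TGT for {tgt.cname!r} carries no PAC requestor"
        elif tgt.pac_requestor_sid != account.sid:
            problem = (f"TGT for {tgt.cname!r} was requested by {tgt.pac_requestor_sid} "
                       f"but the name now resolves to {account.sid}")
        if problem is not None:
            if self.phase >= ENFORCEMENT:
                raise TicketRejected(problem)
            self.audit_log.append(problem)   # deployment phase: log, then issue as before
        return ServiceTicket(service, account.sam_account_name, account.sid)


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"      # constructed domain SID
ACCOUNTS = [Account(f"{DOMAIN}-1000", "DC01$"), Account(f"{DOMAIN}-1105", "WS01$")]


def demo(phase: int):
    """Run three constructed TGTs through a KDC in the given phase.

    Returns (outcome per case, audit log); an outcome is the SID the service
    ticket was issued for, or the string 'rejected'.
    """
    kdc = Kdc(ACCOUNTS, phase)
    cases = {
        "own account": Tgt("WS01$", f"{DOMAIN}-1105"),
        "name resolves to another account": Tgt("DC01$", f"{DOMAIN}-1105"),
        "legacy TGT without requestor": Tgt("WS01$", None),
    }
    outcome = {}
    for label, tgt in cases.items():
        try:
            outcome[label] = kdc.issue_service_ticket(tgt, "cifs/fileserver.corp.example").client_sid
        except TicketRejected:
            outcome[label] = "rejected"
    return outcome, kdc.audit_log


if __name__ == "__main__":
    for phase_name, phase in (("deployment", DEPLOYMENT), ("enforcement", ENFORCEMENT)):
        results, log = demo(phase)
        print(phase_name, results, f"({len(log)} audit entries)")
```

In the deployment phase the second case still yields a service ticket for DC01$, which is exactly the outcome the July 2022 enforcement closes off; the third case shows why every domain controller must run the November 2021 code before enforcement, because a TGT issued by an unpatched domain controller has no requestor to verify and is rejected.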

 

CVE-2021-42291 Active Directory Domain Services Elevation of Privilege Vulnerability

CVE-2021-42291 is a vulnerability that could allow an attacker to elevate privileges. To exploit this vulnerability, a user must have sufficient privileges to create a computer account, such as a user granted CreateChild permissions for computer objects. That user could create a computer account using a Lightweight Directory Access Protocol (LDAP) Add operation that allows overly permissive access to the securityDescriptor attribute. Additionally, creators and owners can modify security-sensitive attributes after creating an account. The CVSSv3 score of this vulnerability is 7.5 (base) / 6.5 (temporal).

An update is available for all supported Operating Systems. The update introduces two mitigations:

  1. Additional authorization verification when users without domain administrator rights attempt an LDAP Add operation for a computer-derived object.
  2. Temporary removal of the Implicit Owner privileges when users without domain administrator rights attempt an LDAP Modify operation on the securityDescriptor attribute. A verification occurs to confirm if the user would be allowed to write the security descriptor without Implicit Owner privileges.

The updates for the November 2021 Patch Tuesday introduce and enable the Audit mode for the above mitigations. The updates for the April 2022 Patch Tuesday switch from Audit mode to Enforcement mode.

 

Call to action

I urge you to install the necessary security updates on Windows Server installations running as Active Directory Domain Controllers in a test environment as soon as possible, assess the risk and possible impact on your production environment and then roll out the updates to the domain controllers in production.

Make sure all domain controllers receive the November 2021 updates before deploying the April 2022 updates (which enforce the CVE-2021-42291 mitigations) and the July 2022 updates (which enforce the CVE-2021-42287 verification). The enforcement phases assume every domain controller already runs the new logic; domain controllers that jump straight from pre-November 2021 builds to the enforcement updates, or a mix of enforcing and unpatched domain controllers, can cause authentication failures.
