Today, Microsoft released two new Azure AD Connect versions to address an authentication bypass vulnerability in Azure AD Connect.
About the vulnerability
An attacker can successfully perform a Man-in-the-Middle (MitM) attack between Azure AD Connect server(s) and Active Directory Domain Controller(s). The attacker would merely need to possess domain user credentials to be able to exploit this vulnerability.
This vulnerability is known as CVE-2021-36949.
Affected Azure AD Connect versions
The following versions of Azure AD Connect are vulnerable:
- Azure AD Connect v1.x
- Azure AD Connect v2.0.3.0, released July 20, 2021
Disclosure
The vulnerability, with a CVSS v3 base/temporal score of 7.1/6.4, was responsibly disclosed by Eyal Karni, Sagi Sheinfeld and Yaron Zinar of CrowdStrike.
About the new Azure AD Connect versions
Today, two new versions of Azure AD Connect were released:
Azure AD Connect v1.6.11.3
Azure AD Connect v1.6.11.3 is a security update release of Azure AD Connect v1.x. This release addresses the vulnerability as documented in CVE-2021-36949.
This version is intended for organizations that wish to keep running Azure AD Connect v1.x, or that run Azure AD Connect on an older version of Windows Server and cannot upgrade that server to Windows Server 2016 or newer at this time.
Note:
Admins cannot use this version to update an Azure AD Connect v2.x server.
You can download this release using this link.
The download weighs 104.5 MB.
Azure AD Connect v2.0.8.0
Azure AD Connect v2.0.8.0 is a security update release of Azure AD Connect v2.x. This release addresses the vulnerability as documented in CVE-2021-36949.
Note:
This release requires Windows Server 2016 or newer. If you are using an older version of Windows Server, please use version 1.6.11.3.
You can download this release using this link.
The download weighs 152.9 MB.
Additional mitigations
Admins are strongly encouraged to prevent NTLM traffic.
NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos protocol, or different authentication mechanisms, such as smart cards.
Malicious attacks on NTLM authentication traffic that result in a compromised server or Domain Controller can occur only if the server or Domain Controller handles NTLM requests. If those requests are denied, this attack vector is eliminated.
Azure AD Connect with on-server database
On Azure AD Connect servers using the on-server SQL Server Express as their database, admins are strongly encouraged to configure the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" Group Policy setting with "Deny All" to prevent NTLM traffic between Azure AD Connect servers and Active Directory Domain Controllers.
Azure AD Connect with database on SQL Server (cluster)
On Azure AD Connect servers communicating with SQL Servers and/or SQL Server clusters that host their databases, admins are strongly encouraged to configure the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" Group Policy setting with "Deny All", but also to configure the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" Group Policy setting as a user-defined list of remote servers. Define the NetBIOS names of the SQL Server(s) and/or SQL Server cluster name(s), one per line. The asterisk symbol can be used as a wildcard, if need be.
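The following PowerShell script is an added example, not part of the original post or of Azure AD Connect itself. It reads the registry values that the two Group Policy settings above write on the Azure AD Connect server, reports whether outgoing NTLM is actually denied, and flags exception entries that are not on the admin's intended list of SQL Server names. It goes one step beyond the post by also pulling the audit events that "Audit all" mode logs before "Deny All" is enforced. The server names in $ExpectedServers are constructed placeholders.

```powershell
# Added example (not from the original post). Audits the effective outgoing-NTLM
# restriction on an Azure AD Connect server. $ExpectedServers is a constructed
# list standing in for the SQL Server / cluster names the admin put in the GPO.
function Get-NtlmOutboundPolicy {
    param(
        [string[]] $ExpectedServers = @('SQLAADC01', 'SQLAADCCLU')  # constructed names
    )
    # Both policy settings land under the MSV1_0 LSA key.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    # RestrictSendingNTLMTraffic: missing/0 = Allow all, 1 = Audit all, 2 = Deny all
    $mode = switch ([int]($props.RestrictSendingNTLMTraffic)) {
        1       { 'Audit all' }
        2       { 'Deny all' }
        default { 'Allow all (not configured)' }
    }

    # "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication"
    # ClientAllowedNTLMServers is a REG_MULTI_SZ with one server name per entry.
    $exceptions = @($props.ClientAllowedNTLMServers | Where-Object { $_ })
    $unexpected = @($exceptions | Where-Object { $_ -notin $ExpectedServers })
    # Wildcards widen the exception beyond the named SQL hosts the post recommends.
    $wildcards  = @($exceptions | Where-Object { $_ -match '\*' })

    [pscustomobject]@{
        OutgoingNtlm         = $mode
        DenyAllConfigured    = ($mode -eq 'Deny all')
        Exceptions           = $exceptions
        UnexpectedExceptions = $unexpected
        WildcardExceptions   = $wildcards
    }
}

# While the policy is still set to "Audit all", the NTLM operational log records
# each outgoing NTLM authentication that "Deny All" would block as event ID 8001.
# Use this to confirm only the intended SQL hosts show up before switching to Deny.
function Get-NtlmAuditedOutbound {
    param([int] $MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-NtlmOutboundPolicy | Format-List
Get-NtlmAuditedOutbound | Format-Table -Wrap
```

Run it in an elevated session on the Azure AD Connect server after a gpupdate; a non-empty UnexpectedExceptions or WildcardExceptions list means the exception GPO is broader than the SQL hosts the post calls for.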
Call to Action
Admins running vulnerable Azure AD Connect installations in network environments that do not use network segmentation to prevent unauthorized access to the traffic between Azure AD Connect servers and Active Directory Domain Controllers should upgrade their Azure AD Connect server(s) as soon as possible.
Further reading
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication