Version 1.1.582.0 of the Azure AD Connect Provisioning Agent prevents MitM attacks towards Domain Controllers (CVE-2021-36949)

This weekend, Microsoft released a new version of the Azure AD Connect Provisioning Agent. Version 1.1.582.0 addresses an authentication bypass vulnerability that is present in all previous versions of the agent.

About the vulnerability

An attacker can successfully perform a Meddler-in-the-Middle (MitM) attack between Windows Server installations running Azure AD Connect Provisioning Agents and Active Directory Domain Controller(s). The attacker would merely need to possess domain user credentials to be able to exploit this vulnerability.

This vulnerability is known as CVE-2021-36949.

Affected Azure AD Connect Provisioning Agent versions

All previous versions of the Azure AD Connect Provisioning Agent are vulnerable.

Disclosure

The vulnerability, with a CVSS v3 score of 7.1/6.4, was responsibly disclosed by Eyal Karni, Sagi Sheinfeld and Yaron Zinar with CrowdStrike.

About the Azure AD Connect Provisioning Agent

The Azure AD Connect Provisioning Agent is a central component for many organizations. The component plays a central role in Azure AD Connect Cloud Sync (as an alternative to Azure AD Connect) but is also commonly used for identity provisioning from Cloud HR solutions to Azure AD.

In contrast to Azure AD Connect, the database, rules and engine for Azure AD Connect Provisioning Agents are not placed on Windows Server installations on-premises, but within the Azure Active Directory infrastructure. This setup makes the agent lightweight, fast to deploy and easy to manage.

About version 1.1.582.0

Version 1.1.582.0 of the Azure AD Connect Provisioning Agent was released on August 8th, 2021, just prior to August 2021 Patch Tuesday.

You can download version 1.1.582.0 using this link. The download weighs 21,8 MB.

Additional mitigations

Admins are strongly encouraged to prevent NTLM traffic.

NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos protocol, or different authentication mechanisms, such as smart cards.

Malicious attacks on NTLM authentication traffic that result in a compromised server or Domain Controller can occur only if the server or Domain Controller handles NTLM requests. If those requests are denied, this attack vector is eliminated.

On Windows Servers with Azure AD Connect Provisioning Agent installations, admins are strongly encouraged to set the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" Group Policy setting to "Deny All" to prevent NTLM traffic between the Azure AD Connect Provisioning Agent and Active Directory Domain Controllers.

Call to action

Where network segmentation does not prevent unauthorized access to the network traffic between the Windows Servers running Azure AD Connect Provisioning Agents and Active Directory Domain Controllers, admins should upgrade vulnerable Azure AD Connect Provisioning Agent installations as soon as possible.
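
The two things this post asks of admins (agent at version 1.1.582.0 or later, outgoing NTLM restricted with Deny All) can be checked per server with the PowerShell below. This is an added example, not code from the original post or from Microsoft. The function name and the display-name pattern used to find the agent in the uninstall registry keys are assumptions; RestrictSendingNTLMTraffic is the registry value behind the Group Policy setting named above.

```powershell
# Added example. Run locally on each Windows Server that hosts the agent.
function Test-ProvisioningAgentHardening {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [version]$FixedVersion = '1.1.582.0',   # fixed release named in the post
        # Assumption: the agent's display name in the uninstall registry keys.
        [string]$DisplayNamePattern = '*Azure AD Connect Provisioning Agent*'
    )

    # 1. Installed agent version, read from the standard uninstall keys.
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $installed = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $DisplayNamePattern } |
        ForEach-Object { $_.DisplayVersion -as [version] } |
        Sort-Object -Descending |
        Select-Object -First 1

    # 2. "Restrict NTLM: Outgoing NTLM traffic to remote servers" is stored as
    #    RestrictSendingNTLMTraffic: 0 = Allow all, 1 = Audit all, 2 = Deny all.
    #    A missing value means the policy is not configured (NTLM is allowed).
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $raw   = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    $names = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
    $state = if ($null -eq $raw) { 'Not configured (allow all)' } else { $names[[int]$raw] }

    # An empty AgentVersion means no matching product was found on this server.
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        AgentVersion = $installed
        AgentPatched = ($null -ne $installed -and $installed -ge $FixedVersion)
        OutgoingNtlm = $state
        NtlmDenyAll  = ($raw -eq 2)
    }
}

Test-ProvisioningAgentHardening
```

Before enforcing Deny All, the Audit all value of the same setting records outgoing NTLM attempts in the Microsoft-Windows-NTLM/Operational event log, which shows what the deny would block on that server.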

Further reading

Two new Azure AD Connect versions were released to prevent MitM attacks towards Domain Controllers (CVE-2021-36949)  
Ten things you need to know about Azure AD Connect Cloud Provisioning 
Azure AD Connect Provisioning Agent v1.1.281.0 now supports gMSA, PHS Filtering and many other improvements
