When looking at the October 12th, 2021 updates today, I noticed three updates that specifically address vulnerabilities in Active Directory Domain Services and DNS. These vulnerabilities affect domain controllers at the heart of many networking infrastructure environments.
About the vulnerabilities
Three vulnerabilities were addressed:
CVE-2021-40460 RPC Runtime Security Feature Bypass Vulnerability
CVE-2021-40460 is a vulnerability that could allow an attacker to bypass Extended Protection for Authentication provided by servicePrincipalName (SPN) target name validation over the network. The CVSSv3 score of this vulnerability is 6.5/5.7.
An update is available for all supported Operating Systems.
CVE-2021-40469 DNS Server Remote Code Execution Vulnerability
CVE-2021-40469 is a remote code execution vulnerability in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account over the network. The CVSSv3 score of this vulnerability is 7.2/6.5.
Proof of Concept (PoC) code for attacking this vulnerability already exists.
An update is available for (domain controllers running as) DNS servers running Windows Server 2008, and up.
CVE-2021-41337 Active Directory Security Feature Bypass Vulnerability
CVE-2021-41337 is a vulnerability that could allow an attacker to bypass Active Directory domain permissions for the Key Admins and Enterprise Key Admins groups over the network. The CVSSv3 score of this vulnerability is 4.9/4.3.
An update is available for domain controllers running Windows Server 2016, and up, as the above groups were introduced with Windows Server 2016.
Call to action
I urge you to install the necessary security updates on Windows Server installations running as (Active Directory Domain Controllers and) DNS servers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out these updates to Windows Server installations running as (Active Directory Domain Controllers and) DNS servers in the production environment.
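To scope that rollout, the following added example (not part of the original post, and not Microsoft's code) maps each server to the three updates using the applicability rules stated above. The function name, the input property names and the sample inventory are hypothetical and constructed for illustration, and the hotfix-date comparison is only a rough heuristic.

```powershell
# Added example, not from the original post. Function and property names are hypothetical.
$ReleaseDate = [datetime]'2021-10-12'   # release date of the updates named in the post

function Get-October2021UpdateScope {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Server
    )
    process {
        # Active Directory reports versions like "10.0 (14393)"; keep the "major.minor" part.
        $osVersion = [version](($Server.OperatingSystemVersion -split ' ')[0])

        # CVE-2021-40460: update available for all supported operating systems.
        $applies = @('CVE-2021-40460')
        # CVE-2021-40469: DNS servers running Windows Server 2008 (6.0) and up.
        if ($Server.RunsDns -and $osVersion -ge [version]'6.0') {
            $applies += 'CVE-2021-40469'
        }
        # CVE-2021-41337: domain controllers running Windows Server 2016 (10.0) and up.
        if ($Server.IsDomainController -and $osVersion -ge [version]'10.0') {
            $applies += 'CVE-2021-41337'
        }

        # Heuristic (assumption): no hotfix recorded on or after the release date
        # means the server should be checked by hand.
        $needsReview = (-not $Server.LastHotFixDate) -or
                       ([datetime]$Server.LastHotFixDate -lt $ReleaseDate)

        [pscustomobject]@{
            HostName    = $Server.HostName
            AppliesTo   = $applies -join ', '
            NeedsReview = $needsReview
        }
    }
}

# Constructed sample inventory. For live data, build objects with the same properties
# from Get-ADDomainController -Filter *, the Win32_Service entry named 'DNS', and Get-HotFix.
$inventory = @(
    [pscustomobject]@{ HostName = 'dc01.example.test'; OperatingSystemVersion = '10.0 (17763)'
                       IsDomainController = $true;  RunsDns = $true;  LastHotFixDate = '2021-10-14' }
    [pscustomobject]@{ HostName = 'dc02.example.test'; OperatingSystemVersion = '6.3 (9600)'
                       IsDomainController = $true;  RunsDns = $true;  LastHotFixDate = $null }
    [pscustomobject]@{ HostName = 'dns01.example.test'; OperatingSystemVersion = '10.0 (14393)'
                       IsDomainController = $false; RunsDns = $true;  LastHotFixDate = '2021-09-16' }
)

$inventory | Get-October2021UpdateScope | Format-Table -AutoSize
```

A server with `NeedsReview` set to `False` is not proven patched: a hotfix dated after the release may be unrelated, so confirm the installed update in the server's update history.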