Four Active Directory Elevation of Privilege vulnerabilities were addressed in the November 2021 Updates

When looking at the November 9th, 2021 updates today, I noticed four updates that specifically address vulnerabilities in Active Directory Domain Services. These vulnerabilities affect domain controllers at the heart of many networking infrastructure environments.

About the vulnerabilities

Four vulnerabilities were addressed:

CVE-2021-42278 Active Directory Domain Services Elevation of Privilege Vulnerability

CVE-2021-42278 is a vulnerability that could allow an attacker to elevate privileges. This vulnerability allows an attacker to impersonate a domain controller using computer account sAMAccountName spoofing. The CVSSv3 score of this vulnerability is 7.5/6.5.

An update is available for all supported Operating Systems. After installing the update, domain controllers perform additional validation checks on user and computer objects.

CVE-2021-42282 Active Directory Domain Services Elevation of Privilege Vulnerability

CVE-2021-42282 is a vulnerability that could allow an attacker to elevate privileges. This vulnerability exists in the way domain controllers verify the uniqueness of userPrincipalName values, servicePrincipalName values and servicePrincipalName aliases. This vulnerability allows an attacker to obtain delegated access by reassigning a servicePrincipalName alias that is implicitly assigned to a different account. The CVSSv3 score of this vulnerability is 7.5/6.5.

An update is available for Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012. After installing the update, SPNs are guaranteed unique in a forest, which prevents computers and domain controllers from adding duplicate SPNs. This functionality already exists in newer versions of Windows Server and is described in SPN and UPN uniqueness.

An update is available for all supported Operating Systems. After installing the update, servicePrincipalName aliases are also guaranteed unique in a forest.
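The two object-naming conditions described above (computer accounts whose sAMAccountName lacks the trailing `$`, which is what the CVE-2021-42278 spoofing relies on, and servicePrincipalName values that appear on more than one object, which the CVE-2021-42282 fix now rejects) can be audited from any domain-joined machine. The script below is an added example, not code from the original post or from Microsoft; it assumes the RSAT ActiveDirectory PowerShell module is installed and that the account running it can read the directory.

```powershell
# Added example (not from the original post): audit checks for the two conditions the
# post describes:
#   - computer objects whose sAMAccountName lacks the trailing '$' (CVE-2021-42278)
#   - servicePrincipalName values present on more than one object (CVE-2021-42282)
# Assumes the RSAT ActiveDirectory module and a domain account with read access.
Import-Module ActiveDirectory

function Find-ComputerWithoutTrailingDollar {
    # Computer objects created through the normal join process get a sAMAccountName
    # ending in '$'. Objects without it are unusual and worth reviewing, and one whose
    # name also matches a domain controller's hostname deserves immediate attention.
    $dcNames = (Get-ADDomainController -Filter *).Name |
        ForEach-Object { $_.ToUpperInvariant() }

    Get-ADObject -LDAPFilter '(objectClass=computer)' -Properties sAMAccountName, whenChanged |
        Where-Object { $_.sAMAccountName -notlike '*$' } |
        ForEach-Object {
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                sAMAccountName    = $_.sAMAccountName
                WhenChanged       = $_.whenChanged
                MatchesDCName     = $dcNames -contains $_.sAMAccountName.ToUpperInvariant()
            }
        }
}

function Find-DuplicateSpn {
    # Flatten every SPN on every object into (SPN, object) pairs, then group by SPN.
    # Group-Object compares case-insensitively by default, matching how AD treats SPNs.
    # Any group with more than one member is a duplicate that unpatched Windows Server
    # 2008/2008 R2/2012 domain controllers would have accepted.
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                [pscustomobject]@{ SPN = $spn; DistinguishedName = $dn }
            }
        } |
        Group-Object -Property SPN |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SPN     = $_.Name
                Objects = ($_.Group.DistinguishedName -join '; ')
            }
        }
}

# Run both checks and print the findings.
Find-ComputerWithoutTrailingDollar | Format-Table -AutoSize
Find-DuplicateSpn | Format-Table -AutoSize
```

Run it before and after rolling out the November 2021 updates: anything the first function reports should be explained or cleaned up, and any duplicate SPN the second function reports will have to be resolved manually, since the update only prevents new duplicates from being added.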

CVE-2021-42287 Active Directory Domain Services Elevation of Privilege Vulnerability

CVE-2021-42287 is a vulnerability that could allow an attacker to elevate privileges. This vulnerability affects the Kerberos Privilege Attribute Certificate (PAC) and allows an attacker to impersonate domain controllers. To exploit this vulnerability, a compromised domain account might cause the Key Distribution Center (KDC) to create a service ticket (ST) with a higher privilege level than that of the compromised account. An attacker accomplishes this by preventing the KDC from identifying which account the higher privilege ST is for. The CVSSv3 score of this vulnerability is 7.5/6.5.

An update is available for all supported Operating Systems. The update introduces an improved authentication process that adds new information about the original requestor to the PACs of Kerberos Ticket-Granting Tickets (TGTs). Later, when a Kerberos service ticket is generated for an account, the new authentication process verifies that the account that requested the TGT is the same account referenced in the service ticket. After installing the update, PACs will be added to the TGTs of all domain accounts, even those that previously chose to decline PACs.

The updates for the November 2021 Patch Tuesday introduce and enable the new authentication process. The updates for the July 2022 Patch Tuesday enforce the verifications based on the new process.

CVE-2021-42291 Active Directory Domain Services Elevation of Privilege Vulnerability

CVE-2021-42291 is a vulnerability that could allow an attacker to elevate privileges. To exploit this vulnerability, a user must have sufficient privileges to create a computer account, such as a user granted CreateChild permissions for computer objects. That user could create a computer account using a Lightweight Directory Access Protocol (LDAP) Add operation that allows overly permissive access to the securityDescriptor attribute. Additionally, creators and owners can modify security-sensitive attributes after creating an account. The CVSSv3 score of this vulnerability is 7.5/6.5.

An update is available for all supported Operating Systems. The update introduces two mitigations:

  1. Additional authorization verification when users without domain administrator rights attempt an LDAP Add operation for a computer-derived object.
  2. Temporary removal of the Implicit Owner privileges when users without domain administrator rights attempt an LDAP Modify operation on the securityDescriptor attribute. A verification occurs to confirm if the user would be allowed to write the security descriptor without Implicit Owner privileges.

The updates for the November 2021 Patch Tuesday introduce and enable Audit mode for the above mitigations. The updates for the April 2022 Patch Tuesday switch Audit mode to Enforcement mode.
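Both mitigations above concern non-administrators who create computer objects and then rely on creator/owner rights to rewrite security-sensitive attributes. Before the April 2022 updates switch to Enforcement mode, it helps to know how many such objects exist and who can create them. The script below is an added example, not code from the original post or from Microsoft; it assumes the RSAT ActiveDirectory module and a domain account with read access, and the list of "trusted" owners is a constructed default you should adjust to your environment.

```powershell
# Added example (not from the original post): review who can create computer accounts
# by default and which existing computer objects are owned by non-administrative
# principals, the two conditions the CVE-2021-42291 mitigations deal with.
# Assumes the RSAT ActiveDirectory module and a domain account with read access.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    # ms-DS-MachineAccountQuota is the number of computer objects any authenticated
    # user may create without an explicit CreateChild grant; 0 removes that default.
    $domain = Get-ADDomain
    (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Find-ComputerWithNonAdminOwner {
    param(
        # Constructed default: owners considered expected. Anything else is reported
        # for review, because after Enforcement mode the owner no longer gets implicit
        # rights to rewrite the security descriptor.
        [string[]] $TrustedOwner = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'SYSTEM')
    )
    Get-ADComputer -Filter * -Properties nTSecurityDescriptor, whenCreated |
        ForEach-Object {
            $sd = $_.nTSecurityDescriptor
            try {
                # Resolve the owner SID to DOMAIN\Name where possible.
                $owner = $sd.GetOwner([System.Security.Principal.NTAccount]).Value
            } catch {
                # Unresolvable SID (for example a deleted account): report the raw SID.
                $owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
            }
            $ownerName = ($owner -split '\\')[-1]
            if ($TrustedOwner -notcontains $ownerName) {
                [pscustomobject]@{
                    Name        = $_.Name
                    Owner       = $owner
                    WhenCreated = $_.whenCreated
                }
            }
        }
}

"ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota)"
Find-ComputerWithNonAdminOwner | Format-Table -AutoSize
```

Objects the second function lists are the ones whose creators' modifications will start being re-evaluated once Enforcement mode is active; reviewing them while the November 2021 updates are still in Audit mode avoids surprises in April 2022.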

Call to action

I urge you to install the necessary security updates on Windows Server installations running as Active Directory Domain Controllers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out these updates to the Windows Server installations running as (Active Directory Domain Controllers and) DNS Servers in the production environment.

Make sure all domain controllers receive the November 2021 updates before deploying the April 2022 updates (for CVE-2021-42291) and the July 2022 updates (for CVE-2021-42287). Domain Controllers that did not receive updates between November 2021 and April 2022 will no longer operate after installing the April 2022 updates.
