During its Patch Tuesday on January 11th, 2022, Microsoft addressed three Elevation of Privilege (EoP) security vulnerabilities in Active Directory components and protocols that can be attacked over the network.
About the vulnerabilities
Three vulnerabilities were addressed:
CVE-2022-21857 AD DS Elevation of Privilege Vulnerability
CVE-2022-21857 is a vulnerability that could allow an attacker to elevate privileges. This vulnerability is specific to Active Directory Domain Services environments with incoming trusts.
The CVSSv3 score of this vulnerability is 8.8/7.7 (base/temporal).
An update is available for all supported Operating Systems. Before this update is installed, an attacker could, under certain conditions, elevate privileges across the trust boundary.
CVE-2022-21913 LSA Domain Policy Remote Protocol Security Feature Bypass
CVE-2022-21913 is a vulnerability that could allow an attacker to bypass security features in the Local Security Authority’s domain policy.
This vulnerability most likely follows the same lines as Andrew Bartlett’s earlier discovery that Samba may map domain users to local users in an undesired way, especially since Proof of Concept (PoC) exploitation code is available.
The CVSSv3 score of this vulnerability is 5.3/4.8 (base/temporal).
An update is available for all supported Operating Systems.
CVE-2022-21920 Kerberos Elevation of Privilege Vulnerability
CVE-2022-21920 is a vulnerability that could allow an attacker to elevate privileges: it allows a domain user to elevate privileges to domain admin. The attack complexity for this vulnerability is rated low.
The CVSSv3 score of this vulnerability is 8.8/7.5 (base/temporal).
An update is available for all supported Operating Systems.
Call to action
I urge you to install the necessary security updates on Windows Server installations running as Active Directory Domain Controllers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out the update to the Windows Server installations running as Active Directory Domain Controllers in production.
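As an added example (not from the original post), a PowerShell inventory to scope the rollout described above: it lists the incoming trusts that put an environment in scope for CVE-2022-21857 and records the most recent update installed on each Domain Controller. It assumes the ActiveDirectory RSAT module is installed and that the account running it may query hotfixes on each DC remotely.

```powershell
# Added example, not from the original post: scope the January 2022 rollout.
# Assumes the ActiveDirectory module (RSAT) and remote hotfix query rights.
Import-Module ActiveDirectory

# CVE-2022-21857 is specific to environments with incoming trusts, so list them first.
$inboundTrusts = Get-ADTrust -Filter * |
    Where-Object { "$($_.Direction)" -in @('Inbound', 'BiDirectional') } |
    Select-Object Name, Direction, ForestTransitive, IntraForest

if ($inboundTrusts) {
    Write-Host "Incoming trusts present (in scope for CVE-2022-21857):"
    $inboundTrusts | Format-Table -AutoSize
} else {
    Write-Host "No incoming trusts found."
}

# Every DC runs the affected components (AD DS, LSA, Kerberos), so record each
# DC's OS and latest update install date; DCs without an update since the
# Patch Tuesday date in the post stand out for follow-up.
$patchTuesday = Get-Date '2022-01-11'
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_
    try {
        $latest = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1
        $state = if ($latest -and $latest.InstalledOn -ge $patchTuesday) {
            'updated since 2022-01-11'
        } else {
            'CHECK: no update installed since 2022-01-11'
        }
    } catch {
        $latest = $null
        $state = "unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        OperatingSystem  = $dc.OperatingSystem
        LatestHotFix     = $latest.HotFixID
        InstalledOn      = $latest.InstalledOn
        State            = $state
    }
} | Format-Table -AutoSize
```

The install date is only a triage heuristic: confirm the exact KB for each OS version against Microsoft's advisory for the three CVEs before marking a DC as remediated.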
Further reading
CVE-2022-21920 – Windows Kerberos Elevation of Privilege Vulnerability
CVE-2022-21857 – Active Directory Domain Services Elevation of Privilege Vulnerability
CVE-2022-21913 – Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass