This week, on its Patch Tuesday for August 2022, Microsoft released a patch that addresses a critical vulnerability (CVE-2022-34691) in Active Directory Domain Services (AD DS).
About the vulnerability
An Elevation of Privilege (EoP) vulnerability exists in Active Directory Domain Services (AD DS). The vulnerability can be exploited over the network with low complexity and low privileges required.
An attacker who successfully exploited this vulnerability could gain domain administrator privileges.
Common Vulnerability Scoring
With a CVSS v3.1 score of 8.8/7.7, the vulnerability is rated Critical.
Affected Operating Systems
The following Operating Systems are vulnerable:
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server, version 20H2
A system is vulnerable only if Active Directory Certificate Services (AD CS) is running on the domain. This means that most of the commonly implemented Certification Authorities (CAs) in use today are vulnerable to attacks.
In a multi-tier Certification Authority implementation with an offline root CA, the root CA may not be vulnerable, as that server is not a member of Active Directory.
Call to action
I urge you to install the necessary security updates in a test environment as soon as possible on Windows Server installations that act as Certification Authorities (CAs) based on Active Directory Certificate Services (AD CS). Assess the risk and possible impact on your production environment, and then roll out this update to the Windows Server installations acting as AD CS-based CAs in production.
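To scope that rollout, the following added example (not part of the original post) lists the Enterprise CAs published in the forest and the updates each CA host has installed since the August 2022 Patch Tuesday. It assumes the ActiveDirectory module (RSAT), remote WMI access to the CA hosts, and 9 August 2022 as the Patch Tuesday date.

```powershell
# Added example: inventory AD CS Enterprise CAs and show updates installed
# on each CA host since the August 2022 Patch Tuesday.
# Assumptions: ActiveDirectory module (RSAT) is available and the account
# running this can query hotfixes remotely on the CA hosts.
Import-Module ActiveDirectory

$patchTuesday = Get-Date '2022-08-09'   # assumed date of the August 2022 Patch Tuesday

# Enterprise CAs publish a pKIEnrollmentService object under
# CN=Enrollment Services in the Configuration partition of the forest.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$searchBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$cas = Get-ADObject -SearchBase $searchBase `
                    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                    -Properties dNSHostName

if (-not $cas) {
    Write-Output 'No Enterprise CA is published in this forest.'
    return
}

foreach ($ca in $cas) {
    $result = [ordered]@{
        CAName      = $ca.Name
        Host        = $ca.dNSHostName
        UpdatesSince = $null
        NeedsReview = $true      # stays true until recent updates are found
        Error       = $null
    }
    try {
        # Keep only updates with an install date on or after Patch Tuesday.
        $recent = Get-HotFix -ComputerName $ca.dNSHostName -ErrorAction Stop |
            Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
            Sort-Object InstalledOn

        if ($recent) {
            $result.UpdatesSince = ($recent.HotFixID -join ', ')
            $result.NeedsReview  = $false
        }
    }
    catch {
        # Unreachable or access-denied hosts are flagged, not silently skipped.
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}
```

A host with `NeedsReview` set to false has only been shown to have some update installed since that date; compare the listed HotFix IDs with Microsoft's advisory for CVE-2022-34691 to confirm the fix itself is present.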
Further steps
This vulnerability belongs to the same family as other critical Active Directory Certificate Services NTLM Relay Vulnerabilities, like PrintNightmare (CVE-2021-1675 and CVE-2021-34527), PetitPotam (CVE-2021-36942), ShadowCoerce and DFSCoerce.
Therefore, the steps outlined for Certificate-based authentication changes on Windows domain controllers should also be performed to further secure Certification Authorities (CAs) and Domain Controllers and mitigate sign-in errors.