The January 2023 updates address Two LDAP vulnerabilities affecting Domain Controllers


When looking at the January 10, 2023, cumulative updates (1B23) for Windows Server today, I noticed that they address two vulnerabilities in Windows Lightweight Directory Access Protocol (LDAP): a Remote Code Execution (RCE) vulnerability and a Denial of Service (DoS) vulnerability. Both vulnerabilities are specific to Domain Controllers (in the default configuration), so these updates sparked my interest.

 

About the vulnerabilities

CVE-2023-21676 LDAP Remote Code Execution Vulnerability

CVE-2023-21676 is a vulnerability in the Windows implementation of the Lightweight Directory Access Protocol (LDAP) that could allow an authenticated adversary to achieve remote code execution on Windows Server installations configured as Domain Controllers. The attack vector is the network and the attack complexity is low.

The CVSSv3 score of this vulnerability is 8.8 (base) / 7.7 (temporal).

The vulnerability was responsibly disclosed by Microsoft Offensive Research and Security Engineering (MORSE).

 

CVE-2023-21557 LDAP Denial of Service Vulnerability

CVE-2023-21557 is a vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) that could allow an unauthenticated adversary to bypass a buffer length check, which could be leveraged to achieve an information leak. All that is required is that a specially crafted request is sent to a vulnerable Domain Controller over the network; no credentials are needed.

The CVSSv3 score of this vulnerability is 7.5 (base) / 6.5 (temporal).

The vulnerability was responsibly disclosed by Microsoft Offensive Research and Security Engineering (MORSE).

 

Affected Operating Systems

The above vulnerabilities exist in all supported Windows and Windows Server Operating Systems.

Although mainstream and extended support for Windows Server 2008 and Windows Server 2008 R2 has ended, Microsoft has made updates available for these platforms through the Extended Security Update (ESU) program. The January 10, 2023, updates are the last ESU updates for these platforms.

 

Call to Action

I urge you to install the necessary security updates on Domain Controllers in a test environment as soon as possible, assess the risk and the possible impact on your production environment, and then roll the update out to the Windows Server installations running as Domain Controllers in your production environment.
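To see which Domain Controllers have actually received the 1B23 update before and after a rollout, here is an added PowerShell example; it is not code from the original post. It assumes the ActiveDirectory RSAT module is available, that the account running it may query Win32_QuickFixEngineering on each DC remotely (Get-HotFix uses WMI/DCOM), and that $PatchDay is the release date you want to verify against.

```powershell
# Added example, not code from the original post. Lists every Domain Controller
# in the forest with its newest installed update, so DCs that are still missing
# the January 10, 2023 (1B23) update stand out.
# Assumptions: ActiveDirectory module, WMI/DCOM access to each DC for Get-HotFix,
# and $PatchDay as the release date to check against.
Import-Module ActiveDirectory

$PatchDay = Get-Date -Date '2023-01-10'

# Enumerate DCs across every domain in the forest, not only the current domain.
$dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

$report = foreach ($dc in $dcs) {
    $row = [ordered]@{
        DC               = $dc.HostName
        Site             = $dc.Site
        OS               = $dc.OperatingSystem
        LatestUpdate     = $null
        InstalledOn      = $null
        PatchedSince1B23 = $false
        # Windows Server 2008 / 2008 R2 received their last ESU update with 1B23.
        LastESUUpdate    = ($dc.OperatingSystem -match 'Server 2008')
        Error            = $null
    }
    try {
        # Newest entry in the QuickFixEngineering list; cumulative updates show up here.
        $latest = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                  Where-Object { $_.InstalledOn } |
                  Sort-Object InstalledOn -Descending |
                  Select-Object -First 1
        if ($latest) {
            $row.LatestUpdate     = $latest.HotFixID
            $row.InstalledOn      = $latest.InstalledOn
            # A DC whose newest update predates patch day has not received 1B23.
            $row.PatchedSince1B23 = ($latest.InstalledOn -ge $PatchDay)
        }
    }
    catch {
        # Unreachable DCs are reported rather than silently skipped.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

# Unpatched or unreachable DCs sort first; those are the ones to schedule.
$report | Sort-Object PatchedSince1B23, DC | Format-Table -AutoSize
```

InstalledOn only proves that something was installed on or after patch day. Cross-check the HotFixID against the KB number the Microsoft Security Update Guide lists for CVE-2023-21676 and CVE-2023-21557 for that DC's operating system, especially on Windows Server 2012 R2, where the Monthly Rollup and the Security-Only update are separate packages.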

4 Responses to The January 2023 updates address Two LDAP vulnerabilities affecting Domain Controllers

  1.  

Hi! Do the January 2023 updates for Domain Controllers cover the updates and changes that were addressed in the November 2022 and December 2022 updates?
    I'm trying to see if it's safe to install on Domain Controllers running Windows Server 2012 R2 and Windows Server 2019…

    • Hi Erik,

      Yes.

      The January 2023 cumulative updates for Windows Server 2012 R2 and Windows Server 2019 include all the updates and changes of previous updates. Please note that for CVE-2022-37967, Domain Controllers will be configured for the second deployment phase (Audit mode).

      For Windows Server 2019, only cumulative updates are available. For Windows Server 2012 R2 there are also other updates available that may or may not include all changes.

       
  2.  

    Hi Sander,

Thanks for the reply. One more question if you do not mind. Is the phased approach Microsoft is taking with the Kerberos updates/changes going to be to 1) add new PAC signatures, then 2) put the DCs into Audit mode? At this point, Sys Admins need to see what could be problematic.

    What I want to be sure of is that the January updates will not break Kerberos on apps in my Prod environment. I updated my Lab, but obviously it is not a true 1-to-1 to my Prod.

    • Hi Eric,

      Indeed.
      The previously mentioned link contains the current thinking of Microsoft's phased approach.

      The next update that changes things in the context of CVE-2022-37967 is currently scheduled to be a part of the April 2023 Cumulative updates for Windows Server. At that time, Microsoft removes the ability to disable PAC signature addition by configuring the KrbtgtFullPacSignature subkey in registry with a value of 0.
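As an added example outside the comment thread (not code from the post or from either commenter): a PowerShell query that reads the KrbtgtFullPacSignature value on every Domain Controller and maps it to the CVE-2022-37967 deployment phase it selects, so you can see where each DC stands before the April 2023 change. It assumes the ActiveDirectory module, PowerShell remoting to each DC, and the value meanings from Microsoft's KB5020805 guidance (0 disabled, 1 add signatures, 2 Audit mode, 3 Enforcement mode); verify those against the current guidance before acting on the output.

```powershell
# Added example, not code from the post or the comment thread. Reports the
# KrbtgtFullPacSignature registry value of every Domain Controller in the domain
# and the CVE-2022-37967 phase that value selects.
# Assumptions: ActiveDirectory module, PowerShell remoting to each DC, and the
# value meanings documented in KB5020805 (check against current guidance).
Import-Module ActiveDirectory

$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$Phase  = @{
    0 = 'Disabled: full PAC signatures not added (option removed by a later update)'
    1 = 'New signatures added, not verified'
    2 = 'Audit mode: signatures added and verified, failures only logged'
    3 = 'Enforcement mode: tickets without a valid signature are rejected'
}

$result = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $value = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            # Missing key or value yields $null rather than an error.
            $item = Get-ItemProperty -Path $using:KdcKey -Name KrbtgtFullPacSignature -ErrorAction SilentlyContinue
            if ($item) { $item.KrbtgtFullPacSignature } else { $null }
        }
        if ($null -eq $value) {
            $configured = '(not set)'
            $phase      = 'Default for the installed update level'
        }
        elseif ($Phase.ContainsKey([int]$value)) {
            $configured = $value
            $phase      = $Phase[[int]$value]
        }
        else {
            $configured = $value
            $phase      = 'Unknown value'
        }
    }
    catch {
        # Report unreachable DCs instead of skipping them.
        $configured = 'unreachable'
        $phase      = $_.Exception.Message
    }
    [pscustomobject]@{
        DC                     = $dc.HostName
        KrbtgtFullPacSignature = $configured
        Phase                  = $phase
    }
}

$result | Format-Table -AutoSize
```

A DC that reports "(not set)" runs in whatever phase its installed update level selects, which, per the reply above, is Audit mode once the January 2023 update is installed. A DC that reports 0 has signature addition switched off and will lose that setting with the April 2023 update mentioned above, so it deserves attention now rather than then.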

       
