Pictures of Techorama Belgium 2022

Kinepolis entrance with Techorama Las Vegas branding (click for larger photo)

Last week, I presented at Techorama Belgium 2022, the Las Vegas Edition. The event was held at Kinepolis Cinemas in Antwerp, Belgium.

After a Monday at one of my more colorful customers in Helmond, I drove to Antwerp to meet up with Aleksandar Nikolic and John Craddock to have dinner on Antwerp’s Grote Markt.

Grote Markt in Antwerpen (click for larger photo) | Parking in a Belgian garage... (click for larger photo)

After sharing steaks, I drove to the Van der Valk hotel in Antwerp where all Techorama Belgium 2022 speakers stayed.

Good Morning Honey! (click for larger photo)

During breakfast, I saw a lot of familiar faces. I had breakfast with Barbara Forbes and Evert Bleijendaal, both former colleagues at SCCT and now both working at OGD again.

Techorama 2022 Las Vegas Entrance! (click for larger photo) | John's Techorama 2022 Session (click for larger photo)

As I only presented on Wednesday, I spent my Tuesday catching up with fellow speakers, preparing for the session and visiting other people’s sessions like John’s.

We drove back to the hotel where we enjoyed an absolutely fabulous speaker dinner. It was the kind of dinner where I don’t specifically remember returning to my room… that good. Luckily, there was coffee during breakfast the next day.

Session Announcement at the entrance of Room 1 (click for larger photo)

Then, on Wednesday, straight after lunch, I presented for 60 minutes on Windows Hello for Business Hybrid Access. I explained the three hybrid access models (Key Trust, Certificate Trust and Cloud Trust) and how to apply them to all three join types (Azure AD Join, Hybrid Azure AD Join and pure domain join).

Passwords Are Bad (click for larger photo, by Evert Bleijendaal) | Animations! (click for larger photo, by Evert Bleijendaal)

After my presentation, I drove home to enjoy a long weekend off!

Thank you!

Thank you to the Techorama organization for organizing yet another successful event and inviting me as a speaker once again, and to all the people attending, sitting in on my session and, of course, the people with whom I had interesting discussions.


HOWTO: Detect Apps and Services using LDAP instead of LDAPS

LDAP integrated devices

Active Directory Domain Services (AD DS) offers many ways to integrate applications and services.

Traditionally, the Lightweight Directory Access Protocol (LDAP) has been the protocol software developers use to integrate with it. While Kerberos-based Integrated Windows Authentication (IWA) can also be used, LDAP has kept a firm foothold in software solutions, as it is also available to non-Windows and non-IIS-based solutions and can be used to integrate with other directories besides AD DS.

LDAP, however, was never designed for open networks: in the original LDAPv3 (RFC 2251), a simple bind carries the account's password in plain text. LDAP over SSL/TLS (commonly abbreviated as LDAPS, on TCP port 636) and the StartTLS extension described in RFC 2830 (2000) were introduced to address this plain-text nature of the protocol.

Many software packages that support LDAPS connect just as happily over plain LDAP, which removes the need to deal with certificates. As appealing as that sounds to AD admins, it should be avoided: the service accounts used to poke around in AD DS through LDAP often have significant privileges, and a malicious person who can Meddle in the Middle (MitM) on the network path can capture the credentials from a plain-text bind and then assert those privileges.

LDAP Channel Binding was introduced to counteract relay (MitM) attacks, but it only works when the bind travels over TLS, i.e. LDAPS. Plain LDAP should be a thing of the past: all LDAP communication to domain controllers should be LDAPS.

But how do you get insights in what accounts on what hosts communicate using plain LDAP and not LDAPS using built-in tools?

That’s the question that this blogpost tries to answer.

Note:
Using Microsoft Defender for Identity, detecting apps and services using LDAP instead of LDAPS is simple, as it ships with a built-in detection. However, the license requirements for Microsoft Defender for Identity may be considered too steep for answering just this one question.

 

Before you begin

You’ll need to meet the following requirements to detect applications, services and systems using LDAP instead of LDAPS:

Account Requirements

Sign in with an account that is a member of the Domain Admins group, or an account that has delegated permissions to:

  • Modify the registry on all domain controllers (the steps below use Windows PowerShell; if you prefer to deploy the registry value through Group Policy, you need permissions to manage Group Policy objects, or to Edit settings, or Edit settings, delete and modify security on an existing Group Policy object).
  • Read the Directory Service event log on all domain controllers within the Active Directory environment.

System requirements

Sign in to each domain controller.

 

Enabling LDAP diagnostics

Domain controllers with default settings do not log the information needed to detect plain LDAP binds. The 16 LDAP Interface Events diagnostic level needs to be raised to 2, which makes the directory service write event 2889 to the Directory Service log for every simple (clear-text) bind and every unsigned SASL bind it accepts. This can be achieved using Group Policy (as a registry preference) or using Windows PowerShell.

Perform these steps to enable LDAP Interface Events diagnostic logging using Windows PowerShell:

  1. Right-click Start.
  2. Choose Windows PowerShell (Admin) from the Start Menu to open an elevated Windows PowerShell window.
  3. Issue the following line of PowerShell (the cmdlet applies the change without asking for confirmation):

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\" -Name "16 LDAP Interface Events" -Value 2 -Type DWord

  4. Close the Windows PowerShell window.

Repeat the above steps for each domain controller in the environment.

Note:
Increasing the size of the Directory Service event log can be useful in environments with large amounts of LDAP traffic, as level 2 writes one event per unsigned bind and older events are overwritten once the log is full.

 

Detecting applications, services and systems using LDAP instead of LDAPS

Now, you can use the following lines of Windows PowerShell to detect the use of plain LDAP binds by applications, services and systems towards the domain controllers. Its output displays the unsigned binds of the last 24 hours: event 2889 is written for every simple (clear-text) bind and for every SASL bind that did not negotiate signing. Note what it does not show: SASL binds that negotiated signing and sealing (Kerberos or NTLM) over port 389 are not logged, as they do not expose credentials to the MitM described above.

$Hours = 24

$DCs = Get-ADDomainController -Filter *

$InsecureLDAPBinds = @()

ForEach ($DC in $DCs) {

    # Event 2889 is only written when 16 LDAP Interface Events is set to 2 on this DC.
    # -ErrorAction SilentlyContinue keeps a DC without matching events from aborting the loop.
    $Events = Get-WinEvent -ComputerName $DC.HostName -FilterHashtable @{LogName='Directory Service'; Id=2889; StartTime=(Get-Date).AddHours(-$Hours)} -ErrorAction SilentlyContinue

    ForEach ($Event in $Events) {

        $eventXML = [xml]$Event.ToXml()

        # Data[0] = client IP:port, Data[1] = identity that bound, Data[2] = binding type
        $Client = $eventXML.Event.EventData.Data[0]

        # Strip the source port; LastIndexOf also works for bracketed IPv6 addresses
        $IPAddress = $Client.SubString(0, $Client.LastIndexOf(":"))

        $User = $eventXML.Event.EventData.Data[1]

        Switch ($eventXML.Event.EventData.Data[2]) {
            0       { $BindType = "Unsigned SASL" }
            1       { $BindType = "Simple (clear text)" }
            Default { $BindType = "Unknown" }
        }

        $Row = "" | Select-Object DomainController, IPAddress, User, BindType, Time

        $Row.DomainController = $DC.HostName
        $Row.IPAddress = $IPAddress
        $Row.User = $User
        $Row.BindType = $BindType
        $Row.Time = $Event.TimeCreated

        $InsecureLDAPBinds += $Row
    }
}

# Out-GridView needs a desktop; on Server Core pipe to Export-Csv instead
$InsecureLDAPBinds | Sort-Object IPAddress, User -Unique | Out-GridView

 

Disabling LDAP diagnostics

As 16 LDAP Interface Events diagnostic logging consumes additional resources while it is enabled, you may want to disable the setting when you're done.

Perform these steps to disable LDAP Interface Events diagnostic logging using Windows PowerShell:

  1. Right-click Start.
  2. Choose Windows PowerShell (Admin) from the Start Menu to open an elevated Windows PowerShell window.
  3. Issue the following line of PowerShell (the cmdlet applies the change without asking for confirmation):

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\" -Name "16 LDAP Interface Events" -Value 0 -Type DWord

  4. Close the Windows PowerShell window.

Repeat the above steps for each domain controller in the environment.
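Both the enabling and the disabling section above end with "repeat on every domain controller". The function below is an added example and not code from the original post: it makes the same registry change on every domain controller remotely, from one administrative workstation, and serves both sections (level 2 switches the 2889 events on, level 0 switches them off again). It assumes the ActiveDirectory module is installed locally, that PowerShell remoting (WinRM) is reachable on the domain controllers, and that the account is an administrator on each of them. The optional -LogSizeBytes parameter grows the Directory Service log with wevtutil, as the note above suggests.

```powershell
# Added example, not code from the original post. Sets the "16 LDAP Interface Events"
# diagnostic level on every domain controller through PowerShell remoting.
# Assumes: ActiveDirectory module, WinRM access to the DCs, admin rights on each DC.
function Set-LdapInterfaceDiagnostics {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 2 = write event 2889 for every unsigned or simple bind; 0 = the default, off
        [Parameter(Mandatory)][ValidateSet(0, 2)][int]$Level,
        # Defaults to every DC in the current domain; pass -DomainController for a subset
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        # Optional: raise the Directory Service log size (e.g. 256MB) so events are not overwritten
        [int64]$LogSizeBytes = 0
    )
    $RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    $ValueName = '16 LDAP Interface Events'

    foreach ($DC in $DomainController) {
        if (-not $PSCmdlet.ShouldProcess($DC, "Set '$ValueName' to $Level")) { continue }
        Invoke-Command -ComputerName $DC -ArgumentList $RegPath, $ValueName, $Level, $LogSizeBytes -ScriptBlock {
            param($Path, $Name, $Value, $LogSize)
            $Before = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
            Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
            if ($LogSize -gt 0) { wevtutil.exe set-log 'Directory Service' "/ms:$LogSize" | Out-Null }
            # Return before/after so the change is verifiable per DC
            [pscustomobject]@{
                DomainController = $env:COMPUTERNAME
                Before           = $Before
                After            = (Get-ItemProperty -Path $Path -Name $Name).$Name
                LogMaxSizeBytes  = (Get-WinEvent -ListLog 'Directory Service').MaximumSizeInBytes
            }
        }
    }
}

# Enable on all DCs with a 256 MB log, run the detection, then switch it off again:
# Set-LdapInterfaceDiagnostics -Level 2 -LogSizeBytes 256MB
# Set-LdapInterfaceDiagnostics -Level 0
```

Because the function supports -WhatIf, `Set-LdapInterfaceDiagnostics -Level 2 -WhatIf` lists the domain controllers it would touch without changing anything; the returned Before/After values are what you check after the real run.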

 

Concluding

When you know which applications, services and/or systems connect to your domain controllers using plain LDAP binds, you can reconfigure them to use LDAPS.

This is essential before you implement the LDAP Channel Binding and LDAP Signing changes, as those changes will otherwise break exactly these applications.
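Once an application has been switched over, you want to confirm that the domain controller actually serves LDAPS with a certificate the client trusts, and you want to know where the domain controller stands on the signing and channel binding settings mentioned above. The two functions below are an added example, not code from the original post. They assume a domain-joined client, the ActiveDirectory module for the usage line, WinRM access to the domain controller for the registry read, and that $Server is the domain controller's FQDN exactly as it appears in its server certificate. The registry value names and meanings are the ones documented in ADV190023.

```powershell
# Added example, not code from the original post. Verifies an LDAPS bind with the client's
# normal certificate validation left in place, and reads the DC's LDAP signing and channel
# binding settings (ADV190023 registry values under NTDS\Parameters).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsBind {
    param(
        [Parameter(Mandatory)][string]$Server,   # FQDN; must match a name in the DC's server certificate
        [int]$Port = 636
    )
    # fullyQualifiedDnsHostName = $true: treat $Server as the exact host to validate the certificate against
    $Identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
    $Connection = New-Object System.DirectoryServices.Protocols.LdapConnection($Identifier)
    $Connection.SessionOptions.ProtocolVersion   = 3
    $Connection.SessionOptions.SecureSocketLayer = $true   # TLS from the first byte (LDAPS), not StartTLS
    $Connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # Kerberos inside TLS, no clear-text password
    $Connection.Timeout  = [TimeSpan]::FromSeconds(10)
    try {
        # Bind throws if the TLS handshake fails or the server certificate does not chain to a trusted CA.
        # Deliberately no VerifyServerCertificate callback that returns $true: that would hide the very MitM this is about.
        $Connection.Bind()
        [pscustomobject]@{ Server = $Server; Port = $Port; LdapsBind = 'OK'; Error = $null }
    } catch {
        [pscustomobject]@{ Server = $Server; Port = $Port; LdapsBind = 'FAILED'; Error = $_.Exception.Message }
    } finally {
        $Connection.Dispose()
    }
}

function Get-LdapHardeningSettings {
    param([Parameter(Mandatory)][string]$Server)
    Invoke-Command -ComputerName $Server -ScriptBlock {
        $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        # Absent values mean the pre-hardening defaults: signing negotiated (1), no channel binding (0)
        $Signing = if ($null -eq $p.LDAPServerIntegrity)       { 1 } else { [int]$p.LDAPServerIntegrity }
        $Cbt     = if ($null -eq $p.LdapEnforceChannelBinding) { 0 } else { [int]$p.LdapEnforceChannelBinding }
        [pscustomobject]@{
            DomainController          = $env:COMPUTERNAME
            LDAPServerIntegrity       = @{ 1 = 'None (signing negotiated)'; 2 = 'Require signing' }[$Signing]
            LdapEnforceChannelBinding = @{ 0 = 'Never'; 1 = 'When supported'; 2 = 'Always' }[$Cbt]
        }
    }
}

# Usage against every DC in the domain:
# Get-ADDomainController -Filter * | ForEach-Object {
#     Test-LdapsBind -Server $_.HostName
#     Get-LdapHardeningSettings -Server $_.HostName
# }
```

A FAILED result with a certificate error means the domain controller either has no server certificate with Server Authentication EKU or the client does not trust its chain; that is the problem to fix before telling application owners to switch, since otherwise they will be tempted to disable certificate validation on their side, which is no better than plain LDAP.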


The FusterCluck that is Power Platform’s Identity and Delegation model

Empower every person and every organization on the planet to achieve more.

Recently, I had some experiences with the Power Platform. As an identity guy, I was appalled at what I found as Microsoft’s identity and delegation model for these services. Let me tell you why.

 

About the Power Platform

Microsoft’s Power Platform consists of four distinct products and services:

  1. Power BI
    Through dashboards, Power BI can present information in a flexible and automatically updated way, based on data from several sources, including Azure databases and Microsoft 365 resources
  2. Power Apps
    Based on templates and low code development resources, people in organizations can build their own apps that interact with Microsoft 365 resources. One of the more popular templates was the room booking app. It interacts with room resources in Exchange Online.
  3. Power Automate
    Organizational processes can be automated using flow charts that can be triggered manually or run automatically based on triggers to interact with Microsoft 365 services.
  4. Power Virtual Agents
    Chatbots can be delivered to have automated conversations with employees and customers.

The four products and services have in common that they require no coding experience and that they easily interact with Microsoft 365 resources and services.

 

Identity and Delegation within the Power Platform

All this goodness comes at a price: the products and services in the Power Platform that I had experiences with (this excludes Power Virtual Agents) are geared towards increasing personal productivity. Herein lies the problem: there is no underpinning identity model that allows for delegation.

When talking about Power Apps and Power Automate specifically, the Azure AD account that is used to create the apps and flows becomes the owner of the resource. To interact with Microsoft 365 resources, that account needs the license to do so. Interacting with a calendar, for instance, requires at least an Exchange Online Plan 1 user license. When an exclusion in Conditional Access policies is needed and resources in Exchange Online, SharePoint Online and Teams are accessed, a Microsoft 365 E3 license soon comes into the picture.

This is ideal for personal productivity, but it poses a problem when the organization publishes the Power App to the entire organization, the owner of the Power App leaves the organization and, understandably, admins remove the license and/or the Azure AD account of the owner. In those cases, functionality breaks.

 

Microsoft’s advice

Microsoft empowers every person and every organization on the planet to achieve more and advises creating a separate service account for its Power Platform products and services to avoid the above situation. Organizations have incorporated checks to ensure no organization-wide Power Platform functionality breaks when a person (or consultant) leaves the organization.

How it should be

Azure and Azure AD are mature solutions that include an identity and delegation model that works:

When third-party code runs against Azure or Microsoft 365 resources, a service principal is the way to go. It can't be used interactively and it can be assigned and/or delegated API permissions.

When Microsoft services interact with other Microsoft services, the managed identity is the way to go. It's tied to the Microsoft service and can be allowed access to only the Azure and Microsoft 365 resources it needs.

I'll admit this model isn't 100% in place today, but it's getting there.

How it is

The Power Platform breaks with this entire model. It relies on user accounts for managing things and its delegation capabilities offer only standard functionality.

 

My opinion

I feel Power Platform’s Identity and Delegation model is out of this world. I feel Microsoft should introduce a mature identity and delegation model that aligns with the other products and services Microsoft offers.


An Out of Band Update resolves the Authentication issues introduced by the May 10 2022 Windows Updates

Windows Repair

Ever since the news broke that the May 2022 Windows Updates cause Active Directory Authentication Failures in environments where certificate-based authentication is in use, many organizations have held off on installing these updates on their domain controllers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) even went as far as advising against installing the updates on domain controllers, despite these updates addressing an LSA Spoofing vulnerability (Important, CVE-2022-26925, CVSSv3 8.1-9.8) and 10 LDAP Remote Code Execution vulnerabilities (Critical, CVSSv3 8.8-9.8).

I feel not installing updates is a no-go. Therefore, based on the information provided by Arian van der Pijl, I audited some Active Directory environments using the following two lines of Windows PowerShell, which list every computer and user object that has an explicit certificate mapping in its altSecurityIdentities attribute:

Get-ADComputer -Filter {altSecurityIdentities -Like "*"} -Properties altSecurityIdentities | Select sAMAccountName, altSecurityIdentities

Get-ADUser -Filter {altSecurityIdentities -Like "*"} -Properties altSecurityIdentities | Select sAMAccountName, altSecurityIdentities

That ruled out authentication issues for most organizations, yet some customers were expecting major issues. They had to wait for an update to address the issue before they could install the May 2022 Windows Updates.

Out of Band Update

Today, Microsoft released Windows Updates to address the issue that causes authentication failures for some services on a server or client after you install the May 10, 2022 update on domain controllers. These services include:

The issue affects how the domain controller manages the mapping of certificates to machine accounts. This issue only affects servers that are used as domain controllers.

The following updates are available:

Concluding

Admins of environments with domain controllers that are (or are feared to be) affected by the authentication issues caused by the May 10th, 2022, Windows Updates, or who have rolled back the May 10th, 2022, Windows Updates, may install those updates followed by the out-of-band updates above.


I’m speaking at NIC X

For its tenth edition, the annual Nordic Infrastructure Conference (NICConf) has invited Raymond Comvalius and me to deliver a session again. It's our sixth edition of this fantastic event and we're looking forward to it!

About the Nordic Infrastructure Conference

The Nordic Infrastructure Conference (NICConf) provides IT and business professionals with unmissable networking and learning experiences from the leading Global IT experts.

NIC is the industry’s foremost collaboration and learning event offering global best in class content and structure, delivered by some of the leading technical IT speakers in the world. The main focus is on Cloud technology, automation & management, security, client & server, collaboration and productivity & analytics.

NICConf will be hosted for the seventh time from May 31st to June 2nd, 2022. Its location will be the Oslo Spektrum in the heart of Oslo, Norway, again.

About our session

Raymond and I deliver a 60-minute session:

Properly securing Azure AD Connect and Azure AD Connect Cloud Sync

Wednesday June 1st, 4PM – 5PM CEST, Room 6

You've probably heard of the Active Directory tiering model and the ways to hack Azure AD Connect's database. But running Azure AD Connect and Azure AD Connect Cloud Sync in a highly secure networking environment with proxies and high-availability requirements raises questions of its own.

Join Raymond Comvalius and me in this session to learn how to implement Azure AD Connect Sync or Azure AD Connect Cloud Sync in a secure way and how to monitor and audit it for proper security. Even when you’re not a security professional, you’ll find that the demos in this session make perfect sense.

Join us!

RELATED BLOGPOSTS

Pictures of the 2020 Nordic Infrastructure Conference
I'm speaking at the 2020 Nordic Infrastructure Conference
Pictures of NIC Future Edition
I'm speaking at NIC Future Edition
Pictures of the 2017 Nordic Infrastructure Conference in Oslo last week
I'm speaking at the 2017 Nordic Infrastructure Conference
Pictures of the 2015 Nordic Infrastructure Conference
I will be speaking at Nordic Infrastructure Conference 4th Edition
Pictures of the 2014 Nordic Infrastructure Conference
I will be speaking at NIC 2014


Identity-related sessions at Microsoft Build 2022

Microsoft Build 2022

Microsoft organizes Microsoft Build 2022 as a free digital event between Monday May 24th 5 PM CEST and Thursday May 26th 11 AM CEST.

Microsoft Build is Microsoft’s annual conference event, aimed at software engineers and web developers using Windows, Microsoft Azure and other Microsoft technologies. First held in 2011, it serves as a successor for Microsoft's previous developer events, the Professional Developers Conference (PDC) and MIX.

During Build 2022, you can enjoy the following general and Identity-related sessions:

On demand sessions

ODBRK04 Build the SOC of the future with the Azure AD Identity Protection APIs

Speakers: Etan Basseri and Sarah Handler

Your security operations center ingests lots of data, but how can you pinpoint the most important identity-based attacks? Using Azure AD Identity Protection's API collections, you can identify risky users and workload identities, view details on risk detections, and even dismiss risk or confirm compromised accounts. In this session you will learn how easy it is to use our API collections to manage identity risk directly from the tool of your choice.

OD120 More secure, and resilient, apps built on Azure AD Continuous Access Evaluation

Speaker: Kyle Marsh

Continuous Access Evaluation, CAE, allows access to an API, resource, protected by Azure AD to be revoked in near real time. Instead of a fixed time-based access, CAE access can be based on security events like the user's password changing, MFA being applied, or even the user changing their location. In this session we will demonstrate building a client app with CAE support. We also discuss the evolution of CAE going forward.

Break-out Sessions

BRK105 Creating secure identities for apps using the Microsoft identity platform

Speakers: Saeed Akhter and Nick Gomez
Date: Wednesday, May 25 6PM – 6:35PM CEST

A key to creating secure apps is managing the identities in those apps.  Users must feel confident that the apps they use, manage identities for authentication and authorization securely.  That’s where the Microsoft identity platform can help, and it is designed to make managing identities easier with standards compliant authentication, open-source libraries, and application management tools.  Attend this session to discover how to add authentication to your app, learn about delegated permissions, and understand application permissions.

Product Roundtables

PRT152 Let's make secrets invisible for Developers

Speakers: Varun Karandikar, Jack Lichwa, Eoin Shanley and Rajeev Vijan
Date: Wednesday, May 25 5PM – 6PM CEST

Secrets are like radioactive materials. They must be handled with extreme care. No one should be managing them. In this session, we will discuss how we’re on a mission to make secrets invisible to the developers with technologies like Managed Identities on Azure resources, Azure Key vault and workload identity federation.

PRT153 Improvements to the Azure Active Directory application model and API

Speakers: Suresh Jayabalan and Philippe Signoret
Date: Wednesday, May 25 6PM – 7PM CEST

We are looking to improve the Azure AD application model. If you're an ISV/developer experienced with registering applications or an admin managing application instances (i.e. service principals) in your tenant, and you want to provide feedback on the next generation application model, we'd love to work with you and learn your pain points to shape up the v.Next of the application model and API.

An Azure AD application is defined by its application object, which resides in the Azure AD tenant where the application was registered. As a developer, you've used the Azure App registrations portal or the Microsoft Graph application API to register and configure application objects. You may have encountered specific issues such as the inability to group programs or the addition of non-identity configurations. In every tenant where the application is used, a service principal is created. As an administrator, you manage apps in your tenant by configuring service principals in your tenant, such as assigning users to the apps.

If this resonates with you, we would love to talk to you! We are in the very early stage of evolving the application model and we would love to talk to the developer audience at //build to get your thoughts.


The May 2022 Windows Updates may cause Active Directory Authentication Failures

The May 2022 updates for all supported versions of Windows Server may cause Active Directory authentication failures. Microsoft is investigating the issue. A workaround is available for organizations experiencing issues.

The situation

The Windows updates of May 10th, 2022, address several vulnerabilities on Domain Controllers, including the ten LDAP Remote Code Execution vulnerabilities (Critical, CVSSv3 up to 9.8) and a zero-day LSA Spoofing vulnerability (Important, CVE-2022-26925, CVSSv3 8.1-9.8). Another vulnerability addressed in these updates is CVE-2022-26923 (discovered by security researcher Oliver Lyak and dubbed Certifried).

Microsoft has urged Active Directory admins to update Domain Controllers as soon as possible.

The updates were released for all supported Windows Server versions:

  1. KB5014010 or KB5014006 for Windows Server 2008
  2. KB5014012 or KB5013999 for Windows Server 2008 R2
  3. KB5014017 or KB5014018 for Windows Server 2012
  4. KB5014011 or KB5014001 for Windows Server 2012 R2
  5. KB5013952 for Windows Server 2016
  6. KB5013941 for Windows Server 2019
  7. KB5013944 for Windows Server 2022

However, when the May 2022 Windows updates are installed on Domain Controllers relying on certificate authentication, authentication failures may occur.

The issue

Admins are sharing reports that they are experiencing errors such as:

Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing account or the password was incorrect.

The cause

The Windows updates of May 10th, 2022, when installed on domain controllers, cause these issues, as described by Microsoft in KB5014754:

CVE-2022-26931 and CVE-2022-26923 address elevation of privilege (EoP) vulnerabilities that may occur when the Kerberos Distribution Center (KDC) services a certificate-based authentication request. Before the May 10th, 2022, security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name. This allowed related certificates to be emulated (spoofed) in various ways. Additionally, conflicts between userPrincipalName and sAMAccountName attributes introduced other emulation (spoofing) vulnerabilities that Microsoft also addressed with this security update.

When an administrator installs the May 10, 2022 Windows updates, domain controllers run in compatibility mode for these measures:

  1. If a certificate can be strongly mapped to a user, based on the X509IssuerSerialNumber, X509SKI or X509SHA1PublicKey mappings for the altSecurityIdentities attribute, authentication will occur as expected.
  2. If a certificate can only be weakly mapped to a user, based on the X509IssuerSubject or X509SubjectOnly mappings for the altSecurityIdentities attribute, authentication will still occur as expected, but a warning will be logged. The exception is a certificate that predates the user account: in that case, authentication fails and an error is logged.

Microsoft will move all devices to full enforcement mode for these measures by May 9, 2023.

The workaround

The May 2022 Windows updates introduce the StrongCertificateBindingEnforcement registry value under HKLM\SYSTEM\CurrentControlSet\Services\Kdc, which controls the enforcement mode of the Key Distribution Center (KDC): 0 disables the new checks, 1 (the behavior when the value is absent) is compatibility mode and 2 is full enforcement. While manually setting this value to 0 makes the encountered errors go away, it also re-opens the vulnerability. Also, Microsoft removes the registry value and its functionality on February 14th, 2023.

While Microsoft is working on a solution, Active Directory admins can use a workaround by manually mapping certificates to users in Active Directory using the altSecurityIdentities attribute of the user's object, preferably with one of the strong mapping types listed above. For more information, use the information in HowTo: Map a user to a certificate via all the methods available in the altSecurityIdentities attribute on Microsoft Docs.
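The two Get-AD* audit lines in the out-of-band update post earlier on this page only tell you which accounts carry altSecurityIdentities values; they do not tell you whether those values are strong or weak mappings in the sense of the list above. The functions below are an added example, not Microsoft's code or the original post's: they classify each value according to the mapping types in KB5014754, report which StrongCertificateBindingEnforcement mode a domain controller's KDC is in, and build the strong X509IssuerSerialNumber form from a certificate (issuer DN with its RDNs in reverse order, serial number in reverse byte order). They assume the ActiveDirectory module and WinRM access to the domain controller; the sample mapping strings at the bottom are constructed for illustration, and the issuer DN handling assumes the issuer name contains no escaped commas.

```powershell
# Added example, not Microsoft's code or the original post's. Classifies altSecurityIdentities
# values per KB5014754, reads the KDC enforcement mode and builds a strong mapping string.
function Get-CertificateMappingStrength {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Mapping)
    process {
        # Strong: <I>..<SR>, <SKI>, <SHA1-PUKEY>. Weak: <I>..<S>, <S>, <RFC822>.
        switch -Regex ($Mapping) {
            '^X509:<I>[^<]+<SR>[0-9A-Fa-f]+$' { $Type = 'X509IssuerSerialNumber'; $Strength = 'Strong'; break }
            '^X509:<SKI>[0-9A-Fa-f]+$'        { $Type = 'X509SKI';                $Strength = 'Strong'; break }
            '^X509:<SHA1-PUKEY>[0-9A-Fa-f]+$' { $Type = 'X509SHA1PublicKey';      $Strength = 'Strong'; break }
            '^X509:<I>[^<]+<S>[^<]+$'         { $Type = 'X509IssuerSubject';      $Strength = 'Weak';   break }
            '^X509:<S>[^<]+$'                 { $Type = 'X509SubjectOnly';        $Strength = 'Weak';   break }
            '^X509:<RFC822>[^<]+$'            { $Type = 'X509RFC822';             $Strength = 'Weak';   break }
            default                           { $Type = 'Unrecognized';           $Strength = 'Unknown' }
        }
        [pscustomobject]@{ Mapping = $Mapping; Type = $Type; Strength = $Strength }
    }
}

function Get-WeakCertificateMappings {
    # Same objects as the two Get-AD* audit lines, with every value classified. Weak ones are the
    # accounts that break under full enforcement (or earlier, if the certificate predates the account).
    $Objects = @(Get-ADUser     -Filter 'altSecurityIdentities -like "*"' -Properties altSecurityIdentities) +
               @(Get-ADComputer -Filter 'altSecurityIdentities -like "*"' -Properties altSecurityIdentities)
    foreach ($Obj in $Objects) {
        foreach ($Value in $Obj.altSecurityIdentities) {
            $Result = Get-CertificateMappingStrength -Mapping $Value
            [pscustomobject]@{ sAMAccountName = $Obj.sAMAccountName; Type = $Result.Type; Strength = $Result.Strength; Mapping = $Value }
        }
    }
}

function Get-KdcCertificateBindingMode {
    param([string]$DomainController = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
        $Mode = (Get-ItemProperty -Path $Path -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
        if ($null -eq $Mode) { $Mode = 1 }   # value absent = compatibility mode after the May 2022 update
        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            Mode             = @{ 0 = 'Disabled (weak mappings accepted, vulnerable)'; 1 = 'Compatibility'; 2 = 'Full enforcement' }[[int]$Mode]
        }
    }
}

function New-IssuerSerialMapping {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # <I> takes the issuer DN with its RDNs in reverse order; <SR> the serial number in reverse byte order.
    # Assumption: the issuer DN contains no escaped commas, so a plain split is safe.
    $Rdns = $Certificate.Issuer -split ',\s*'
    [array]::Reverse($Rdns)
    $Hex = $Certificate.SerialNumber          # big-endian hex as shown in the certificate UI
    if ($Hex.Length % 2) { $Hex = '0' + $Hex }
    $Reversed = -join @(for ($i = $Hex.Length - 2; $i -ge 0; $i -= 2) { $Hex.Substring($i, 2) })
    "X509:<I>$($Rdns -join ',')<SR>$Reversed"
}

# Constructed sample values (not taken from a real directory):
'X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<SR>1200000000AC11000000002B',
'X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<S>CN=Bob,OU=UserAccounts,DC=contoso,DC=com',
'X509:<RFC822>bob@contoso.com' | Get-CertificateMappingStrength | Format-Table

# Against a live environment (dc01.contoso.com is a hypothetical name):
# Get-WeakCertificateMappings | Where-Object Strength -ne 'Strong'
# Get-KdcCertificateBindingMode -DomainController dc01.contoso.com
# Get-ChildItem Cert:\CurrentUser\My | Select-Object -First 1 | ForEach-Object { New-IssuerSerialMapping $_ }
```

The list of weak mappings is the work list for the workaround: each of those accounts needs a strong value added (the attribute is multi-valued, so the weak one can stay until the new one is verified), and the KDC mode tells you how much time you have before the weak ones stop working.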


I’m speaking at Techorama Belgium 2022

Techorama Belgium 2022

I’m proud to share that I’ll be presenting at Techorama Belgium for the fourth time as an accepted speaker for Techorama Belgium 2022.

About Techorama

Techorama Belgium is a yearly international technology conference that takes place at Kinepolis Metropolis Antwerp. Techorama welcomes 1700 attendees, a healthy mix between developers, IT Professionals, Data Professionals and SharePoint professionals. Techorama’s commitment is to create a unique conference experience with quality content and the best speaker line-up.

Techorama Belgium 2022 is held from May 23, 2022 to May 25, 2022 and includes awesome keynotes and sessions by Richard Campbell, John Craddock, Peter Daalmans, Ronny de Jong, Johan Delimon, Barbara Forbes, Luise Freese, Martina Grom, Rasmus Hald, Robert Hedblom, Pim Jacobs, Tom Janetscheck, Wim Matthyssen, Aleksandar Nikolic, Mustafa Toroman, Kenneth van Surksum, Sam Vanhoutte, Dieter Wijckmans and many others.

About my session

I’m presenting a 60-minute session as part of the Modern Workplace track:

Windows Hello for Business Hybrid Access: How Does It Work Under The Covers?

Wednesday May 25, 2022 1:45PM-2:45PM, Room 1

As weak, stolen and cracked passwords are at the root of 80% of cybersecurity incidents, Passwordless has the potential to change the world.

Under the covers, Windows Hello for Business, Microsoft's Passwordless solution, has already changed the authentication paradigm for Active Directory. Regardless of the device being domain-joined, hybrid Azure AD-joined or Azure AD-joined, you can access organizational resources without specifying credentials.

In this session, I’ll explain how Windows Hello works in all three scenarios and what you need to get it going for your organization.

Join us!

Techorama Belgium 2022 offers tickets for the workshops on May 23rd, the sessions on May 24th and May 25th and combi tickets for both. You can buy tickets here.

FURTHER READING

Identity-related sessions at Techorama Belgium 2021 Spring Edition
Pictures of Techorama Belgium 2019
I'm speaking at Techorama Belgium 2019
Pictures of Techorama Belgium 2018
I'm speaking at Techorama Belgium 2018
Pictures of Techorama 2017
I'm speaking at Techorama Belgium 2017


The May 2022 Patch Tuesday addresses an LSA Spoofing vulnerability (Important, CVE-2022-26925, CVSSv3 8.1-9.8)

Windows Server

When looking at the May 2022 Patch Tuesday today, I noticed an update that specifically addresses an LSA Spoofing vulnerability. This vulnerability is specific to Domain Controllers (in the default configuration), so this sparked my interest in the update.

About the vulnerability

A spoofing vulnerability exists in the Windows Local Security Authority (LSA). This vulnerability is described in detail in CVE-2022-26925.

To exploit this vulnerability, an unauthenticated attacker could call a method on the LSARPC interface and coerce the Domain Controller to authenticate to the attacker using NTLM. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim in order to read or modify network communications. This is commonly referred to as a Meddler-in-the-Middle (MitM) attack.

The Common Vulnerability Scoring System (CVSS) v3 score of this vulnerability on its own is 8.1 (base) / 7.1 (temporal), but the combined score rises to 9.8 when it is chained with the NTLM Relay Attacks on Active Directory Certificate Services (AD CS) outlined in KB5005413: the coerced NTLM authentication of the domain controller can be relayed to AD CS to obtain a certificate for the domain controller's account.

Raphael John of Bertelsmann Printing Group responsibly disclosed this vulnerability to Microsoft.

About the update

The update detects anonymous connection attempts in LSARPC and disallows them. Additionally, Microsoft recommends following the information in ADV210003 Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) to further protect the AD CS environment.

Affected Operating Systems

The vulnerability exists in all supported Windows and Windows Server Operating Systems. Although support for Windows Server 2008 and Windows Server 2008 R2 has ended, Microsoft has made updates available for all Windows Server platforms.

Known Issues

After installing this update on Domain Controllers, backups taken from systems running Windows Server 2008 (with Service Pack 2) and Windows Server 2008 R2 may fail.

Microsoft recommends contacting the manufacturer of your backup software for updates and support after installing the updates that address this vulnerability.

 

Call to Action

I urge you to install the necessary security updates on Domain Controllers, in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this update to Windows Server installations, running as Domain Controllers, in the production environment.


The May 2022 Patch Tuesday addresses 10 LDAP Remote Code Execution vulnerabilities (Critical, CVSSv3 9.8)

Windows Server

When looking at the May 2022 Patch Tuesday today, I noticed ten updates that specifically address Remote Code Execution (RCE) vulnerabilities in Windows LDAP. These vulnerabilities are specific to Domain Controllers (in the default configuration), so this sparked my interest in these updates.

Ten Windows LDAP RCE vulnerabilities

Ten Windows LDAP remote code execution vulnerabilities were addressed:

  1. CVE-2022-22012 Windows LDAP Vulnerability (CVSSv3 9.8/8.5)
  2. CVE-2022-22013 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
  3. CVE-2022-22014 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
  4. CVE-2022-29128 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
  5. CVE-2022-29129 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
  6. CVE-2022-29130 Windows LDAP Vulnerability (CVSSv3 9.8/8.5)
  7. CVE-2022-29131 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
  8. CVE-2022-29137 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
  9. CVE-2022-29139 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
  10. CVE-2022-29141 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)

These vulnerabilities all allow remote code execution on Domain Controllers over the network. For most of the above vulnerabilities, the attacker or targeted user would need an authenticated normal user account. The attacker would send a specially crafted request to a vulnerable Domain Controller. Successful exploitation could result in the attacker's code running in the context of the SYSTEM account.

As the Common Vulnerability Scoring System (CVSS) v3 score of two of these vulnerabilities is 9.8/8.5, the May 2022 cumulative update should be considered a Critical update for Domain Controllers.

Affected Operating Systems

Most of the above vulnerabilities exist in all supported Windows and Windows Server Operating Systems. Although support for Windows Server 2008 and Windows Server 2008 R2 has ended, Microsoft has made updates available for all Windows Server platforms.

CVE-2022-29130 and CVE-2022-22012 are only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable.

CVE-2022-29131 only applies to Domain Controllers running Windows Server 2019, Windows Server, version 20H2 and Windows Server 2022.
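Whether the two 9.8-rated vulnerabilities are exploitable in your forest therefore comes down to one setting: the MaxReceiveBuffer LDAP policy, which lives as a "Name=Value" string in the lDAPAdminLimits attribute of the query policy objects under the Configuration partition (the "Default Query Policy" applies to every domain controller unless a custom one is assigned). The functions below are an added example, not code from the original post: they parse lDAPAdminLimits and flag a MaxReceiveBuffer above its built-in default of 10485760 bytes. They assume the ActiveDirectory module and read access to the Configuration partition; the sample attribute values at the bottom are constructed.

```powershell
# Added example, not code from the original post. Flags a MaxReceiveBuffer above the default
# of 10485760 bytes, the precondition for CVE-2022-22012 and CVE-2022-29130.
function ConvertFrom-LdapAdminLimits {
    # lDAPAdminLimits is a multi-valued attribute of "Name=Value" strings; absent names use built-in defaults
    param([string[]]$Limits)
    $Table = @{}
    foreach ($Entry in $Limits) {
        $Name, $Value = $Entry -split '=', 2
        $Table[$Name] = [int64]$Value
    }
    $Table
}

function Get-LdapQueryPolicyLimit {
    param(
        [string]$Name = 'MaxReceiveBuffer',
        [int64]$Default = 10485760    # built-in default when the entry is absent
    )
    $ConfigNC  = (Get-ADRootDSE).configurationNamingContext
    $Container = "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$ConfigNC"
    # Every queryPolicy object is checked, not only "Default Query Policy": a custom policy may be
    # assigned to a single site or DC through the queryPolicyObject attribute of its NTDS Settings
    $Policies = Get-ADObject -SearchBase $Container -Filter 'objectClass -eq "queryPolicy"' -Properties lDAPAdminLimits
    foreach ($Policy in $Policies) {
        $Limits = ConvertFrom-LdapAdminLimits -Limits $Policy.lDAPAdminLimits
        $Value  = if ($Limits.ContainsKey($Name)) { $Limits[$Name] } else { $Default }
        [pscustomobject]@{
            QueryPolicy = $Policy.Name
            Limit       = $Name
            Value       = $Value
            Default     = $Default
            Exploitable = ($Value -gt $Default)
        }
    }
}

# Constructed sample of what lDAPAdminLimits holds on a DC where the buffer was raised:
$Sample = 'MaxReceiveBuffer=20971520', 'MaxPageSize=1000', 'MaxQueryDuration=120'
(ConvertFrom-LdapAdminLimits -Limits $Sample)['MaxReceiveBuffer'] -gt 10485760

# Against a live forest:
# Get-LdapQueryPolicyLimit | Format-Table
```

A raised MaxReceiveBuffer is usually the leftover of a past attempt to make some application's oversized LDAP requests work; if a policy shows Exploitable = True, find out which application needed it before lowering it back, and treat the May 2022 update for those domain controllers as Critical rather than Important in the meantime.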

Call to Action

I urge you to install the necessary security updates on Domain Controllers, in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this update to Windows Server installations, running as Domain Controllers, in the production environment.
