Patch these 2 Active Directory flaws to prevent the takeover of Windows domains

Pierluigi Paganini December 21, 2021

Microsoft warns of a couple of Active Directory flaws fixed with the November 2021 Patch Tuesday updates that could allow takeover of Windows domains.

Microsoft released an alert on two Active Directory vulnerabilities, fixed with the November 2021 Patch Tuesday security updates, that could allow threat actors to take over Windows domains.

The flaws, tracked as CVE-2021-42287 and CVE-2021-42278, can be chained to impersonate domain controllers and gain administrative privileges on Active Directory.

Microsoft is now warning customers to address both issues immediately due to the public availability of proof-of-concept exploit code. The IT giant also published a guide to help customers detect attempts to exploit both issues.

“Both vulnerabilities are described as a ‘Windows Active Directory domain service privilege escalation vulnerability’. A few weeks later, on December 12, 2021, a proof-of-concept tool leveraging these vulnerabilities was publicly disclosed.” states Microsoft. “When combining these two vulnerabilities, an attacker can create a straightforward path to a Domain Admin user in an Active Directory environment that hasn’t applied these new updates. This escalation attack allows attackers to easily elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain.”

The CVE-2021-42278 vulnerability is a security bypass issue that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing.

Experts pointed out that the sAMAccountName attributes of computer accounts usually end with “$”, which was used to distinguish between user objects and computer objects. With default settings, a normal user has permission to modify a machine account (up to 10 machines) and, as its owner, also has permission to edit its sAMAccountName attribute.
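
An added example, not from the article or from Microsoft's guide: a Python check that audits an exported account list for computer objects whose sAMAccountName breaks the trailing-“$” convention described above, and reports the machine-account quota. The Account record, the audit function, the severity labels and the sample entries are assumptions constructed for illustration; ms-DS-MachineAccountQuota is the domain attribute behind the 10-machine default.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:                      # hypothetical record for one exported directory object
    dn: str
    object_class: str               # "user" or "computer"
    sam_account_name: str
    is_domain_controller: bool = False

def normalise(name: str) -> str:
    """Comparison key: case-insensitive, trailing '$' ignored."""
    return name.rstrip("$").casefold()

def audit(accounts, machine_account_quota):
    """Return (severity, dn, reason) findings for an exported account list."""
    findings = []
    dcs = [a for a in accounts if a.is_domain_controller]
    for a in accounts:
        # Only computer objects that break the trailing-"$" convention are of interest.
        if a.object_class != "computer" or a.sam_account_name.endswith("$"):
            continue
        key = normalise(a.sam_account_name)
        clash = next((d for d in dcs
                      if d is not a and normalise(d.sam_account_name) == key), None)
        if clash:
            findings.append(("high", a.dn,
                             f"name matches domain controller {clash.sam_account_name}"))
        else:
            findings.append(("medium", a.dn, "computer account name lacks trailing '$'"))
    if machine_account_quota > 0:
        # ms-DS-MachineAccountQuota: how many machine accounts an ordinary user may create.
        findings.append(("info", "domain",
                         f"ms-DS-MachineAccountQuota is {machine_account_quota}"))
    return findings

# Constructed sample export (example.test is a placeholder domain).
SAMPLE = [
    Account("CN=DC01,OU=Domain Controllers,DC=example,DC=test", "computer", "DC01$", True),
    Account("CN=WS-114,CN=Computers,DC=example,DC=test", "computer", "WS-114$"),
    Account("CN=WS-207,CN=Computers,DC=example,DC=test", "computer", "dc01"),
    Account("CN=KIOSK3,CN=Computers,DC=example,DC=test", "computer", "KIOSK3"),
    Account("CN=alice,CN=Users,DC=example,DC=test", "user", "alice"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, machine_account_quota=10):
        print(*finding, sep=" | ")
```

A “high” finding means a non-controller computer account carries a domain controller's name without the “$”, which is the condition to investigate first on domain controllers that have not yet received the November 2021 updates.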

The second bug, tracked as CVE-2021-42287, is a security bypass vulnerability that affects the Kerberos Privilege Attribute Certificate (PAC) and allows potential attackers to impersonate domain controllers.

The vulnerability results in the Key Distribution Center (KDC) creating service tickets with higher privilege levels than those of the domain account.

“To exploit this vulnerability, a compromised domain account might cause the Key Distribution Center (KDC) to create a service ticket with a higher privilege level than that of the compromised account. It accomplishes this by preventing the KDC from identifying which account the higher privilege service ticket is for.” states the guide.

Experts explained that an attacker with domain user credentials can chain the above flaws to gain domain admin privileges.

“As always, we strongly advise deploying the latest patches on the domain controllers as soon as possible.” concludes Microsoft.
