On Monday, Microsoft issued a security advisory on two Active Directory vulnerabilities addressed in the November 2021 Patch Tuesday updates, advising customers to apply the patches as soon as possible to avoid potential compromise.
The two security flaws, tracked as CVE-2021-42287 and CVE-2021-42278, can be chained to impersonate domain controllers and gain administrator access to Active Directory.
Proof-of-concept code exploiting the two weaknesses has been available for more than a week, and Microsoft is issuing a warning to businesses about the possibility of hostile attacks, as well as a guide to help them spot unusual behavior involving the flaws.
“An attacker can establish a clear path to a Domain Admin user in an Active Directory system that hasn’t deployed these latest patches by combining these two vulnerabilities. Once an attacker has compromised an ordinary user in the domain, this escalation approach allows them to easily elevate their privilege to that of a Domain Admin,” Microsoft explains.
CVE-2021-42278 is a security bypass vulnerability that allows attackers to impersonate a domain controller by spoofing a computer account’s sAMAccountName attribute.
According to Microsoft, the sAMAccountName of a computer account normally ends with a “$” to help distinguish computer objects from user objects. Because of the flaw, a typical user “has authorization to alter a machine account (up to 10 machines) and, as its owner, they also have the permissions to edit its sAMAccountName property,” Microsoft says.
CVE-2021-42287 is a security bypass vulnerability in the Kerberos Privilege Attribute Certificate (PAC) that can likewise be used to impersonate domain controllers. Because of the flaw, the Key Distribution Center (KDC) issues service tickets carrying higher privileges than the requesting domain account actually holds.
During Kerberos authentication, a Ticket-Granting Ticket (TGT) and then a Ticket-Granting Service (TGS) ticket are requested from the KDC. If the account named in the TGS request cannot be found, the KDC retries the lookup with a trailing “$” appended to the account name.
“For example, if a domain controller has the SAM account name DC1$, an attacker may create a new machine account and rename its SAM account name to DC1, request a TGT, rename it for a different name, and request a TGS ticket, presenting the TGT he has in his hands,” Microsoft explains.
As a result, when the lookup for DC1 fails, the KDC searches for DC1$ instead and will “issue the ticket using the privileges of DC1$.”
An attacker holding only domain user credentials can therefore chain the two vulnerabilities to obtain domain admin privileges.
Microsoft has published a guide to help companies spot suspicious behavior connected to exploitation of these vulnerabilities: it works by detecting irregular device name changes and comparing the new names against a list of the domain controllers in the environment.
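The detection idea above, as an added example that is not part of Microsoft’s guidance or of this article: a small Python script that reviews constructed records shaped like Windows Security event 4742 (“A computer account was changed”) and flags a machine account renamed either to a known domain controller’s name (with or without the “$”) or to a name that has lost its trailing “$”. The event field names, sample events and domain controller list are assumptions built for the example.

```python
from typing import Iterable, Optional

# Constructed sample records mimicking the fields of Windows Security event 4742.
# "-" in SamAccountName means the attribute was not part of the change, which is
# how the real event renders fields that did not change.
SAMPLE_EVENTS = [
    {"EventID": 4742, "TargetUserName": "WS01$", "SamAccountName": "-"},
    {"EventID": 4742, "TargetUserName": "WS07$", "SamAccountName": "DC1"},
    {"EventID": 4742, "TargetUserName": "LAB03$", "SamAccountName": "LAB3$"},
    {"EventID": 4742, "TargetUserName": "LAB09$", "SamAccountName": "lab-svc"},
    {"EventID": 4720, "TargetUserName": "jdoe", "SamAccountName": "-"},
]

# Domain controller computer accounts in the environment (constructed list; in
# practice enumerate them from the Domain Controllers OU).
DOMAIN_CONTROLLERS = {"DC1$", "DC2$"}


def classify_rename(new_name: str, domain_controllers: Iterable[str]) -> Optional[str]:
    """Explain why a new sAMAccountName on a computer account is suspicious, or None."""
    dc_bases = {dc.rstrip("$").lower() for dc in domain_controllers}
    if new_name.rstrip("$").lower() in dc_bases:
        # The KDC appends "$" to a name it cannot find, so "DC1" resolves to DC1$.
        return "matches domain controller name"
    if not new_name.endswith("$"):
        # Machine accounts normally keep the trailing "$"; dropping it is the
        # precondition for the lookup fallback abused by CVE-2021-42287.
        return "trailing '$' removed"
    return None


def find_suspicious_renames(events, domain_controllers):
    """Return (old_name, new_name, reason) for each suspicious 4742 rename."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4742 or ev.get("SamAccountName", "-") == "-":
            continue  # not a computer-account change, or name unchanged
        reason = classify_rename(ev["SamAccountName"], domain_controllers)
        if reason:
            hits.append((ev["TargetUserName"], ev["SamAccountName"], reason))
    return hits


if __name__ == "__main__":
    for old, new, why in find_suspicious_renames(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(f"ALERT: {old} renamed to {new}: {why}")
```

On the sample data the script reports WS07$ renamed to DC1 and LAB09$ renamed to lab-svc, while the benign rename LAB03$ to LAB3$ is left alone.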
“As always, we strongly recommend applying the most recent updates to domain controllers as soon as possible,” Microsoft says.
In threat activity recorded by the FBI, unidentified advanced persistent threat (APT) actors leveraged the issue to install a web shell on the server, which they then used to infect it with further malware and remote access tools.
Microsoft also issued an out-of-band update on November 14 to address a number of non-security issues that arose as a result of the November 9 security updates.
The earlier spoofing vulnerabilities include CVE-2021-43890, CVE-2021-43215 and CVE-2021-43899. The current batch brings the total CVE count this year to 887, down nearly 30% from 2020, according to data maintained by vulnerability broker ZDI.