Microsoft warns against Active Directory domain takeover due to unpatched vulnerabilities

Windows[German]Microsoft warned of a new threat in a Techcommunity post on December 20, 2021. In November 2021 patchday, vulnerabilities CVE-2021-42287 and CVE-2021-42278 were fixed by Windows updates. Since December 2021, a proof of concept (PoC) has been available that abuses these vulnerabilities to take over an Active Directory domain. Here's some information – and at the same time I can help cover a topic that has been awaiting publication here for a few days.

Microsoft warns against Active Directory domain takeover due to unpatched vulnerabilitiesThe topic has been on the agenda since December 10/11, 2021, because that's when a PoC for vulnerabilities CVE-2021-42287 and CVE-2021-42278 was published. The following tweet addresses the whole thing in a nutshell:

CVE-2021-42287 and CVE-2021-42278

CVE-2021-42287 / CVE-2021-42278 ermöglicht DC-Übernahme

CVE-2021-42287 / CVE-2021-42278 allows DC takeover
On December 20, 2021, Microsoft brought it up again in the Techcommunity post SAM Name impersonation, noting that vulnerabilities CVE-2021-42287 and CVE-2021-42278 were closed by security updates in November 2021. The combination of these two vulnerabilities can allow an attacker to create a domain administrator user in an Active Directory environment. It is enough to compromise a normal user in the domain to gain the privileges of a domain administrator.

The problem with the November 2021 Windows security updates was that they caused massive problems with synchronization with domain controllers. I had reported, among other things, in the blog post November 2021 Patchday issues: WSUS, DC, Events. Microsoft had to release special updates to catch it (see Windows 10/Windows Server: Out-of-band updates fixes DC authentification error (2021/11/14)). This may have resulted in systems still running without these updates.

In the Techcommunity post SAM Name impersonation , Microsoft notes that a proof-of-concept (PoC) exploiting these vulnerabilities has been published since December 12, 2021. Administrators are urged to immediately install updates KB5008102, KB5008380, and KB5008602 to protect their domain controllers.

The Techcommunity post outlines the impact of the two vulnerabilities. In addition, the post also includes step-by-step instructions to find out if a machine is already compromised. The colleagues at Bleeping Computer summarized it again in this post, which made the topic slide up my agenda once again. In addition, Mauricio Velazco posted Hunting for samAccountName Spoofing (CVE-2021–42278) & Domain Controller Impersonation (CVE-2021–42287) on Medium about the issue and points it out in the following tweet.

CVE-2021-42278 & CVE-2021-42287

Enable Enforcement Mode

I still had this topic since weeks on my agenda, because a Microsoft note which becomes relevant again with the above text. In this document about update KB5008380, Microsoft writes:

After installing Windows updates dated November 9, 2021 or later, PACs will be added to the TGT of all domain accounts, including those that previously rejected PACs.

To protect an environment with a domain controller and avoid outages, administrators must keep the following data in mind or take the following steps:

  • Update all devices hosting the Active Directory Domain Controller role to the November 9, 2021 update.
  • After the November 9, 2021 update has been installed on all Active Directory domain controllers for at least 7 days, Microsoft strongly recommends enabling enforcement mode on all Active Directory domain controllers.

Those who miss the second step or are not yet able to enable it should know that starting with the July 12, 2022 enforcement phase update, enforcement mode will be enabled on all Windows domain controllers and will then be required. The 7 day grace period mentioned above may come from the observation, that the first days some events will be logged – but later the DC shall calm down.

Addendum: There are issues with Enforcement Mode, if Linux clients shall join a DC – see Linux: Microsoft recommendation on enforcement mode against Active Directory takeover may cause issues

Similar articles
Patchday: Windows 10-Updates (November 9, 2021)
Windows 10/Windows Server: Out-of-band updates fixes DC authentification error (2021/11/14)
November 2021 Patchday issues: WSUS, DC, Events

This entry was posted in Security, Update, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *