{"id":7474,"date":"2021-12-27T19:04:56","date_gmt":"2021-12-28T02:04:56","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7474"},"modified":"2023-04-11T10:20:35","modified_gmt":"2023-04-11T17:20:35","slug":"patch-now-two-microsoft-active-directory-bugs-chained-to-takeover-windows-domain","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/patch-now-two-microsoft-active-directory-bugs-chained-to-takeover-windows-domain\/","title":{"rendered":"Patch Now: Two Microsoft Active Directory Bugs Chained to Takeover Windows Domain"},"content":{"rendered":"<p>Microsoft released a <a href=\"https:\/\/threatpost.com\/active-directory-bugs-windows-domain-takeover\/177185\/\" target=\"_blank\" rel=\"noopener\">statement<\/a> to its customers to patch two Active Directory domain controller bugs following the release of the <a href=\"https:\/\/github.com\/WazeHell\/sam-the-admin\" target=\"_blank\" rel=\"noopener\">proof-of-concept<\/a> on December 11.<\/p>\n<p dir=\"ltr\">The vulnerabilities, tracked as<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-42287\" target=\"_blank\" rel=\"noopener\"> CVE-2021-42287<\/a> and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-42278\" target=\"_blank\" rel=\"noopener\">CVE-2021-42278<\/a>, can be chained to gain privileges that lead to an easy Windows domain takeover.<\/p>\n<p dir=\"ltr\">The two vulnerabilities allow an adversary with low-privileged domain user credentials to obtain a <a href=\"https:\/\/medium.com\/@mvelazco\/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45\" target=\"_blank\" rel=\"noopener\">Kerberos Service Ticket<\/a> for a Domain Controller computer account, thereby allowing a normal user to control a domain controller. The flaw, according to Microsoft, stems from a KDC misconfiguration that allows any computer account to impersonate AD domains.<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"width: 800px; height: 227px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/blogs\/microsoft-ad.png\" alt=\"\" \/><\/p>\n<p dir=\"ltr\">Historically, it has been previously observed that Active Directory is extremely difficult to secure. Windows Active Directory servers played a part in the <a href=\"https:\/\/cybersecurityworks.com\/blog\/vulnerabilities\/solarwind-attackers-at-it-again-in-back-to-back-campaigns.html\" target=\"_blank\" rel=\"noopener\">SolarWinds attacks<\/a> where the servers were hit by the FoggyWeb backdoor.<\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><a href=\"#Detection\">Get CSW\u00a0script to detect\u00a0Windows Active Directory\u00a0bugs here<\/a><\/p>\n<h2 dir=\"ltr\"><strong>How dangerous are these two vulnerabilities?<\/strong><\/h2>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">CVE-2021-42287, an elevation of privilege vulnerability, affecting Windows Active Directory servers, has been assigned a CVSS v3 score of 8.8 (high) and the weakness enumeration, CWE-269, which leads to Improper Privilege Management.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">CVE-2021-42278, on the other hand, is a security bypass escalation of privilege vulnerability with the potential to let attackers impersonate domain controllers using <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e\" target=\"_blank\" rel=\"noopener\">sAMAccountName spoofing<\/a> techniques. CVE-2021-42278 has a CVSS v3 score of 8.8 (high) and is also pegged as an Improper Privilege Management software weakness (CWE-269).<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Attackers can use a vulnerability-chaining method to create a direct path to a domain admin user in any unpatched Active Directory environment, thereafter, allowing the full takeover of the machine.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">A <a href=\"https:\/\/github.com\/WazeHell\/sam-the-admin\" target=\"_blank\" rel=\"noopener\">proof-of-concept (PoC) tool<\/a> that can be used to exploit the bug was released publicly on GitHub, a few weeks after Microsoft released the Patch Tuesday Update for November 2021.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Google Trends for most searches for CVE-2021-42287 between December 16-23 reveals it is trending in China, Switzerland, Israel, Austria, and Germany.<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"height: 174px; width: 700px;\" src=\"https:\/\/lh6.googleusercontent.com\/ydUm9ZzSv_Mo_n4oOMftF6Hro_W5K_nehysA3vIm2j6EiuW5zxy2Po_7mBM6lhebb63d8uXQkRnoi0XQ3ckabBI6SG-WOaycCccVWCC4WSa21hCOAj_trLhPQJgnA5ONoyiHAQaF\" \/><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Similar search trends between December 16-23 for CVE-2021-42278 show a high number of searches in China with a lesser number of counts for Germany, Switzerland, Taiwan, and Denmark.<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"height: 199px; width: 700px;\" src=\"https:\/\/lh5.googleusercontent.com\/EMd9mAil0GX66Z_X8VrO-uT8FZfaJbSyv1o9hoNmVLUmLq82nWZdhQZiXFno_HGqYVjXUQHLXVE5r1YjCpSiZ919Ac-VFAqBruUg4_BbdXwRLmkcG7HIjAesTh19slJKMdqTCT_P\" \/><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The patches for the two vulnerabilities were published in the <a href=\"https:\/\/cybersecurityworks.com\/patchwatch\/november-microsoft-patches-55-security-vulnerabilities.html\">November 2021 Patch Tuesday<\/a> release put out by Microsoft.<\/p>\n<\/li>\n<\/ul>\n<h2 dir=\"ltr\"><strong>How does the exploit work?<\/strong><\/h2>\n<p dir=\"ltr\"><strong>Our security analysts took a deeper look at how the vulnerabilities affect the Active Directory server. Here is their analysis:<\/strong><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">All computer accounts usually have a trailing $ in their sAMAccountName attribute. However, since no validation processes exist to make sure of it, CVE-2021-42278 can be leveraged to allow attackers to impersonate domain controller accounts.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">CVE-2021-42287 comes in when requesting a Kerberos Service Ticket. Before one can request a Service Ticket, a Ticket Granting Ticket (TGT) is required by the Key Distribution Center (KDC). When the KDC is unable to find the requested service ticket, it automatically searches for a machine name with the trailing $. If a user is removed after obtaining the TGT, the user can request a service ticket meant for another user for himself by leveraging the obtained TGT, resulting in the KDC looking for user$ in Active Directory. If the domain controller account user$ exists, then the user basically obtained a service ticket for the domain controller account thereby completing the impersonation loop.<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\"><strong>Successful exploitation of the Windows Active Directory domain server would require the following steps:<\/strong><\/p>\n<ol>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Add a new machine account to the domain.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Rename the new machine account to match the sAMAccountName of an existing domain controller (without the \u2018$\u2019 that all computer names usually have)<\/p>\n<\/li>\n<\/ol>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"height: 346px; width: 500px;\" src=\"https:\/\/lh6.googleusercontent.com\/DgyVZMAFWbE9sdvmiEhBM5_BggBXBzoZ3ZtIdl3bkAVUOwH3SlynmD5CB7kDKNttofPzuNk2y5mZ6rRlm0w1SxiY_S9ua2-HcTU1XUyEB1yd9oJlBrM9S8AwyS0oc2JEg0FUP_0h\" \/><\/p>\n<ol start=\"3\">\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Request a Kerberos TGT using the updated machine account name.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Rename the new machine account once again to its original value or any other name.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Use the S4U2self extension to request a Kerberos Service Ticket.<\/p>\n<\/li>\n<\/ol>\n<p dir=\"ltr\">The complete exploitation process can be found <a href=\"https:\/\/exploit.ph\/cve-2021-42287-cve-2021-42278-weaponisation.html\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"height: 367px; width: 500px;\" src=\"https:\/\/lh4.googleusercontent.com\/CJaLuEMIjyJeIuPWuxT7MWL2nqeCSv0w30L666vcLaSld0JdeU6fyF0j_HjS3NhLqvZ5iHBuNtP425GUe0Na9OZ59aWBs1oETo_BMH2gjINprSdM0JMkh8UC3HoDzgjOG4Bu9EeG\" \/><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>Exploit of CVE-2021-42287 and CVE-2021-42278 in process<\/strong><\/p>\n<h2><a id=\"Detection\" name=\"Detection\"><\/a>Detection<\/h2>\n<p dir=\"ltr\">CSW pentesters have provided a <a href=\"https:\/\/github.com\/cybersecurityworks553\/noPac-detection\">script<\/a> below to help detect any potential compromise of an unpatched Windows AD Domain server.<\/p>\n<div id=\"code_area\">\n<p>#!\/usr\/bin\/env python<br \/>\nfrom __future__ import division<br \/>\nfrom __future__ import print_function<br \/>\nimport argparse<br \/>\nimport logging<br \/>\nimport sys<br \/>\nfrom binascii import unhexlify<\/p>\n<p>from impacket import version<br \/>\nfrom impacket.examples import logger<br \/>\nfrom impacket.examples.utils import parse_credentials<br \/>\nfrom impacket.krb5 import constants<br \/>\nfrom impacket.krb5.kerberosv5 import getKerberosTGT<br \/>\nfrom impacket.krb5.types import Principal<br \/>\nimport ldapdomaindump<br \/>\nimport ldap3<br \/>\nfrom getpass import getpass<\/p>\n<p>def TGT_size(options):<br \/>\ndomain, username, password = parse_credentials(options.credentials)<br \/>\nuserName = Principal(username, type=constants.PrincipalNameType.NT_PRINCIPAL.value)<br \/>\nlmhash = &#8221;<br \/>\nnthash = &#8221;<br \/>\ntgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, password, domain, unhexlify(lmhash), unhexlify(nthash),requestPAC=True)<br \/>\ntgt_2, cipher_2, oldSessionKey_2, sessionKey_2 = getKerberosTGT(userName, password, domain, unhexlify(lmhash), unhexlify(nthash),requestPAC=False)<\/p>\n<p># # Print TGT<br \/>\n# print (tgt)<br \/>\n# print(&#8220;_&#8221;*50)<br \/>\n# print(tgt_2)<\/p>\n<p>TGT_size, TGT_size_2 = len(tgt),len(tgt_2)<\/p>\n<p>print(&#8220;&lt;&#8220;*2+&#8221;-&#8220;*22+&#8221; TGT Size&#8221;+&#8221;-&#8220;*22+&#8217;&gt;&#8217;*2)<br \/>\nprint(f&#8221;[+] Length of TGT size with PAC: {TGT_size} \\n&#8221;)<\/p>\n<p>print(f&#8221;[+] Length of TGT size without PAC: {TGT_size_2} \\n&#8221;)<\/p>\n<p>if TGT_size == TGT_size_2:<br \/>\nprint( &#8220;[-] Not Vulnerable, PAC validated\\n&#8221;)<br \/>\nelse:<br \/>\nprint(&#8220;[!] Possbily vulnerable to CVE-2021-42287. \\n\\n[+] Apply Patches&#8221;)<br \/>\nprint(&#8220;&lt;&#8220;*3+&#8221;-&#8220;*51+&#8217;&gt;&#8217;*3)<\/p>\n<p># helper functions ldap connection<br \/>\ndef init_ldap_connection(target, tls_version, args, domain, username, password):<br \/>\nuser = &#8216;%s\\\\%s&#8217; % (domain, username)<br \/>\nif tls_version is not None:<br \/>\nuse_ssl = True<br \/>\nport = 636<br \/>\ntls = ldap3.Tls(validate=ssl.CERT_NONE, version=tls_version)<br \/>\nelse:<br \/>\nuse_ssl = False<br \/>\nport = 389<br \/>\ntls = None<br \/>\nldap_server = ldap3.Server(target, get_info=ldap3.ALL, port=port, use_ssl=use_ssl, tls=tls)<br \/>\nldap_session = ldap3.Connection(ldap_server, user=user, password=password, authentication=ldap3.NTLM, auto_bind=True)<\/p>\n<p>return ldap_server, ldap_session<\/p>\n<p>def init_ldap_session(args, domain, username, password):<\/p>\n<p># if args.k:<br \/>\n# \u00a0 \u00a0 target = get_machine_name(args, domain)<br \/>\nif args.dc_ip is not None:<br \/>\ntarget = args.dc_ip<br \/>\nelse:<br \/>\ntarget = domain<br \/>\nreturn init_ldap_connection(target, None, args, domain, username, password)<\/p>\n<p>## checking MachineAccountQuota<br \/>\ndef Check_quota(options):<br \/>\ndomain, username, password = parse_credentials(options.credentials)<br \/>\ndc_ip = options.dc_ip<br \/>\nldap_server, ldap_session = init_ldap_session(options, domain, username, password )<br \/>\ncnf = ldapdomaindump.domainDumpConfig()<br \/>\ncnf.basepath = None<br \/>\ndomain_dumper = ldapdomaindump.domainDumper(ldap_server, ldap_session, cnf)<br \/>\nMachineAccountQuota = None<\/p>\n<p># Get domain policy<br \/>\ndd = domain_dumper.getDomainPolicy()<br \/>\nfor i in dd:<br \/>\nMachineAccountQuota = int(str(i[&#8216;ms-DS-MachineAccountQuota&#8217;]))<\/p>\n<p># print(&#8220;&lt;&#8220;*3+&#8221;-&#8220;*13+&#8221;Machine Account Quota &#8220;+&#8221;-&#8220;*13+&#8217;&gt;&#8217;*3)<br \/>\nprint(&#8220;&lt;&#8220;+&#8221;-&#8220;*16+&#8221; Machine Account Quota &#8220;+&#8221;-&#8220;*16+&#8221;&gt;&#8221;)<br \/>\n# print(f'[-] Machine Account Quota \u00a0&#8216;)<br \/>\nprint(f'[+] MachineAccountQuota = {MachineAccountQuota} \\n&#8217;)<\/p>\n<p>#Conditional check<br \/>\nif MachineAccountQuota &lt; 0:<br \/>\nprint(&#8220;[#] Not vulnerable \u00a0cannot proceed with Machine creation. \\n&#8221;)<br \/>\nelse:<br \/>\nprint(&#8220;[!] Possible Attack Vector, can be exploited further. \\n&#8221;)<\/p>\n<p># Process command-line arguments.<br \/>\nif __name__ == &#8216;__main__&#8217;:<br \/>\nlogger.init()<br \/>\nprint(version.BANNER)<\/p>\n<p>parser = argparse.ArgumentParser()<\/p>\n<p>parser.add_argument<br \/>\nparser.add_argument(&#8216;-debug&#8217;, action=&#8217;store_true&#8217;, help=&#8217;Turn DEBUG output ON&#8217;)<\/p>\n<p>group = parser.add_argument_group(&#8216;mandatory&#8217;)<br \/>\n## hashes are currently not supported<br \/>\n# group.add_argument(&#8216;-hashes&#8217;, action=&#8221;store&#8221;, metavar = &#8220;LMHASH:NTHASH&#8221;, help=&#8217;NTLM hashes, format is LMHASH:NTHASH&#8217;)<\/p>\n<p>group.add_argument(&#8216;-dc-ip&#8217;, action=&#8217;store&#8217;,required=True, metavar=&#8221;&lt;IP address&gt;&#8221;,<br \/>\nhelp=&#8217;IP of the domain controller to use. Useful if you can\\&#8217;t translate the FQDN.&#8217;<br \/>\n&#8216;specified in the account parameter will be used&#8217;)<br \/>\ngroup.add_argument(&#8216;-targetUser&#8217;, action=&#8217;store&#8217;, required=True,metavar=&#8221;&lt;Target Username&gt;&#8221;, help=&#8217;The target user to retrieve the PAC of&#8217;)<br \/>\ngroup.add_argument(&#8216;credentials&#8217;, action=&#8217;store&#8217;, help=&#8217;domain\/username[:password]. Valid domain credentials to use &#8216;<br \/>\n&#8216;for grabbing targetUser\\&#8217;s PAC \\n &#8216;)<\/p>\n<p>if len(sys.argv)==1:<br \/>\nparser.print_help()<br \/>\nsys.exit(1)<\/p>\n<p>options = parser.parse_args()<\/p>\n<p>domain, username, password = parse_credentials(options.credentials)<br \/>\ntarget_user = options.targetUser<br \/>\ndc_IP = options.dc_ip<br \/>\n# print(&#8220;&lt;&#8220;*3+&#8221;-&#8220;*20+&#8221; Input Values &#8220;+&#8221;-&#8220;*20+&#8217;&gt;&#8217;*3)<br \/>\nprint(f&#8221;[#] Input Values&#8221;)<br \/>\nprint(f&#8221;domain : {domain} \\nusername : {username} \\npassword: {password} \\ntarget_user: {target_user} \\ndc_ip : {dc_IP}&#8221;)<\/p>\n<p>if domain is None:<br \/>\ndomain = &#8221;<\/p>\n<p>if password == &#8221; and username != &#8221; and options.hashes is None:<br \/>\npassword = getpass(&#8220;Password:&#8221;)<\/p>\n<p>if options.debug is True:<br \/>\nlogging.getLogger().setLevel(logging.DEBUG)<br \/>\n# Print the Library&#8217;s installation path<br \/>\nlogging.debug(version.getInstallationPath())<br \/>\nelse:<br \/>\nlogging.getLogger().setLevel(logging.INFO)<\/p>\n<p>try:<br \/>\nprint(f&#8221;\\n[#] Initiating validations&#8230; \\n&#8221;)<br \/>\nCheck_quota(options)<br \/>\nTGT_size(options)<\/p>\n<p>except Exception as e:<br \/>\nif logging.getLogger().level == logging.DEBUG:<br \/>\nimport traceback<br \/>\ntraceback.print_exc()<br \/>\nlogging.error(str(e))<\/p>\n<\/div>\n<p dir=\"ltr\">We also looked into the scanner details to see if the vulnerabilities had been missed by any major scanners. Here are the findings:<\/p>\n<table style=\"width: 400px;\" border=\"1\" align=\"center\">\n<colgroup>\n<col \/>\n<col \/> <\/colgroup>\n<tbody>\n<tr>\n<td>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>Name of Scanner<\/strong><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>Plugin details<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Nexpose<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">msft-cve-2021-42278<\/p>\n<p dir=\"ltr\">msft-cve-2021-42287<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Nessus<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">CVE-2021-42287: 154996, 1544995, 154994, 154993, 154990, 154986, 154984, 154983; CVE-2021-42278: 154996, 1544995, 154994, 154993, 154990, 154986, 154984, 154983<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 110px;\">\n<p dir=\"ltr\">Qualys QID<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">91835 for CVE-2021-42278, CVE-2021-42287<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<h2 dir=\"ltr\"><strong>Vulnerable Product Versions<\/strong><\/h2>\n<p dir=\"ltr\">The product versions affected by the two vulnerabilities are listed in the table below with patch links.<\/p>\n<table style=\"width: 700px;\" border=\"1\" align=\"center\">\n<colgroup>\n<col \/>\n<col \/>\n<col \/> <\/colgroup>\n<tbody>\n<tr>\n<td>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>CVE ID<\/strong><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>Product Versions Affected<\/strong><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>Patch Links<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 125px;\">\n<p dir=\"ltr\">CVE-2021-42278<\/p>\n<\/td>\n<td style=\"width: 190px;\">\n<p dir=\"ltr\">cpe:2.3:o:microsoft:windows_server_2008:-:sp2 (All Versions)\u00a0 cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*<\/p>\n<p dir=\"ltr\">cpe:2.3:o:microsoft:windows_server_2012 (All Versions)\u00a0 cpe:2.3:o:microsoft:windows_server_2012:r2 (All Versions)<\/p>\n<p dir=\"ltr\">cpe:2.3:o:microsoft:windows_server_2016:-: (All Versions)<\/p>\n<p dir=\"ltr\">cpe:2.3:o:microsoft:windows_server_2016:20h2 (All Versions)<\/p>\n<p dir=\"ltr\">cpe:2.3:o:microsoft:windows_server_2016:2004 (All Versions)<\/p>\n<p dir=\"ltr\">cpe:2.3:o:microsoft:windows_server_2019:-: (All Versions)<\/p>\n<p dir=\"ltr\">cpe:2.3:o:microsoft:windows_server_2022:-: (All Versions)<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2021-42278\">https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2021-42278<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">CVE-2021-42287<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">cpe:2.3:o:microsoft:windows_server:2004 (All Versions)<\/p>\n<p dir=\"ltr\">cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:x64:*<\/p>\n<p dir=\"ltr\">cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*<\/p>\n<p dir=\"ltr\">cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*<\/p>\n<p dir=\"ltr\">cpe:2.3:o:microsoft:windows_server_2012 (All Versions)<\/p>\n<p dir=\"ltr\">cpe:2.3:o:microsoft:windows_server_2012:r2 (All Versions)<\/p>\n<p dir=\"ltr\">cpe:2.3:o:microsoft:windows_server_2016 (All Versions)<\/p>\n<p dir=\"ltr\">cpe:2.3:o:microsoft:windows_server_2019 (All Versions)<\/p>\n<p dir=\"ltr\">cpe:2.3:o:microsoft:windows_server_2022 (All Versions)<\/p>\n<\/td>\n<td style=\"width: 100px;\">\n<p dir=\"ltr\"><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2021-42287\">https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2021-42287<\/a><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\">Microsoft urged Windows admins to update all domain controllers using the information available in these knowledge-base articles:<\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e\">KB5008102<\/a><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041\">KB5008380<\/a><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/november-14-2021-kb5008602-os-build-17763-2305-out-of-band-8583a8a3-ebed-4829-b285-356fb5aaacd7\">KB5008602<\/a><\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\">There were no exposure counts available for the two CVEs on Shodan at the time this blog was written.<\/p>\n<h2 dir=\"ltr\"><strong>Patching these vulnerabilities should be a top priority for organizations.<\/strong><\/h2>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\">With organizations scampering to fix the <a href=\"https:\/\/cybersecurityworks.com\/patchwatch\/cve-2021-44228-patch-apache-log4j-vulnerability-immediately.html\" target=\"_blank\" rel=\"noopener\">Apache Log4j vulnerabilities<\/a>, there is a chance that the Windows Active Directory security flaws may get overlooked.<\/p>\n<p>Since Windows domain administrators can usually modify configurations of Active Directory servers and any content stored there, including creation or deletion of users and\/or permissions, as well as control of authorization and authentication to Windows services, CVE-2021-42287 and CVE-2021-42278 are crucial vulnerabilities that require the immediate attention of organizational cybersecurity teams.<\/p>\n<p dir=\"ltr\">We urge all organizations to patch the vulnerabilities before the end of the year because CSW\u2019s experts predict that ransomware operators may use the publicly available proof-of-concept to install ransomware on every Windows machine in a target organization and carry out a fast-paced attack that could take down an entire organization at once.<\/p>\n<p>CSW\u2019s team of expert pentesters and security analysts can help you drive this remediation and gain cyber resilience through our Vulnerability Management services.<\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>CSW\u2019s Vulnerability Management as a Service (VMaaS) offers full coverage encompassing your entire IT landscape and detects, prioritizes,<\/strong><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>and fixes vulnerabilities on your organizational infrastructure.\u00a0<\/strong><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>\u00a0<\/strong><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>To know more about CSW\u2019s Vulnerability Management as a Service (VMaaS),<\/strong><\/p>\n<p style=\"text-align: center;\"><strong>please <a href=\"https:\/\/cybersecurityworks.com\/services\/vulnerability-management-as-a-service\" target=\"_blank\" rel=\"noopener\">click here<\/a>.<\/strong><\/p>\n<p style=\"text-align: center;\">\n","protected":false},"excerpt":{"rendered":"<p>Two Active Directory bugs with vulnerability-chaining capabilities allow attackers to impersonate regular domain users to gain privileges and get access in unpatched Microsoft Windows Active Directory.<\/p>\n","protected":false},"author":1,"featured_media":7475,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[80,83,123],"tags":[279,425,427,150,93,426,424,428],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7474"}],"collection":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/comments?post=7474"}],"version-history":[{"count":5,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7474\/revisions"}],"predecessor-version":[{"id":17540,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7474\/revisions\/17540"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/media\/7475"}],"wp:attachment":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/media?parent=7474"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/categories?post=7474"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/tags?post=7474"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}