Active Directory Bugs Enable Windows Domain TakeoverMicrosoft Urges Customers to Apply Patches After Proof Of Concept Release
Microsoft is urging customers to apply patches issued in November for two Active Directory domain controller bugs, following publication of a proof-of-concept tool that leverages these bugs, which when chained can allow easy Windows domain takeover.
The vulnerabilities tracked as CVE-2021-42287 and CVE-2021-42278 allow threat actors to take over Windows domains. The flaws were fixed during the November 2021 Patch Tuesday, but a few weeks later, on Dec. 12, a proof-of-concept exploit leveraging these vulnerabilities was publicly disclosed (see: Patch Tuesday: Microsoft Fixes Zero-Day Spreading Malware).
"These two vulnerabilities allow attackers to take over Windows domains, and they would have had great repercussions had they emerged at another time. However, they were overshadowed by the Log4j attacks and could only find a place on the agenda when Microsoft issued an alert on Dec. 20," says Suleyman Ozarslan, co-founder of threat simulation firm Picus Security and vice president of Picus Labs.
Privilege Escalation Vulnerability
Both vulnerabilities are Windows Active Directory domain service privilege escalation vulnerabilities and are rated as critical, with a CVSS score of 7.5 out of 10, according to Microsoft.
The company recommends users deploy the latest available patches on the domain controllers as soon as possible. Microsoft’s research team has also published a query that can be used to identify suspicious behavior leveraging these vulnerabilities.
The query can help detect abnormal activities such as device name change, which it says occurs rarely, and compare them to a list of domain controllers in a customer environment.
"When combining these two vulnerabilities, an attacker can create a straightforward path to a Domain Admin user in an Active Directory environment that hasn’t applied these new updates. This escalation attack allows attackers to easily elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain," says Daniel Naim of Microsoft.
"The 'SAM Name impersonation and KDC bamboozling' vulnerabilities are particularly dangerous when combined - CVE-2021-42287 and CVE-2021-42278 - allowing an attacker a direct path to a Domain Admin user from a regular user. With Domain Admin access, the attacker has control of the environment, allowing them to modify access to different resources, effectively providing the attacker with free access and control of the machines and data in the organization," says Andy Kays, CEO at Socura, a managed threat detection and response firm.
Microsoft is urging customers to update the devices with the following knowledge bases: KB5008102, KB5008380, KB5008602.
The vulnerability tracked as CVE-2021-42278 provides a security bypass that allows an attacker to jack up privileges to become a domain admin by impersonating a domain controller using computer account sAMAccountName spoofing.
An Active Directory Security Accounts Manager, or SAM, is a database file in the operating systems that stores users' passwords and can be used to authenticate local and remote users.
Upon the installation of CVE-2021-42278, Active Directory performs validation inspections on the sAMAccountName and UserAccountControl attributes of computer accounts created or modified by users who do not have administrator rights for machine accounts.
"sAMAccountName attributes usually end with '$' in their name. Traditionally, this $ was used to distinguish between user objects and computer objects. It is important to mention there are no restrictions or validations for changing this attribute to include or not include the $ sign," Naim says. "With default settings, when the relevant patch is not applied, a normal user has permission to modify a machine account (up to 10 machines) and as its owner, they also have the permissions to edit its sAMAccountName attribute."
The flaw tracked as CVE-2021-42287 addresses a security bypass vulnerability that affects the Kerberos Privilege Attribute Certificate, or PAC, which allows attackers to impersonate domain controllers.
"When performing an authentication using Kerberos, Ticket-Granting-Ticket (TGT) and the following Ticket-Granting-Service (TGS) are being requested from the Key Distribution Center (KDC). In case a TGS was requested for an account that could not be found, the KDC will attempt to search it again with a trailing $," Microsoft says. "For example, if there is a domain controller with a SAM account name of DC1$, an attacker may create a new machine account and rename its SAM account name to DC1, request a TGT, rename it again for a different name, and request a TGS ticket, presenting the TGT he has in hand."
When processing this TGS request, however, the Key Distribution Center fails, and it falls to the requestor machine DC1, which the attacker had created.
"Therefore, the KDC will perform another lookup appending a trailing $. The lookup will succeed. As a result, the KDC will issue the ticket using the privileges of DC1$," Microsoft says. "Combining the two CVEs, an attacker with domain user credentials can leverage them for granting access as a domain admin user in a few simple steps."
How to Tell If Your Computer Has Been Compromised
"When a 10/10 critical vulnerability arises, security teams will stop whatever they are doing to address the urgent situation, but they must remember that different vulnerabilities may emerge in other products simultaneously. Attackers will use this distraction to their advantage and carry out additional attacks such as ransomware campaigns," Ozarslan says.
"These Microsoft Active Directory vulnerabilities are a reminder that cybersecurity is a continual process. The security community must look beyond Log4j and take steps to address these two important vulnerabilities as well as any other emerging threats in the weeks ahead," he says.
Kays says, "With a publicly availably POC exploit now available, it is a matter of time before this is actively used as a method of attack. Organizations should ensure they have the latest patches from Microsoft installed, and if they are behind in their patch cycle, we would recommend they check these exploits haven’t been used in their environment."
To determine if your environment was exploited before the fixes were deployed, Microsoft recommends taking the following steps:
- The sAMAccountName change is based on event 4662. Microsoft recommends enabling it on the domain controller to catch such activities.
- Open Microsoft 365 Defender and navigate to Advanced Hunting.
- Apply the query available in the Microsoft 365 Defender GitHub Advanced Hunting query.
- Replace the marked area with the naming convention of a domain controller.
- Run the query and analyze the results which contains the affected devices. Also, use Windows Event 4741 to find the creator of affected machines.
- Microsoft recommends investigating these compromised computers to determine that they haven’t been weaponized.
- Ensure devices are updated with the following KBs: KB5008102, KB5008380, KB5008602.