Active Directory Bugs Allow Windows Domain Takeover
Application Security, Governance and Risk Management, Incident and Breach Response
Microsoft urges customers to apply patches after proof of concept release
Prajeet Nair (@prajeetspeaks) •
December 22, 2021
Microsoft is urging customers to apply fixes released in November for two Active Directory domain controller bugs, following the release of a proof-of-concept tool that exploits these bugs, which, when chained, can allow a catch easy Windows domain control.
See also: Forrester Consulting Study: The Total Economic Impact™ of Guardicore, an Akamai Technologies Company
Vulnerabilities tracked as CVE-2021-42287 and CVE-2021-42278 allow hackers to take control of Windows domains. The flaws were fixed during the month of November 2021 Tuesday patchbut a few weeks later, on December 12, a proof-of-concept exploit exploiting these vulnerabilities was made public (see: Patch Tuesday: Microsoft fixes zero-day spreading malware).
“These two vulnerabilities allow attackers to take control of Windows domains, and they would have had great repercussions if they had appeared at any other time. However, they were overshadowed by the Log4j attacks and could only find a place on the agenda when Microsoft issued an alert on December 20,” says Suleyman Ozarslan, co-founder of threat simulation firm Picus Security and vice president of Picus Labs.
Privilege Escalation Vulnerability
Both vulnerabilities are Windows Active Directory Domain Service privilege escalation vulnerabilities and are classified as critical, with a CVSS score of 7.5 out of 10, according to Microsoft.
The company recommends that users deploy the latest available patches to domain controllers as soon as possible. The Microsoft research team has also released a query that can be used to identify suspicious behavior exploiting these vulnerabilities.
The query can help detect anomalous activity such as device renaming, which it says happens rarely, and compare it to a list of domain controllers in a customer environment.
“By combining these two vulnerabilities, an attacker can create a direct path to a domain administrator user in an Active Directory environment that has not applied these new updates. This escalation attack allows attackers to easily escalate their privilege to that of a domain administrator once they compromise a regular user of the domain,” says Daniel Naim of Microsoft.
“The ‘SAM Name spoofing and KDC bamboozling’ vulnerabilities are particularly dangerous when combined – CVE-2021-42287 and CVE-2021-42278 – allowing an attacker to directly access a domain administrator user from a regular user.With domain admin access, the attacker has control of the environment, allowing him to change access to different resources, giving the attacker free access and control of the machines and organizational data,” says Andy Kays, CEO of Socura, a managed threat detection and response company.
Microsoft urges customers to update devices with the following knowledgebases: KB5008102, KB5008380, KB5008602.
The vulnerability identified as CVE-2021-42278 provides a security bypass that allows an attacker to escalate privileges to become a domain administrator by impersonating a domain controller using domain spoofing. computer sAMAccountName.
An Active Directory Security Accounts Manager, or SAM, is a database file in operating systems that stores user passwords and can be used to authenticate local and remote users.
When installing CVE-2021-42278, Active Directory performs validation inspections on the sAMAccountName and UserAccountControl attributes of machine accounts created or modified by users who do not have administrator rights for machine accounts .
“sAMAccountName attributes usually end with ‘$’ in their name. Traditionally, this $ was used to distinguish between user objects and computer objects. It is important to mention that there are no restrictions or validations to modify this attribute to include or not include the $ sign,” says Naim. “With the default settings, when the corresponding patch is not applied, a normal user has permission to modify a machine account (up to 10 machines) and as the owner, he also has permissions to modify his sAMAccountName attribute.”
The flaw identified as CVE-2021-42287 fixes a security bypass vulnerability that affects the Kerberos Privilege Attribute Certificate, or PAC, which allows attackers to impersonate domain controllers.
“When performing authentication using Kerberos, Ticket-Granting-Ticket (TGT) and the following Ticket-Granting-Service (TGS) are requested from the Key Distribution Center (KDC). In the case a TGS was requested for an account that might not be found, the KDC will attempt to search for it again with a $ at the end,” Microsoft says. “For example, if there is a domain controller with an account name SAM from DC1$, an attacker can create a new machine account and rename their SAM account name to DC1, request a TGT, rename it again to a different name, and request a TGS ticket, presenting the TGT they have in hand.”
When processing this TGS request, however, the KDC fails and it falls to the requesting machine DC1, which the attacker had created.
“Therefore, the KDC will perform another search adding a trailing $. The search will succeed. As a result, the KDC will issue the ticket using the privileges of DC1$,” Microsoft explains. “By combining the two CVEs, an attacker with domain user credentials can exploit them to grant access as a domain admin user in a few simple steps.”
How to know if your computer has been compromised
“When a critical 10/10 vulnerability occurs, security teams stop everything they are doing to address the urgent situation, but they must remember that different vulnerabilities can appear simultaneously in other products. Attackers will use this distraction to their advantage and will perform additional attacks such as ransomware campaigns,” says Ozarslan.
“These Microsoft Active Directory vulnerabilities remind us that cybersecurity is an ongoing process. The security community must look beyond Log4j and take action to address these two significant vulnerabilities as well as any other emerging threats in the coming weeks,” he said.
Kays says, “With a publicly available POC exploit now available, it is only a matter of time before it is actively used as a method of attack. Organizations should ensure they have installed the Microsoft’s latest patches and if they are behind in their patch cycle, we recommend that they verify that these exploits have not been used in their environment.”
To determine if your environment was exploited prior to patch deployment, Microsoft recommends performing the following steps:
- The sAMAccountName change is based on event 4662. Microsoft recommends enabling it on the domain controller to intercept such activity.
- Open Microsoft 365 Defender and navigate to Advanced Hunting.
- Apply query available in the Microsoft 365 Defender GitHub Advanced Hunting Query.
- Replace the marked zone with the naming convention of a domain controller.
- Run the query and analyze the results containing the affected devices. Also use Windows event 4741 to find the creator of affected machines.
- Microsoft recommends investigating these compromised computers to determine that they have not been weaponized.
- Make sure the devices are updated with the following KBs: KB5008102, KB5008380, KB5008602.