3 Steps to Mitigate Two Recent Active Directory Domain Service Privilege Escalation Security Flaws
After releasing security patches for two Active Directory vulnerabilities during Patch Tuesday in November 2021, Microsoft urged customers on December 20 to apply the patches immediately to prevent attackers from taking over Windows domains. In addition to patching, organizations can strengthen their defenses against attacks by taking a few actions that will help prevent unauthorized creation of accounts that can lead to elevation of privilege and attack.
A look behind the scenes of CVE-2021-42278 and CVE-2021-42287
On November 9, 2021, Microsoft released four CVEs related to security issues in Active Directory and attributed them to Andrew Bartlett. The common theme for three of these security updates seems to involve validating the uniqueness of certain attributes of AD objects and ensuring that principal names are not confused when issuing Kerberos tickets, which otherwise results in the issuance of bad principal or bad service tickets.
While many in the infosec community have speculated that exploiting these issues would involve unreliable race conditions or other edge cases, security researchers Charlie Clark and Ceri Coburn published an article demonstrating how CVE-2021-42278 can be abused to reliably escalate from default user privileges in any domain / forest, and even across forest trusts in specific configurations.
Prior to this security update, no validation required that the sAMAccountName attribute of computer / service accounts end with a dollar sign ($), allowing accounts to exist whose names match those of privileged accounts, such as a domain controller, except for the trailing dollar sign.
Charlie and Ceri discovered that an attacker could request a Kerberos Ticket Granting Ticket (TGT) for an account with the same sAMAccountName as a domain controller (except for the trailing dollar sign) and then modify the sAMAccountName attribute of this account. The attacker’s TGT would still be valid, despite the modification of the account’s sAMAccountName attribute.
The attacker could then call the S4U2Self Kerberos extension to obtain a Kerberos service ticket for any arbitrary user, including privileged users such as members of the Domain Admins group, for the service associated with the attacker’s TGT. The domain controller would attempt to issue the ticket to a service associated with the account name on the TGT without the dollar sign. When the domain controller cannot find this account because its sAMAccountName attribute has changed, it looks for a service associated with the name on the TGT with a dollar sign appended and finds the domain controller’s account. As a result, the domain controller would reliably issue a ticket for the privileged user to the domain controller and send it to the attacker.
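The precondition for the ticket confusion described above is a computer account whose sAMAccountName loses its trailing dollar sign. Active Directory records account renames as Security event 4781 ("The name of an account was changed") on the domain controller that processed the change, so a defender can flag exactly that transition. The following is an added PowerShell example written for this page, not code from the Semperis post or from the researchers it cites; it assumes the 4781 event data carries the fields OldTargetUserName, NewTargetUserName and SubjectUserName, and the sample events it runs against are constructed, not real log entries.

```powershell
# Added example (not from the original post): flag account renames where a
# computer account's sAMAccountName lost its trailing "$".
# Assumed event layout: Security event 4781 with OldTargetUserName,
# NewTargetUserName and SubjectUserName in its event data.

function Test-SuspiciousRename {
    param(
        [Parameter(Mandatory)] [string] $OldName,
        [Parameter(Mandatory)] [string] $NewName
    )
    # A legitimately renamed computer account keeps its trailing "$".
    # Old name with "$" and new name without it is the pattern to
    # investigate, all the more so if the new name matches a DC's name.
    return ($OldName.EndsWith('$') -and -not $NewName.EndsWith('$'))
}

function Find-SuspiciousRenames {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $Event)
    process {
        if (Test-SuspiciousRename -OldName $Event.OldTargetUserName -NewName $Event.NewTargetUserName) {
            [pscustomobject]@{
                Time    = $Event.TimeCreated
                Subject = $Event.SubjectUserName
                OldName = $Event.OldTargetUserName
                NewName = $Event.NewTargetUserName
            }
        }
    }
}

# Constructed sample events (not real log entries): one benign rename that
# keeps the "$", one rename that drops it and takes a DC-like name.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2021-12-20 10:00'; SubjectUserName = 'jdoe'; OldTargetUserName = 'WS-LAB01$'; NewTargetUserName = 'WS-LAB02$' }
    [pscustomobject]@{ TimeCreated = '2021-12-20 10:05'; SubjectUserName = 'jdoe'; OldTargetUserName = 'WS-LAB03$'; NewTargetUserName = 'DC01' }
)
$sample | Find-SuspiciousRenames | Format-Table   # reports only the second event

# Against a live DC, feed real 4781 events by projecting the XML event data
# into the same field names (assumed layout, see lead-in):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4781 } |
#     ForEach-Object {
#         $x = [xml]$_.ToXml(); $d = @{ TimeCreated = $_.TimeCreated }
#         foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
#         [pscustomobject]$d
#     } | Find-SuspiciousRenames
```

The check is deliberately narrow: it does not try to decide whether the new name matches a domain controller, because the attack only needs the dollar sign to be absent and a benign rename should never produce that transition. Correlating the subject with event 4741 (computer account created) tells you whether the same low-privileged user also created the account under the machine account quota.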
Even though this attack abuses a feature of the Kerberos constrained delegation extensions (S4U2Self), adding all privileged accounts to the Protected Users group or marking them as sensitive and not allowed for delegation would not mitigate the risk, because these security checks only affect S4U2Proxy.
Although this attack requires write privileges to the sAMAccountName attribute of an account that has at least one Service Principal Name (SPN), by default all authenticated users can create up to ten new computer accounts in the domain, allowing them to “bring their own computer account” and exploit this vulnerability.
Note that the Authenticated Users group includes foreign users from other forests with an appropriate trust relationship, which means that, in the default configuration, attackers can create a computer account in a trusting forest and run the attack in that forest as well, breaking another security boundary.
How to Mitigate CVE-2021-42278 and CVE-2021-42287
To prevent attacks that exploit CVE-2021-42278 and CVE-2021-42287, I strongly recommend three actions:
- Immediately install the fixes (CVE-2021-42278 and CVE-2021-42287)
- Change the value of the ms-DS-MachineAccountQuota attribute to zero
- Apply the principle of least privilege to the assignment of the “Add workstations to domain” user right (SeMachineAccountPrivilege)
This course of action will help prevent the unauthorized creation of computer accounts and raise the bar for executing this attack, along with several other attacks that require a computer account or an account with an SPN.
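The three steps above can be audited and applied from a single script. What follows is an added PowerShell example written for this page, not tooling from Semperis or from Microsoft's own guidance; it assumes the ActiveDirectory RSAT module is available, that the account running it holds Domain Admin rights for the write step, and that the SeMachineAccountPrivilege check is run on a domain controller (secedit exports the effective policy of the machine it runs on). The patch-state check only counts updates installed on or after the November 9, 2021 release date because the KB number differs per Windows Server version.

```powershell
# Added example (not from the original post): audit and apply the three
# mitigations. Assumes the ActiveDirectory RSAT module and Domain Admin rights.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Step 1. Patch state: list updates installed on each DC on or after the
#         November 2021 Patch Tuesday (KB ids vary per OS, so check by date).
function Get-DcPatchState {
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $recent = Get-HotFix -ComputerName $dc.HostName |
                  Where-Object { $_.InstalledOn -ge [datetime]'2021-11-09' }
        [pscustomobject]@{ DC = $dc.HostName; UpdatesSince2021_11_09 = @($recent).Count }
    }
}

# Step 2. ms-DS-MachineAccountQuota lives on the domain NC head. Default is
#         10; 0 stops ordinary authenticated users creating computer accounts.
function Get-MachineAccountQuota {
    (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}
function Set-MachineAccountQuotaToZero {
    Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
}

# Step 3. SeMachineAccountPrivilege ("Add workstations to domain") is set in
#         the Default Domain Controllers Policy. The default grantee is
#         *S-1-5-11 (Authenticated Users); least privilege means assigning a
#         dedicated group instead via GPMC > User Rights Assignment.
function Get-AddWorkstationsRight {
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $tmp -Pattern '^SeMachineAccountPrivilege' | Select-Object -First 1
    Remove-Item $tmp -ErrorAction SilentlyContinue
    if ($line) { ($line.Line -split '=', 2)[1].Trim() } else { '(not set on this host)' }
}

# Follow-up checks. Accounts created under the quota by a non-admin carry
# mS-DS-CreatorSID (the creator's SID), so these are the ones to review
# before and after tightening the quota.
function Get-UserCreatedComputers {
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID |
        Select-Object Name, @{ n = 'CreatorSID'; e = {
            [System.Security.Principal.SecurityIdentifier]::new($_.'mS-DS-CreatorSID', 0) } }
}

# Any computer object whose sAMAccountName does not end in "$" deserves a
# look, since the update now enforces the trailing dollar sign.
function Get-ComputersWithoutTrailingDollar {
    Get-ADComputer -LDAPFilter '(!(sAMAccountName=*$))' | Select-Object Name, SamAccountName
}

# Usage:
Get-DcPatchState | Format-Table
"ms-DS-MachineAccountQuota before: $(Get-MachineAccountQuota)"
Set-MachineAccountQuotaToZero
"ms-DS-MachineAccountQuota after:  $(Get-MachineAccountQuota)"
"SeMachineAccountPrivilege = $(Get-AddWorkstationsRight)"
Get-UserCreatedComputers | Format-Table
Get-ComputersWithoutTrailingDollar | Format-Table
```

Setting the quota to zero does not remove the "Add workstations to domain" right, and the right alone lets a principal create an unlimited number of computer accounts, which is why step 3 is listed separately: the quota only limits principals who hold no explicit create-child permission on the Computers container.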
The article 3 Steps to Mitigate Two Recent Active Directory Domain Service Privilege Escalation Security Flaws appeared first on Semperis.
*** This is a syndicated Security Bloggers Network blog from Semperis and written by Elad Shamir. Read the original post at: https://www.semperis.com/blog/mitigating-active-directory-domain-service-privilege-escalation-security-flaws/