On the November 2021 Patch Tuesday, Microsoft released patches for two Active Directory vulnerabilities that, chained together, can be exploited to gain administrative privileges in the domain. Microsoft explained that combining the vulnerabilities creates a straightforward path to a Domain Admin in an Active Directory environment: first compromise a regular user in the domain, then elevate that user's privileges to admin.
Proof-of-concept exploit code for the two vulnerabilities, CVE-2021-42278 and CVE-2021-42287, has been publicly available for over a week, and the flaws are likely to be exploited if the patches are not applied promptly. This week Microsoft urged customers to prioritize these patches and published a guide that customers can use to identify attempts by threat actors to exploit the flaws.
The first vulnerability, CVE-2021-42278, is a security bypass flaw that lets an attacker spoof a computer account's sAMAccountName in order to impersonate a domain controller. sAMAccountName is the logon name used to support clients and servers running earlier versions of Windows, such as Windows 95, Windows 98, and LAN Manager.
A computer account's sAMAccountName normally ends with a $, which is what distinguishes computer objects from user objects. By default, any authenticated domain user can create machine accounts (the ms-DS-MachineAccountQuota attribute allows ten per user) and, as the owner of those accounts, can edit their sAMAccountName attribute. Before the patch, the domain controller did not verify that the new value kept its trailing $, so a normal user could rename a machine account they own to the name of a domain controller without the $.
The second vulnerability, CVE-2021-42287, is a security bypass issue in the Kerberos Privilege Attribute Certificate (PAC) that can also be exploited to impersonate a domain controller. When exploited, it causes the Key Distribution Center (KDC) to issue service tickets with higher privileges than those of the requesting domain account.
“For example, if there is a domain controller with a SAM account name of DC1$, an attacker may create a new machine account and rename its SAM account name to DC1, request a TGT, rename it again for a different name, and request a TGS ticket, presenting the TGT he has in hands,” explained Microsoft. “When processing the TGS request, the KDC will fail its lookup for the requestor machine DC1 the attacker had created. Therefore, the KDC will perform another lookup appending a trailing $. The lookup will succeed. As a result, the KDC will issue the ticket using the privileges of DC1$.”
The guide issued by Microsoft explains how to identify signs of exploitation and detect compromised servers using a Defender for Identity advanced hunting query that flags abnormal device name changes: computer objects whose sAMAccountName loses its trailing $, and renames that involve a domain controller's name.
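The following is an added example, not code from the article or from Microsoft. It re-implements, in Python over a constructed list of rename events, the logic the article attributes to the Defender for Identity hunting query (a computer object renamed to a value without the trailing $, or a rename involving a domain controller's name), and adds the trailing-$ validation that patched domain controllers apply to computer objects. The event record shape, the DC names and the sample events are assumptions made for this example; the rename sequence in the samples mirrors the attack steps in Microsoft's quote above.

```python
"""Detect sAMAccountName renames matching the CVE-2021-42278 spoofing pattern.

Added example, not code from the article or from Microsoft. Event field names,
the DC list and the sample records are assumptions made for this example.
"""
from dataclasses import dataclass

# Assumption: domain controllers of a hypothetical lab domain.
DOMAIN_CONTROLLERS = {"DC1$", "DC2$"}


@dataclass(frozen=True)
class SamRenameEvent:
    """One 'SAM Account Name changed' event (record shape assumed here)."""
    timestamp: str
    actor: str       # account that performed the rename
    target_dn: str   # distinguishedName of the renamed object
    from_sam: str
    to_sam: str


def is_computer_name(sam: str) -> bool:
    """Computer objects carry a trailing '$' in sAMAccountName."""
    return sam.endswith("$")


def bare(sam: str) -> str:
    """Name without the trailing '$', case-folded: 'DC1' and 'dc1$' both become 'dc1'.

    The KDC fallback quoted in the article retries a failed lookup with '$'
    appended, so DC1 and DC1$ must be treated as the same name by the detector.
    """
    return sam.rstrip("$").casefold()


def validate_computer_sam(new_sam: str) -> bool:
    """The check a patched DC enforces: a computer sAMAccountName must end in '$'."""
    return len(new_sam) > 1 and is_computer_name(new_sam)


def rename_findings(ev: SamRenameEvent, dcs: set[str]) -> list[str]:
    """Return the reasons this rename looks like spoofing; an empty list means benign."""
    findings = []
    # Rule 1: a computer object dropped its '$' (the CVE-2021-42278 primitive).
    if is_computer_name(ev.from_sam) and not is_computer_name(ev.to_sam):
        findings.append("computer account renamed without trailing '$'")
    dc_bare = {bare(d) for d in dcs}
    # Rule 2: the new name collides with a DC name, with or without the '$'.
    if bare(ev.to_sam) in dc_bare:
        findings.append(f"new name {ev.to_sam!r} matches a domain controller")
    # Rule 3: the old name was a DC name: either a real DC was renamed, or the
    # attacker is renaming the fake 'DC1' back after obtaining the TGT.
    if bare(ev.from_sam) in dc_bare:
        findings.append(f"old name {ev.from_sam!r} matches a domain controller")
    return findings


def scan(events, dcs=DOMAIN_CONTROLLERS):
    """Return [(event, findings)] for every event that triggers at least one rule."""
    hits = []
    for ev in events:
        findings = rename_findings(ev, dcs)
        if findings:
            hits.append((ev, findings))
    return hits


# Constructed sample events: two benign renames, the two renames of the
# attack sequence quoted above, and a rename of a real DC.
SAMPLE_EVENTS = [
    SamRenameEvent("2021-12-01T09:00:00Z", "helpdesk", "CN=John Doe,CN=Users,DC=lab,DC=local", "jdoe", "john.doe"),
    SamRenameEvent("2021-12-01T09:05:00Z", "helpdesk", "CN=WS01,CN=Computers,DC=lab,DC=local", "WS01$", "WS02$"),
    SamRenameEvent("2021-12-01T10:00:00Z", "lowpriv", "CN=FAKE-PC,CN=Computers,DC=lab,DC=local", "FAKE-PC$", "DC1"),
    SamRenameEvent("2021-12-01T10:00:05Z", "lowpriv", "CN=FAKE-PC,CN=Computers,DC=lab,DC=local", "DC1", "FAKE-PC$"),
    SamRenameEvent("2021-12-01T11:00:00Z", "svc-admin", "CN=DC1,OU=Domain Controllers,DC=lab,DC=local", "DC1$", "DC1-OLD$"),
]

if __name__ == "__main__":
    for ev, findings in scan(SAMPLE_EVENTS):
        print(f"{ev.timestamp} {ev.actor:<10} {ev.from_sam} -> {ev.to_sam}: {'; '.join(findings)}")
```

Run against the samples, the two helpdesk renames are silent and the three remaining events are reported. In a real environment the same three rules can be applied to the "SAM Account Name changed" events Defender for Identity records in IdentityDirectoryEvents, with the DC set taken from the domain rather than hard-coded; rule 3 is what catches the second rename of the attack, when the attacker restores a harmless name after the TGT has been issued.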