3 Steps to Mitigating Two Recent Active Directory Domain Service Privilege Escalation Security Flaws

By Elad Shamir December 23, 2021 | Active Directory

After releasing security patches for two Active Directory vulnerabilities during the November 2021 Patch Tuesday, Microsoft urged customers on December 20 to apply the patches immediately to prevent attackers from taking over Windows domains. In addition to patching, organizations can increase their defenses against attacks by executing a couple of actions that will help prevent unauthorized creation of accounts that could lead to escalation of privileges and an attack.

Looking behind the scenes of CVE-2021-42278 and CVE-2021-42287

On November 9th, 2021, Microsoft released four CVEs related to security issues in Active Directory and attributed them to Andrew Bartlett. The common theme for three of these security updates seems to involve validating the uniqueness of certain attributes of AD objects and verifying that no wires cross when issuing Kerberos tickets, leading to the issuance of tickets for the wrong principal or to the wrong service.

While many in the infosec community speculated that exploitation of these issues would involve unreliable race conditions or other edge cases, security researchers Charlie Clark and Ceri Coburn published an article demonstrating how CVE-2021-42278 can be abused to escalate privileges reliably, under default settings, in any domain/forest, and even across forest trusts in specific configurations.

Prior to this security update, there was no enforcement requiring the sAMAccountName attribute of computer/service accounts to end with a dollar sign ($), allowing for the existence of accounts with a name identical to that of privileged accounts, such as a domain controller's account, except for the trailing dollar sign.

Charlie and Ceri found that an attacker could request a Kerberos Ticket Granting Ticket (TGT) for an account with a sAMAccountName identical to that of a domain controller (excluding the trailing dollar sign) and then change the sAMAccountName attribute of that account. The attacker’s TGT would still be valid, despite the change to the account's sAMAccountName attribute.

Now the attacker could call the S4U2Self Kerberos extension to obtain a Kerberos Service Ticket for any arbitrary user, including privileged users—such as members of the Domain Admins group—to the service associated with the attacker’s TGT. The domain controller would attempt to issue the ticket to a service associated with the account name on the TGT without the dollar sign. When the domain controller fails to find that account because its sAMAccountName attribute has changed, it would search for a service associated with the name on the TGT with a trailing dollar sign and find the domain controller’s account. As a result, the domain controller would reliably issue a ticket for the privileged user to the domain controller and send it to the attacker.

Even though a feature of the Kerberos constrained delegation extension is abused in this attack (S4U2Self), adding all privileged accounts to the Protected Users group or setting them as sensitive for delegation would not mitigate the risk because these security controls only affect S4U2Proxy.

While this attack requires write privileges to the sAMAccountName attribute of an account that has at least one Service Principal Name (SPN), by default, all Authenticated Users can create up to ten new computer accounts in the domain, allowing them to “bring their own computer account” and exploit this vulnerability.

Note that the Authenticated Users group includes foreign users from other forests with an appropriate trust relationship, which means that—under the default configuration—attackers can create a computer account in a trusting forest and execute the attack in that forest as well, breaking another security boundary.

How to mitigate CVE-2021-42278 and CVE-2021-42287

To prevent attacks that exploit CVE-2021-42278 and CVE-2021-42287, I highly recommend three action items:

  1. Immediately install the patches (CVE-2021-42278 and CVE-2021-42287)
  2. Change the value of the ms-DS-MachineAccountQuota attribute to zero
  3. Apply the Principle of Least Privilege to the user rights assignment labeled “Add workstations to the domain” (SeMachineAccountPrivilege)

This action plan will help prevent unauthorized creation of computer accounts and raise the bar for executing this attack, as well as several other attacks that require a computer account or an account that has an SPN.
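The following PowerShell script is an added example, not part of the original post and not Semperis tooling. It audits and applies mitigation steps 2 and 3 from the list above and adds two audit queries for the pre-patch exposure. It assumes the RSAT ActiveDirectory module is installed, that it runs on (or against) a domain controller, and that the account running it may modify the domain naming context; the `secedit` export only reflects the effective local policy on the machine where it runs. The use of `ms-DS-CreatorSID` to spot quota-created computer accounts is a standard attribute behaviour, not something the post describes.

```powershell
# Added example (not from the original post): audit and harden the
# ms-DS-MachineAccountQuota / SeMachineAccountPrivilege exposure that
# CVE-2021-42278 / CVE-2021-42287 build on.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$quotaAttr = 'ms-DS-MachineAccountQuota'

# --- Step 2: machine account quota (default is 10) -----------------------
$current = (Get-ADObject -Identity $domainDN -Properties $quotaAttr).$quotaAttr
Write-Host "[$($domain.DNSRoot)] $quotaAttr is currently: $current"

if ($current -ne 0) {
    # -WhatIf previews the change; remove it once you have confirmed the value.
    Set-ADDomain -Identity $domainDN -Replace @{ $quotaAttr = '0' } -WhatIf
}

# --- Audit 1: computer accounts created via the quota by non-admins ---------
# When a regular user consumes the quota, AD stamps ms-DS-CreatorSID on the
# new computer object. Admin-created accounts do not carry this attribute.
$quotaCreated = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
    -Properties 'ms-DS-CreatorSID', whenCreated |
    Select-Object Name, whenCreated,
        @{ n = 'CreatorSID'; e = { (New-Object System.Security.Principal.SecurityIdentifier($_.'ms-DS-CreatorSID', 0)).Value } }
Write-Host "Computer accounts created through the quota: $($quotaCreated.Count)"
$quotaCreated | Format-Table -AutoSize

# --- Audit 2: computer accounts whose sAMAccountName lacks the trailing $ ---
# The patch enforces the trailing $ for new values; pre-existing objects that
# were renamed before patching remain and are worth reviewing.
$noDollar = Get-ADComputer -LDAPFilter '(!(sAMAccountName=*$))' `
    -Properties sAMAccountName, whenCreated, whenChanged |
    Select-Object sAMAccountName, DistinguishedName, whenCreated, whenChanged
Write-Host "Computer accounts without a trailing `$ in sAMAccountName: $($noDollar.Count)"
$noDollar | Format-Table -AutoSize

# --- Step 3: who holds "Add workstations to the domain" on this DC ---------
# Exported from the effective local security policy. A line such as
#   SeMachineAccountPrivilege = *S-1-5-11
# means Authenticated Users (S-1-5-11) still hold the right; narrow it in the
# Default Domain Controllers Policy to the group that actually joins machines.
$cfg = Join-Path $env:TEMP 'secpol-export.cfg'
secedit /export /cfg $cfg | Out-Null
Select-String -Path $cfg -Pattern '^SeMachineAccountPrivilege' |
    ForEach-Object { Write-Host $_.Line }
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Setting the quota to zero stops unprivileged quota-based creation but does not touch accounts that already exist; that is why the two audit queries are there. Granting SeMachineAccountPrivilege to a dedicated join group, or using delegated create-child rights on a specific OU, closes the remaining path by which Authenticated Users (including users from trusting forests) can bring their own computer account.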


About the author
Elad Shamir, Semperis Director of Breach Preparedness and Response, is a seasoned information security professional with extensive experience in planning and executing red team operations and other offensive security services. He was previously a senior consultant with SpecterOps.