Microsoft is urging Active Directory administrators to apply November patches for a pair of tricky domain service privilege escalation vulnerabilities after a proof-of-concept tool leveraging them was publicly disclosed.
According to the company, an attacker can combine the two bugs (CVE-2021-42287 and CVE-2021-42278) to “create a straightforward path to a Domain Admin user in an Active Directory (AD) environment” that has not yet applied the updates.
That escalation attack gives hackers the ability to elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain, the tech giant says.
CVE-2021-42278: SAM Name Impersonation
According to Microsoft, this bug allows attackers to impersonate a domain controller using computer account sAMAccountName spoofing.
Internally, Active Directory uses several naming schemes for a given object, such as userPrincipalName (UPN), and sAMAccountName (SAM-Account).
To find this in Active Directory Users and Computers, click “view,” navigate to “advanced features” and open the properties of an object. Then, click the “Attribute Editor” tab and scroll down to sAMAccountName.
For computers, those name attributes usually end with “$” to help distinguish between user objects and computer objects. However, there are no restrictions or validations for changing that attribute to include or not include the “$”.
“With default settings, when the relevant patch is not applied, a normal user has permission to modify a machine account (up to 10 machines) and as its owner, they also have the permissions to edit its sAMAccountName attribute,” Microsoft says.
CVE-2021-42287: KDC bamboozling
This bug allows a potential attacker to impersonate domain controllers. When combined with the one discussed above, an attacker who holds ordinary domain credentials can use them to obtain access as a domain admin user.
According to Microsoft, “When performing an authentication using Kerberos, Ticket-Granting-Ticket (TGT) and the following Ticket-Granting-Service (TGS) are being requested from the Key Distribution Center (KDC). In case a TGS was requested for an account that could not be found, the KDC will attempt to search it again with a trailing $.”
This means an attacker can take a domain controller with a SAM account name of DC1$, create a new machine account, rename its SAM account name to DC1, request a TGT for it, rename the account again, and then request a TGS ticket while presenting the TGT that was issued.
“When processing the TGS request, the KDC will fail its lookup for the requestor machine DC1 the attacker had created. Therefore, the KDC will perform another lookup appending a trailing $. The lookup will succeed. As a result, the KDC will issue the ticket using the privileges of DC1$.”
Microsoft also released a step-by-step guide to identify potentially compromised computers via Microsoft 365 Defender’s Advanced Hunting feature:
The sAMAccountName change detection is based on Windows event 4662. Make sure auditing for it is enabled on the domain controllers so that such activity is captured. Learn more about how to do that here.
IdentityDirectoryEvents
| where Timestamp > ago(1d)
| where ActionType == "SAM Account Name changed"
| extend FROMSAM = parse_json(AdditionalFields)['FROM SAM Account Name']
| extend TOSAM = parse_json(AdditionalFields)['TO SAM Account Name']
| where (FROMSAM has "$" and TOSAM !has "$")
    or TOSAM in ("DC1", "DC2", "DC3", "DC4") // DC Names in the org
| project Timestamp, Application, ActionType, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields
- Replace the marked area with the naming convention of your domain controllers
- Run the query and analyze the results, which contain the affected devices. If the machine accounts were newly created, you can use Windows event 4741 to find who created them.
- We recommend investigating these potentially compromised computers and determining that they haven’t been weaponized.
- Make sure to update the devices with the following KBs: KB5008102, KB5008380, KB5008602
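As an added illustration (not Microsoft's code or query), the same matching logic as the Advanced Hunting query above, replayed offline in Python over constructed events shaped like IdentityDirectoryEvents rows. DC_NAMES, the fixed "now", and the sample rows are assumptions; the name check is deliberately case-insensitive, which is slightly broader than the query's case-sensitive `in`.

```python
import json
from datetime import datetime, timedelta, timezone

# Hypothetical domain controller sAMAccountNames (without the trailing "$"),
# standing in for the "DC Names in the org" placeholder in the KQL query.
DC_NAMES = {"DC1", "DC2"}

NOW = datetime(2021, 12, 13, 12, 0, tzinfo=timezone.utc)  # constructed "now"

# Constructed events in the IdentityDirectoryEvents shape; not real telemetry.
SAMPLE_EVENTS = [
    {"Timestamp": "2021-12-13T11:05:00Z", "ActionType": "SAM Account Name changed",
     "TargetDeviceName": "DC1.corp.example", "ReportId": 1,
     "AdditionalFields": json.dumps({"FROM SAM Account Name": "WS-LAB01$",
                                     "TO SAM Account Name": "DC1"})},
    {"Timestamp": "2021-12-13T11:06:00Z", "ActionType": "SAM Account Name changed",
     "TargetDeviceName": "DC1.corp.example", "ReportId": 2,
     "AdditionalFields": json.dumps({"FROM SAM Account Name": "LAPTOP07$",
                                     "TO SAM Account Name": "LAPTOP07-OLD$"})},
    {"Timestamp": "2021-12-10T09:00:00Z", "ActionType": "SAM Account Name changed",
     "TargetDeviceName": "DC2.corp.example", "ReportId": 3,  # outside the 1d window
     "AdditionalFields": json.dumps({"FROM SAM Account Name": "SRV02$",
                                     "TO SAM Account Name": "SRV02"})},
    {"Timestamp": "2021-12-13T10:00:00Z", "ActionType": "Account password changed",
     "TargetDeviceName": "DC1.corp.example", "ReportId": 4, "AdditionalFields": "{}"},
]


def suspicious_sam_renames(events, dc_names, now=NOW, window=timedelta(days=1)):
    """Return events matching the query: a computer account losing its '$' or
    being renamed to a domain controller's name within the lookback window."""
    hits = []
    for ev in events:
        ts = datetime.fromisoformat(ev["Timestamp"].replace("Z", "+00:00"))
        if ts <= now - window or ev["ActionType"] != "SAM Account Name changed":
            continue  # same filters as "Timestamp > ago(1d)" and the ActionType clause
        fields = json.loads(ev["AdditionalFields"])
        from_sam = fields.get("FROM SAM Account Name", "")
        to_sam = fields.get("TO SAM Account Name", "")
        dollar_dropped = "$" in from_sam and "$" not in to_sam
        # KQL 'in' is case-sensitive; matching case-insensitively here is broader on purpose.
        dc_collision = to_sam.upper() in {n.upper() for n in dc_names}
        if dollar_dropped or dc_collision:
            hits.append({"Timestamp": ev["Timestamp"], "TargetDeviceName": ev["TargetDeviceName"],
                         "FROMSAM": from_sam, "TOSAM": to_sam, "ReportId": ev["ReportId"],
                         "reason": "dollar_dropped" if dollar_dropped else "dc_name"})
    return hits
```

Each hit carries the same projected fields as the query, plus a reason so an analyst can see which clause fired.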