It’s been a busy week in cybersecurity. Beyond the far-reaching Apache server log4J vulnerability and subsequent log4shell exploits, there is another very serious series of two vulnerabilities that must be discussed and addressed immediately.
At Cymulate, we’ve been steadfastly tracking two Microsoft vulnerabilities, CVE-2021-42287 & CVE-2021-42278, since they were announced a month ago. They’re found in every Windows Server release, and when exploited together in a SAMAccountName spoofing and escalation attack, allow un-elevated users within a domain to spoof and get Active Directory domain administration rights.
Watch for The Exploits!
What makes this especially scary is that we are tracking multiple proof of concept exploits on this across GitHub and various hacking blog sites. We’ve even seen a YouTube video demonstrating a successful proof of concept exploit.
How it’s Accomplished
How does it work? Frightfully, it appears too easy.
- Regular, unelevated user on a domain simply makes a Kerberos service ticket request to a vulnerable Active Directory server. The vulnerable Active Directory server replies with a standard Kerberos service ticket for the user.
- Then, the user faking a domain admin requests a second Kerberos service ticket as that admin. The two vulnerabilities together are the key – the first does not verify the account name and the second allows the escalation of privileges. The vulnerable Active Directory server then simply grants this second Kerberos service ticket with admin rights.
- Now, that user has full control of the Active Directory domain and can do any number of things.
Some have called the PoC exploits “Weaponization of CVE-2021-42287 & CVE-2021-42278” and others have given it the name “Invoke-nopac Active Directory Attack” after the way the user requests the Kerberos service tickets.
Critical Patching Information
The two vulnerabilities CVE-2021-42287 & CVE-2021-42278 have been announced, and patches were released. It is imperative to implement these as quickly as possible.
- KB5008380—Authentication updates (CVE-2021-42287):
How Can Cymulate Help?
For customers and prospects interested in finding out if their Active Directory servers are vulnerable, Cymulate has added to its Extended Security Management Platform a purple team scenario to test your Active Directory controllers to see if they are susceptible.
You can find them under the Purple Team Scenario resources as CVE-2021-42287/CVE-2021-42278 Exploiter in the Cymulate interface.