Microsoft is urging customers to patch two security vulnerabilities in Active Directory domain controllers, which it addressed in November, following the availability of a proof-of-concept (PoC) tool on December 12.
The two vulnerabilities, tracked as CVE-2021-42278 and CVE-2021-42287, have a severity rating of 7.5 out of a maximum of 10 and concern a privilege escalation flaw affecting the Active Directory Domain Services (AD DS) component. Andrew Bartlett of Catalyst IT is credited with discovering and reporting both bugs.
Active Directory is a directory service that runs on Microsoft Windows Server and is used for identity and access management. Although the tech giant marked the shortcomings as “Exploitation Less Likely” in its assessment, the public disclosure of the PoC has prompted renewed calls for applying the fixes to mitigate any potential exploitation by threat actors.
While CVE-2021-42278 enables an attacker to tamper with the SAM-Account-Name attribute, which is used to log a user into systems in the Active Directory domain, CVE-2021-42287 makes it possible to impersonate the domain controllers. This effectively allows a bad actor with domain user credentials to gain access as a domain admin user.
“When combining these two vulnerabilities, an attacker can create a straightforward path to a Domain Admin user in an Active Directory environment that hasn’t applied these new updates,” Microsoft’s senior product manager Daniel Naim said. “This escalation attack allows attackers to easily elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain.”
The Redmond-based company has also provided a step-by-step guide to help users ascertain if the vulnerabilities might have been exploited in their environments. “As always, we strongly advise deploying the latest patches on the domain controllers as soon as possible,” Microsoft said.