1:15pm, 11 November 2021
TLP Rating:
Critical vulnerability in Windows’ Kerberos protocol
A critical vulnerability in Microsoft Windows’ Kerberos protocols (CVE-2021-42282, CVE-2021-42278, CVE-2021-42291) could lead to full domain compromise from an authenticated unprivileged account.
CERT NZ has been made aware of a working proof of concept for this vulnerability, and we would like to acknowledge the work of Andrew Bartlett from the Catalyst IT team in Wellington.
Microsoft has released patches for this vulnerability in the November 2021 Patch Tuesday.
What's happening
Systems affected
All Active Directory (AD) domains that have Kerberos authentication protocol enabled.
What this means
Exploitation of this vulnerability could lead to an unprivileged account gaining full AD domain controller rights, and potentially full compromise of the AD database.
What to look for
How to tell if you're at risk
If you have not applied the patches from Microsoft November 2021 Patch Tuesday.
What to do
Prevention
CERT NZ recommends to patch all AD servers immediately.
Mitigation
Change the default attribute ms-DS-MachineAccountQuota from 10 to 0.
This attribute change will mitigate an unprivileged user account’s ability to exploit this vulnerability.
More information
Microsoft release notes 2021 Nov External Link
November 2021 Patch Tuesday fixes 55 security flaws including :
Microsoft Exchange Server Remote Code Execution Vulnerability External Link
Microsoft Excel Security Feature Bypass Vulnerability External Link
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
Report an incident to CERT NZ External Link
For media enquiries, email our media desk at media@mbie.govt.nz or call the MBIE media team on 027 442 2141.