Critical vulnerability in Windows’ Kerberos protocol
A critical vulnerability in Microsoft Windows’ Kerberos protocols (CVE-2021-42282, CVE-2021-42278, CVE-2021-42291) could lead to full domain compromise from an authenticated unprivileged account.
CERT NZ has been made aware of a working proof of concept for this vulnerability, and we would like to acknowledge the work of Andrew Bartlett from the Catalyst IT team in Wellington.
Microsoft has released patches for this vulnerability in the November 2021 Patch Tuesday.
All Active Directory (AD) domains that have Kerberos authentication protocol enabled.
What this means
Exploitation of this vulnerability could lead to an unprivileged account gaining full AD domain controller rights, and potentially full compromise of the AD database.
What to look for
How to tell if you're at risk
If you have not applied the patches from Microsoft November 2021 Patch Tuesday.
What to do
CERT NZ recommends to patch all AD servers immediately.
Change the default attribute ms-DS-MachineAccountQuota from 10 to 0.
This attribute change will mitigate an unprivileged user account’s ability to exploit this vulnerability.
November 2021 Patch Tuesday fixes 55 security flaws including :
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at firstname.lastname@example.org or call the MBIE media team on 027 442 2141.