UNEXPECTED SECURITY FLAW FOUND IN ACTIVE DIRECTORY
written byShashidhar CN
Follow these steps after running the November and May Microsoft updates to fully address Active Directory vulnerabilities.
If you are as old as I am, you remember when you first had to deal with domains and Active Directory (AD). Even if you aren’t as old as I am, you still probably must deal with domains and Active Directory. If you are just starting out at a new firm, you probably know only Azure Active Directory as your building block. The reality for the rest of us is that we must patch and maintain AD.
Active Directory has been in the security news again for yet another vulnerability that may need more actions than merely patching to properly protect your network from future attacks. The May 10, 2022, security updates include several patches relating to certificates.
CVE-2022-26925 Windows LSA Spoofing vulnerability
CVE-2022-26931 Windows Kerberos Elevation of Privilege Vulnerability
CVE-2022-26923 Active Directory Domain Services Elevation of Privilege Vulnerability
CVE-2022-26923 is particularly worrisome as it allows attackers to go from user to domain admin in mere minutes. To see the actual attack sequence in action, use this site to analyze the impact of the CVE-2022-26923 patch on your network.
Based on the severity of the misconfiguration, CVE-2022-26923 could allow any low-privileged user on the AD domain to escalate their privilege to that of an enterprise domain admin with just a few clicks. As Will Dormanof CERT noted, it works quite well on a default AD configuration by going from normal user to domain admin in a few steps. Oliver Lyak and Eran Nachshon provide more details in two separate blog posts. This patch does not block all potential methods of attack, only the attack sequence using ESC6.
Additional steps needed after the May cumulative update
Prior to updating with the May cumulative update, check that the AltSecurityIdenties value in the krbtgt account has nothing set in it. To view this, go into “Active Directory Users and Computers”, click on “View advanced features”, select “Users”, and find the disabled krbtgt account. It’s normal that the acocunt is disabled. Next select “Properties”, click on “Attribute editor”, and ensure that no value is set in the AltSecurityIdenties section. This is not something done normally but probably would have been set incorrectly. If there is a value there, your domain controller will reboot with a crash.
Next, change the value of the MSDS-MachineAccountQuota attribute to “0”. For many years in AD, Microsoft wanted to make it easy to add a computer to the domain and allowed mere users to do so. The ability to do this and trigger the requesting of certificates as a result is one of the methods that attackers use to abuse the certificate flaw. In “Active Directory Users and Computers”, open the properties of the domain and select the “Attribute editor”. Then double-click on ms-DS-MachineAccountQuota. Modify the value. The number represents the number of computers that you want users to be able to add to the domain. It’s now highly recommended to change this value to “0”.
If these recommendations vaguely sound familiar, it’s because they were also recommended back in November when we were patching another set of Active Directory flaws leveraging the same sort of vulnerabilities. It appears that Microsoft reintroduced the same sort of flaw that is being patched by CVE-2022-26925 that orginally patched in CVE-2021-42278and CVE-2021-42287 in November.
Finally, review the recommendations in KB5005413, enable EPA, and disable HTTP on Active Directory Certificate Services (AD CS) servers for certificate authority web enrollment.
Beware of authentication issues after May updates
When you go to apply the May updates be aware that some firms’ configurations might see authentication issues after the update as CISA explained:
“After installing May 10, 2022, rollup update on domain controllers, organizations might experience authentication failures on the server or client for services, such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). Microsoft notified CISA of this issue, which is related to how the mapping of certificates to machine accounts is being handled by the domain controller.”
The May cumulative updates also included two additional fixes for certificate-based authentication that require additional actions. As Microsoft notes: “CVE-2022-26931 and CVE-2022-26923 address an elevation of privilege vulnerability that can occur when the Kerberos Distribution Center (KDC) is servicing a certificate-based authentication request. Before the May 10, 2022, security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name. This allowed related certificates to be emulated (spoofed) in various ways. Additionally, conflicts between User Principal Names (UPN) and sAMAccountName introduced other emulation (spoofing) vulnerabilities that we also address with this security update.”
The May update will introduce audit events that will help you identify which identity certificates will fail after May 9, 2023. Devices are in “compatability mode” at this time, but if the certificates are not strongly mapped by May of 2023, authentication will be denied.
Microsoft released an out of band update to fix the authentication issues introduced by the May releases.
Additional steps for November Active Directory patches
n November 2021 Microsoft issued a patch for a similar AD issue. Patches for CVE-2021-42278 and CVE-2021-42287 fixed issues for which “the common theme for these security updates seems to involve validating the uniqueness of certain attributes of AD objects and verifying that no wires cross when issuing Kerberos tickets, leading to the issuance of tickets for the wrong principal or to the wrong service.”
Microsoft recommends taking three actions to better protect yourself from such attacks that exploit CVE-2021-42278 and CVE-2021-42287 as well as the current CVE-2022-26925:
Install the updates, specifically the patches from November – and when you can after testing – for the May vulnerabilities noted in CVE-42287, CVE-422278 (included in the November updates if you have not installed them already) and for CVE-2022-26925 (included in the May updates).