The two vulnerabilities, tracked as CVE-2021-42278 and CVE-2021-42287, carry a severity rating of 7.5 out of a maximum of 10 and are privilege escalation flaws affecting the Active Directory Domain Services (AD DS) component. Andrew Bartlett of Catalyst IT is credited with discovering and reporting both bugs.
Active Directory is a directory service that runs on Microsoft Windows Server and is used for identity and access management. Although the tech giant marked the shortcomings as “less exploitable” in its assessment, the public availability of the PoC prompted renewed calls to apply the fixes and mitigate any potential exploitation by threat actors.
While CVE-2021-42278 allows an attacker to spoof the SAM-Account-Name attribute, which is used to log users into systems in an Active Directory domain, CVE-2021-42287 makes it possible to impersonate a domain controller. Together, they effectively allow a bad actor holding ordinary domain user credentials to gain access as a domain admin user.
“Combining these two vulnerabilities, an attacker could simply create a path to a Domain Administrator user in an Active Directory environment that has not yet applied these new updates,” said Microsoft Senior Product Manager Daniel Naim. “This attack escalation allows attackers to easily elevate their privileges to Domain Administrator privileges after they compromise a regular user in the domain.”
The Redmond-based company also provided step-by-step guidance to help users determine whether the vulnerabilities might have been exploited in their environment. “As always, we strongly recommend that you deploy the latest patches on your domain controllers as soon as possible,” Microsoft said.
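As an added illustration of the kind of check Microsoft's guidance points to (example code written for this page, not Microsoft's tooling or anything from the article), the following Python scan flags computer accounts whose SAM-Account-Name was changed from a name ending in `$` to one without it, which is the pattern the CVE-2021-42278 spoofing relies on. Windows Security event 4742 ("A computer account was changed") is a real event ID, but the flat `key=value` lines below are a constructed, simplified rendition of its fields for the example; the optional list of domain controller names is likewise an assumed input the operator supplies.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Windows Security event ID "A computer account was changed"; its
# Changed Attributes section records the new SAM Account Name.
EVENT_COMPUTER_ACCOUNT_CHANGED = 4742

# Constructed sample records (not real log output): a flat key=value
# rendition of the relevant 4742 fields, one event per line.
# "-" is the value Windows shows for an attribute that did not change.
SAMPLE_EVENTS = """\
EventID=4742 Subject=CORP\\jdoe Target=WS-ATTK01$ OldSam=WS-ATTK01$ NewSam=DC01
EventID=4742 Subject=CORP\\svc-sccm Target=LAB-PC07$ OldSam=LAB-PC07$ NewSam=LAB-PC08$
EventID=4742 Subject=CORP\\jdoe Target=DC01 OldSam=DC01 NewSam=WS-ATTK01$
EventID=4738 Subject=CORP\\admin Target=jdoe OldSam=jdoe NewSam=john.doe
EventID=4742 Subject=CORP\\svc-sccm Target=LAB-PC09$ OldSam=- NewSam=-
"""

_LINE_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+Subject=(?P<subject>\S+)\s+Target=(?P<target>\S+)"
    r"\s+OldSam=(?P<old>\S+)\s+NewSam=(?P<new>\S+)"
)


@dataclass
class Finding:
    severity: str   # "critical", "high" or "medium"
    subject: str    # account that performed the change
    old_sam: str
    new_sam: str
    reason: str


def parse_events(text: str) -> List[Dict[str, object]]:
    """Parse the constructed key=value lines into event dictionaries."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        events.append({
            "event_id": int(m["id"]),
            "subject": m["subject"],
            "target": m["target"],
            "old_sam": m["old"],
            "new_sam": m["new"],
        })
    return events


def detect_sam_spoofing(events: List[Dict[str, object]],
                        dc_names: Iterable[str] = ()) -> List[Finding]:
    """Flag computer-account renames that drop (or later restore) the trailing '$'.

    dc_names is an assumed operator-supplied list of domain controller
    hostnames; a rename onto one of them is reported as critical.
    """
    dcs = {n.rstrip("$").upper() for n in dc_names}
    findings: List[Finding] = []
    for ev in events:
        if ev["event_id"] != EVENT_COMPUTER_ACCOUNT_CHANGED:
            continue
        old, new = str(ev["old_sam"]), str(ev["new_sam"])
        if "-" in (old, new) or old == new:
            continue  # no SAM name change recorded in this event
        subject = str(ev["subject"])
        if old.endswith("$") and not new.endswith("$"):
            if new.upper() in dcs:
                findings.append(Finding("critical", subject, old, new,
                                        "computer account renamed to a domain controller's name"))
            else:
                findings.append(Finding("high", subject, old, new,
                                        "computer account renamed without trailing $"))
        elif not old.endswith("$") and new.endswith("$"):
            findings.append(Finding("medium", subject, old, new,
                                    "trailing $ restored after a rename (possible cleanup)"))
    return findings


if __name__ == "__main__":
    for f in detect_sam_spoofing(parse_events(SAMPLE_EVENTS), dc_names=["DC01$"]):
        print(f"[{f.severity}] {f.subject}: {f.old_sam} -> {f.new_sam} ({f.reason})")
```

The two flagged lines in the sample correspond to the rename onto a domain controller's name and the later restoration of the `$` suffix; renames that keep the `$` (an ordinary workstation rename) and events for user accounts (4738) are ignored. In a real deployment the same rule would be applied to events collected from every domain controller, and the domain controller list would come from the directory rather than a hard-coded value.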