Microsoft is urging customers to apply the fixes it released in November for two security vulnerabilities in Active Directory domain controllers, after a proof-of-concept (PoC) tool became available on December 12.
Both vulnerabilities – tracked as CVE-2021-42278 and CVE-2021-42287 – have a severity rating of 7.5 out of a maximum of 10 and relate to a privilege escalation flaw affecting the Active Directory Domain Services (AD DS). Andrew Bartlett of Catalyst IT is credited with discovering and reporting both bugs.
Active Directory is a directory service that runs on Microsoft Windows Server and is used for identity and access management. Although the tech giant labeled the shortcomings as “less likely exploitation” in its assessment, the public disclosure of the PoC has prompted renewed calls for the patches to be applied to mitigate any potential exploitation by threat actors.
While CVE-2021-42278 allows an attacker to tamper with the SAM-Account-Name attribute, which is used to log a user into systems in the Active Directory domain, CVE-2021-42287 allows impersonating domain controllers. Combined, the two flaws effectively allow a bad actor with domain user credentials to gain access as a domain admin user.
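
An added example, not taken from Microsoft's guide or from the original article: one way to hunt for the SAM-Account-Name tampering described above. It relies on the convention that computer accounts carry a trailing "$" in that attribute, so a rename that drops it deserves review. It assumes account-rename events (Windows Security event ID 4781) were exported as JSON lines with an `EventID` key; the export layout, sample events and all account names are constructed.

```python
import json

# Constructed sample: account-rename events (Security event ID 4781) exported
# from a domain controller as JSON lines. All names are made up.
SAMPLE_LOG = """\
{"EventID": 4781, "TimeCreated": "2021-12-13T09:14:02Z", "OldTargetUserName": "WKS-0412$", "NewTargetUserName": "WKS-0412-OLD$", "SubjectUserName": "helpdesk1"}
{"EventID": 4781, "TimeCreated": "2021-12-13T10:02:51Z", "OldTargetUserName": "LAB-PC7$", "NewTargetUserName": "LAB-SRV1", "SubjectUserName": "jdoe"}
{"EventID": 4781, "TimeCreated": "2021-12-13T10:40:00Z", "OldTargetUserName": "asmith", "NewTargetUserName": "asmith-jones", "SubjectUserName": "hr-sync"}
{"EventID": 4624, "TimeCreated": "2021-12-13T10:41:10Z", "TargetUserName": "jdoe"}
not-json debris from a truncated export
"""

RENAME_EVENT_ID = 4781  # "The name of an account was changed"


def is_machine_name(sam):
    """Computer accounts conventionally end their SAM-Account-Name with '$'."""
    return isinstance(sam, str) and sam.endswith("$")


def find_suspicious_renames(log_text):
    """Return rename events where a computer account lost its trailing '$'."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged lines instead of aborting the hunt
        if not isinstance(event, dict) or event.get("EventID") != RENAME_EVENT_ID:
            continue
        old = event.get("OldTargetUserName")
        new = event.get("NewTargetUserName")
        # Ordinary user renames and machine renames that keep '$' are ignored.
        if is_machine_name(old) and not is_machine_name(new):
            findings.append({
                "line": line_no,
                "time": event.get("TimeCreated"),
                "old": old,
                "new": new,
                "changed_by": event.get("SubjectUserName"),
            })
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_renames(SAMPLE_LOG):
        print("REVIEW: {time} {changed_by} renamed {old} -> {new}".format(**hit))
```
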

“By combining these two vulnerabilities, an attacker can create a simple path to a domain administration user in an Active Directory environment that has not applied these new updates,” said Daniel Naim, senior product manager at Microsoft. “This escalation attack allows attackers to easily elevate their privilege to that of a domain administrator once they have compromised a regular domain user.”
The Redmond-based company also provided a step-by-step guide to help users determine whether the vulnerabilities may have been exploited in their environments. “As always, we strongly recommend that you deploy the latest patches to domain controllers as soon as possible,” Microsoft said.