CVE-2022-21857 Active Directory Domain Services Elevation of Privilege Vulnerability.

A remote code execution vulnerability exists in the way that AD DS authenticates user identity. A remote attacker can exploit this vulnerability to take control of an affected system.

In order to exploit this vulnerability, the attacker must be able to log into the system and run a script in a privileged context. The attacker must also know the password of an affected user.

The update addresses the vulnerability by improving the way that AD DS authenticates user identity.

A remote code execution vulnerability exists in Active Directory Domain Services that can result in Domain-level privilege escalation. Successfully exploiting this vulnerability results in the attacker gaining the same level of privilege as the logged-on user.

In order to exploit this vulnerability, the attacker must be able to log into the system and run a script in a privileged context. The attacker must also know the password of an affected user.

The update addresses the vulnerability by adding a prompt for password change before a Domain-level administrator can be logged into the system.

All users are advised to apply this update as soon as possible.

Exploiting this vulnerability requires that user credentials be available to the attacker.

Workarounds

Usage of the AD FS REST API to manage a domain and forest

This update addresses the vulnerability by improving the way that AD FS manages Active Directory Domain Services.

To exploit this vulnerability, an attacker must be able to log into the system and run a script in a privileged context. The attacker must also know the password of an affected user.

Exploiting this vulnerability requires that user credentials be available to the attacker.

All users are advised to apply this update as soon as possible.

CVE-2019-11812

A remote code execution vulnerability exists in the way that Exchange Server parses specially crafted messages. Successfully exploiting this vulnerability can result in an attacker executing a script in the context of the logged-on user.

In order to exploit this vulnerability, the attacker must be able to log into the system and run a script in a privileged context. The attacker must also know the password of an affected user.

The update addresses the vulnerability by improving the way that Exchange Server parses specially crafted messages to prevent an attacker from abusing it.

All users are advised to apply this update as soon as possible.

CVE-2023-21858

A remote code execution vulnerability exists in the way that AD DS authenticates user identity. A remote attacker can exploit this vulnerability to take control of an affected system.

In order to exploit this vulnerability, the attacker must be able to log into the system and run a script in a privileged context. The attacker must also know the password of an affected user.

The update addresses the vulnerability by improving the way that AD DS authenticates user identity.

Disable NTLMv2

The vulnerability is not mitigated by disabling NTLMv2.

Workaround: AD DC FS bypass with netdom-dnsapi.exe

1. Restart the server in Directory Services Restore Mode (DSRM) with the following command: "net start dsrm"
2. Change the computer account password on the local server with this command: "Netdom trust "CN=Domain Controller,CN=Users,DC=example,DC=com" /password:"
