A remote code execution vulnerability exists in the way that Active Directory Domain Services (AD DS) authenticates user identity. An attacker who successfully exploits it can take control of the affected system.

To exploit this vulnerability, the attacker must already be able to log on to the system and run a script in a privileged context, and must know the password of an affected user. It is therefore not exploitable by an unauthenticated remote attacker.

The update addresses the vulnerability by improving the way that AD DS authenticates user identity.

A remote code execution vulnerability exists in Active Directory Domain Services. Successful exploitation gives the attacker the same level of privilege as the logged-on user; when that user is a domain-level administrator, the result is domain-level privilege escalation.

The same preconditions apply: the attacker must be able to log on to the system, run a script in a privileged context, and know the password of an affected user.

The update addresses the vulnerability by requiring a password change before a domain-level administrator account can log on to the system.

All users are advised to apply this update as soon as possible.

Exploitation requires that valid user credentials be available to the attacker.

Workarounds

Impact of workaround

Once applied, this update prevents logon to a domain-level administrator account until that account's password has been changed. This applies equally to the legitimate administrator and to an attacker holding the administrator's current password: neither can log on to the account with the old credential. Administrators should therefore expect a forced password change on the first domain-level administrator logon after the update is installed.
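The forced password change described above can be audited, and applied ahead of the update, for every member of Domain Admins. The following script is an added example and is not part of the advisory or of the vendor's update. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host, an account with rights to read and modify the affected users, and a 90-day cutoff that is an arbitrary value chosen for illustration.

```powershell
# Added example, not from the advisory: audit Domain Admins members' password
# age and (optionally) force a change at next logon, which is the effect the
# update imposes on domain-level administrator accounts.
# Assumptions: ActiveDirectory module available; caller can read/modify the
# accounts; the 90-day cutoff is an arbitrary choice for illustration.
param(
    [datetime]$Cutoff = (Get-Date).AddDays(-90),
    [switch]$Enforce
)
Import-Module ActiveDirectory

# Resolve Domain Admins by its well-known RID (512) rather than by display
# name, so the script also works in localized domains.
$domainAdmins = "$((Get-ADDomain).DomainSID.Value)-512"

$members = Get-ADGroupMember -Identity $domainAdmins -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordLastSet, pwdLastSet, PasswordNeverExpires, Enabled

foreach ($u in $members) {
    # pwdLastSet = 0 means "User must change password at next logon" is already set.
    $mustChange = ($u.pwdLastSet -eq 0)
    $stale      = (-not $mustChange) -and ($u.PasswordLastSet -lt $Cutoff)

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        PasswordLastSet      = $u.PasswordLastSet
        PasswordNeverExpires = $u.PasswordNeverExpires
        MustChangeAtLogon    = $mustChange
        StaleBeforeCutoff    = $stale
    }

    if ($Enforce -and $stale -and $u.Enabled) {
        # AD refuses ChangePasswordAtLogon while PasswordNeverExpires is set,
        # so clear that flag first.
        if ($u.PasswordNeverExpires) {
            Set-ADUser -Identity $u -PasswordNeverExpires $false
        }
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
    }
}
```

Run it without -Enforce first to review the report; rerun with -Enforce to set "User must change password at next logon" on the stale, enabled accounts. Service accounts that are (wrongly) members of Domain Admins will break at their next logon if forced this way, which is exactly the kind of membership the report is meant to surface.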

Mitigation Strategies:

- Run the management operating system on a hardened host.
- Apply this update promptly after release, before attackers have time to target unpatched systems.
- Keep all systems current with the latest security patches; attackers routinely target vulnerabilities that remain unpatched after a fix is public.

Deployment Recommendations

Patch your systems as soon as possible.

Make sure that domain controllers running Windows Server 2008 (x86 or x64) have the latest updates installed. Windows Server 2008 and 2008 R2 left extended support in January 2020, so domain controllers still on these releases should be migrated to a supported Windows Server version rather than only patched.

Keep Kerberos pre-authentication enabled on Windows Server 2008 and Windows Server 2003 domain controllers and for every account. Disabling it does not mitigate this issue and weakens the domain: an account with "Do not require Kerberos preauthentication" set lets anyone request an AS-REP for it and crack the account's password offline.
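A deployment check matching the three recommendations above, written as an added example that is not part of the advisory: it lists each domain controller with its OS version, reports whether a given update is installed, and finds accounts with Kerberos pre-authentication switched off. It assumes the ActiveDirectory module and remote WMI (DCOM) access to the domain controllers for Get-HotFix; the KB identifier is a required parameter because the advisory does not name one.

```powershell
# Added example, not from the advisory: inventory domain controllers, confirm
# a given update is present on each, and list accounts that do not require
# Kerberos pre-authentication.
# Assumptions: ActiveDirectory module; Get-HotFix can reach each DC over WMI;
# $KB is supplied by the operator from the vendor bulletin (placeholder here).
param(
    [Parameter(Mandatory)][string]$KB   # e.g. 'KB1234567' (placeholder, not from the advisory)
)
Import-Module ActiveDirectory

# 1. Domain controllers and their operating system versions
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, OperatingSystemVersion, IsReadOnly

foreach ($dc in $dcs) {
    $installed = $false
    try {
        # Get-HotFix writes an error when the KB is absent or the host is
        # unreachable; treat both as "not confirmed installed".
        $installed = [bool](Get-HotFix -Id $KB -ComputerName $dc.HostName -ErrorAction Stop)
    } catch {
        $installed = $false
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        OS               = $dc.OperatingSystem
        OSVersion        = $dc.OperatingSystemVersion
        ReadOnly         = $dc.IsReadOnly
        UpdateInstalled  = $installed
    }
}

# 2. Accounts with "Do not require Kerberos preauthentication" set
#    (userAccountControl bit 0x400000 = 4194304). Such accounts hand out an
#    AS-REP to any requester and are exposed to offline password cracking, so
#    pre-authentication should stay enabled on every account.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' `
    -Properties DoesNotRequirePreAuth, Enabled |
    Select-Object SamAccountName, Enabled, DoesNotRequirePreAuth

# Re-enable pre-authentication on one such account:
#   Set-ADAccountControl -Identity <SamAccountName> -DoesNotRequirePreAuth $false
```

Any domain controller reported with UpdateInstalled = False, and any account returned by the second query, is an open item to resolve before the deployment is considered complete.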

CVE-2023-38044

Run-As Authentication bypass

Systems that are configured to run as a standard user are not affected if both of the following conditions are met:

- The domain functional level is at least Windows Server 2008 R2 (the server release corresponding to the "Windows 7" level named here; Windows 7 itself is a client operating system, not a domain functional level).
- The system is not running Windows Server 2008 R2.

Systems that require run-as authentication can apply one of the following workarounds:

- Run-As Group Policy. The Group Policy infrastructure in Active Directory supports run-as groups and users; these settings let administrators restrict logon attempts by specifying which users and groups may use run-as.
- Create a Run-As account. A dedicated account or group subject to a strict password-complexity setting can be used to provide access while maintaining security. This workaround must be applied together with other controls such as strong passwords and two-factor authentication.
- Add the user's credentials to an LDAP server. This workaround lets run-as authentication look up credential information for every user in Active Directory without requiring the password to be entered each time. It does not protect against malicious scripts or password brute-force attacks, but it does ensure that users cannot automatically resume their own logged-on sessions after another administrator has completed administrative tasks.
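One concrete way to implement the "Create a Run-As account" workaround, as an added example that is not part of the advisory: a dedicated administrative account is created, placed in its own group, and bound to a fine-grained password policy (Password Settings Object) that is stricter than the default domain policy. Fine-grained password policies need a domain functional level of Windows Server 2008 or higher. The account, group and policy names and the policy values are assumptions chosen for illustration, and using a fine-grained password policy as the mechanism is the editor's choice, not something the advisory specifies.

```powershell
# Added example, not from the advisory: dedicated run-as account with a
# stricter password policy than the Default Domain Policy.
# Assumptions: ActiveDirectory module; domain functional level >= 2008;
# all names and numeric values below are illustrative.
Import-Module ActiveDirectory

$runAsName  = 'adm-runas-jdoe'    # assumption: naming convention for run-as accounts
$groupName  = 'RunAs-Admins'      # assumption
$policyName = 'RunAs-Admin-PSO'   # assumption

# Initial secret is entered interactively, never embedded in the script.
$initial = Read-Host -AsSecureString -Prompt "Initial password for $runAsName"

New-ADUser -Name $runAsName -SamAccountName $runAsName `
    -AccountPassword $initial -Enabled $true `
    -ChangePasswordAtLogon $true `
    -Description 'Dedicated run-as account; not for mail, browsing or daily logon'

if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $groupName -Members $runAsName

# A PSO with a lower Precedence number wins over other PSOs; any PSO wins over
# the Default Domain Policy for the users and groups it is applied to.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 20 `
        -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName

# Confirm which policy the directory actually applies to the new account.
Get-ADUserResultantPasswordPolicy -Identity $runAsName |
    Select-Object Name, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

The resultant-policy query at the end is the check that matters: if it returns nothing, the account is still governed by the Default Domain Policy and the PSO has not taken effect (usually because the account is not yet a member of the subject group or the functional level is too low).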

Timeline

Published on: 10/11/2022 19:15:00 UTC
Last modified on: 10/12/2022 20:08:00 UTC

References