Summary
Our security partners are investigating multiple proof-of-concept exploits for CVE-2021-42287, a privilege escalation vulnerability associated with Active Directory Domain Services (AD DS). This vulnerability, combined with a Security Account Manager (SAM) spoofing security bypass vulnerability (CVE-2021-42278), is collectively referred to as noPac. NoPac can allow attackers to escalate to domain-level privileges from a standard user account.
Vulnerable versions:
- Impacts Windows Server versions 2008, 2008 R2, 2012, 2012 R2, 2016 (including versions 20H2 and 2004), 2019 and 2022
Recommendation(s):
Microsoft released patches for both CVE-2021-42287 and CVE-2021-42278 on November 9, 2021. Customers should prioritise applying those patches to Windows domain controllers in their environments. Additionally, customers can restrict users’ ability to register systems in a domain by modifying the default Active Directory configuration (as described in the Microsoft article “Active Directory: How to Prevent Authenticated Users from Joining Workstations to a Domain” listed in the references section).
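The following script is an added example, not part of this advisory or the referenced Microsoft article; it audits the Active Directory setting that the recommendation above refers to (the ms-DS-MachineAccountQuota attribute on the domain object, which by default lets any authenticated user join up to ten computers) and lists computer accounts that ordinary users created under that quota. It assumes the ActiveDirectory RSAT module on a domain-joined host and an account with permission to read the domain object (and to modify it if -Harden is used).

```powershell
<#
  Added example (not from the advisory). Audit the machine-account quota and
  list computer objects created by non-administrative users, then optionally
  set the quota to 0 as the referenced Technet article describes.
  Assumes: ActiveDirectory RSAT module, domain-joined host.
#>
param(
    [switch]$Harden
)

Import-Module ActiveDirectory -ErrorAction Stop

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# 1. Read the current quota. The default of 10 allows any authenticated user
#    to add computer accounts, which is the starting point of the noPac chain.
$quota = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

# 2. Computer objects created under the quota carry the creator's SID in the
#    mS-DS-CreatorSID attribute; accounts created by administrators normally
#    do not have it set, so its presence is worth reviewing.
$userCreated = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # creator account may have been deleted
        [pscustomobject]@{ Computer = $_.Name; CreatedBy = $creator; WhenCreated = $_.whenCreated }
    }

if ($userCreated) {
    Write-Host "Computer accounts created by non-administrative users (review these):"
    $userCreated | Sort-Object WhenCreated -Descending | Format-Table -AutoSize
} else {
    Write-Host "No computer accounts with mS-DS-CreatorSID found."
}

# 3. Optional hardening: a quota of 0 removes the default right of ordinary
#    users to join machines; delegate that right explicitly where it is needed.
if ($Harden -and $quota -ne 0) {
    Set-ADObject -Identity $dn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    Write-Host "ms-DS-MachineAccountQuota set to 0 on $($domain.DNSRoot)."
}
```

Setting the quota to 0 does not replace patching the domain controllers; it only closes the default path by which a standard user obtains a computer account to abuse.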
References:
- https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278
- https://social.technet.microsoft.com/wiki/contents/articles/5446.active-directory-how-to-prevent-authenticated-users-from-joining-workstations-to-a-domain.aspx
- https://github.com/cube0x0/noPac
- https://gist.github.com/S3cur3Th1sSh1t/0ed2fb0b5ae485b68cbc50e89581baa6
- https://github.com/ricardojba/Invoke-noPac
- https://github.com/Ridter/noPac
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-apds/1d1f2b0c-8e8a-4d2a-8665-508d04976f84
Questions:
If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk