Summary

Our security partners are investigating multiple proof-of-concept exploits for CVE-2021-42287, a privilege escalation vulnerability associated with Active Directory Domain Services (AD DS). This vulnerability combined with a Security Account Manager (SAM) spoofing security bypass vulnerability (CVE-2021-42278) are collectively referred to as noPac. NoPac can allow attackers to escalate to domain-level privileges from a standard user account.

Vulnerable versions :

• Impacts Windows Server Versions 2008, 2008 R2, 2012 2012R2, 2016 inc version 20H2+2004, 2019, 2022

Recommendation(s):  

Microsoft released patches for both CVE-2021-42287 and CVE-2021-42278 on November 9, 2021. Customers should prioritise applying those patches to Windows domain controllers in their environments. Additionally, customers can restrict users’ ability to register systems in a domain by modifying the default Active Directory configuration (as described in the Microsoft article “Active Directory: How to Prevent Authenticated Users from Joining Workstations to a Domain” listed in the references section).

References:

• https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278
• https://social.technet.microsoft.com/wiki/contents/articles/5446.active-directory-how-to-prevent-authenticated-users-from-joining-workstations-to-a-domain.aspx
• https://github.com/cube0x0/noPac
• https://gist.github.com/S3cur3Th1sSh1t/0ed2fb0b5ae485b68cbc50e89581baa6
• https://github.com/ricardojba/Invoke-noPac
• https://github.com/Ridter/noPac
• https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-apds/1d1f2b0c-8e8a-4d2a-8665-508d04976f84

Questions:

If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk