Fixing the latest Active Directory vulnerabilities is not enough

If you’re as old as me, you remember the first time you dealt with domains and Active Directory (AD). Even if you’re not as old as me, you probably have to deal with domains and Active Directory. If you’re just starting out in a new business, you’re probably only familiar with Azure Active Directory as your basic building block. The reality for the rest of us is that we need to patch and maintain AD.

Active Directory has made security news again for another vulnerability that may require more action than simple fixes to properly protect your network from future attacks. The May 10, 2022 security updates include several fixes related to certificates.

CVE-2022-26923 is particularly disturbing because it allows attackers to go from an ordinary user to a domain administrator in minutes. To see the actual attack sequence in action, and to analyze the impact of the CVE-2022-26923 patch on your network, see this site.

Depending on the severity of the misconfiguration, CVE-2022-26923 could allow any low-privileged user on the AD domain to elevate their privilege to that of a domain administrator with just a few clicks. As Will Dormann of CERT noted, it works quite well on a default AD setup, going from a normal user to a domain admin in a few steps. Oliver Lyak and Eran Nachshon provide more details in two separate blog posts. The fix does not block all potential attack methods, only the attack sequence using ESC6.

Additional Steps Needed After May Cumulative Update

Before installing the May Cumulative Update, verify that the altSecurityIdentities attribute on the krbtgt account is undefined. To view it, open “Active Directory Users and Computers”, enable “Advanced Features” from the View menu, select “Users” and find the krbtgt account. It is normal for this account to be disabled. Select “Properties”, click the “Attribute Editor” tab and make sure that no value is set for altSecurityIdentities. It is not something that is normally set, but it may have been defined incorrectly at some point. If there is a value, your domain controller will crash and restart after the update.

Next, set the ms-DS-MachineAccountQuota attribute to “0”. For many years Microsoft wanted to make it easy to add a computer to an AD domain and allowed ordinary users to do this. The ability to join a machine and then trigger a certificate request for it is one of the methods attackers use to abuse the certificate flaw. In “Active Directory Users and Computers”, open the domain’s properties and select the “Attribute Editor” tab, then double-click ms-DS-MachineAccountQuota and change the value. The number is how many computers you want users to be able to add to the domain; it is now strongly recommended to set it to “0”.
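The two pre-patch checks above (krbtgt altSecurityIdentities, then ms-DS-MachineAccountQuota) can be scripted. The following is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory RSAT module and an account that can read the krbtgt object and modify the domain head object. Without -Fix it only reports; with -Fix it sets the quota to 0.

```powershell
# Added example (not from the article): report krbtgt altSecurityIdentities and the
# ms-DS-MachineAccountQuota, and optionally set the quota to 0.
# Assumes: ActiveDirectory module, rights to read krbtgt and modify the domain head.
param([switch]$Fix)

Import-Module ActiveDirectory
$domain = Get-ADDomain

# 1. krbtgt must not carry an altSecurityIdentities value before the May CU is installed.
$krbtgt = Get-ADUser -Identity krbtgt -Properties altSecurityIdentities, Enabled
Write-Host "krbtgt enabled: $($krbtgt.Enabled) (disabled is normal)"
if ($krbtgt.altSecurityIdentities.Count -gt 0) {
    Write-Warning "krbtgt has altSecurityIdentities set; review and clear it before patching:"
    $krbtgt.altSecurityIdentities | ForEach-Object { Write-Warning "    $_" }
} else {
    Write-Host "OK: altSecurityIdentities on krbtgt is undefined."
}

# 2. Report ms-DS-MachineAccountQuota on the domain head and set it to 0 when asked.
$head  = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota = $head.'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota is currently: $quota"
if ($quota -ne 0) {
    if ($Fix) {
        Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
        $after = (Get-ADObject -Identity $domain.DistinguishedName `
                    -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
        Write-Host "ms-DS-MachineAccountQuota is now: $after"
    } else {
        Write-Warning "Quota is not 0; re-run with -Fix once you know who still needs to join machines."
    }
}
```

The quota only caps users who rely on the “Add workstations to domain” user right; accounts that have been granted Create Computer Object permission on an OU, or that are domain administrators, are unaffected by it, so setting it to 0 does not break delegated or administrator-driven joins.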

If these recommendations sound vaguely familiar, that’s because they were also made back in November, when we were patching another set of Active Directory flaws of the same kind. It seems that Microsoft has reintroduced the type of flaw, now fixed by CVE-2022-26925, that was originally fixed in November by CVE-2021-42278 and CVE-2021-42287.

Finally, review the recommendations in KB5005413: enable Extended Protection for Authentication (EPA) and disable HTTP on Active Directory Certificate Services (AD CS) servers used for CA web enrollment.

Beware of Authentication Issues After May Updates

When you apply the May updates, be aware that some environments may experience authentication issues afterwards, as CISA explains:

“After installing the May 10, 2022 Cumulative Update on domain controllers, organizations may experience server or client authentication failures for services, such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). Microsoft notified CISA of this issue, which is related to how the mapping of certificates to machine accounts is handled by the domain controller.”

The May Cumulative Updates also included two additional fixes for certificate-based authentication that require further action. As Microsoft notes: “CVE-2022-26931 and CVE-2022-26923 address an elevation of privilege vulnerability that can occur when the Kerberos Distribution Center (KDC) processes a certificate-based authentication request. Prior to the May 10, 2022 security update, certificate-based authentication ignored the dollar sign ($) at the end of a machine name. This allowed associated certificates to be emulated (spoofed) in various ways. Additionally, User Principal Name (UPN) and sAMAccountName conflicts introduced other emulation (spoofing) vulnerabilities that we are also addressing with this security update.”

The May update also introduces audit events to help identify certificates that will fail after May 9, 2023. Devices are currently in “compatibility mode”, but if certificates are not strongly mapped by May 2023, authentication will be denied.
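Collecting those audit events from every domain controller is the practical way to find certificates that will stop working when compatibility mode ends. The script below is an added example, not from the article; the event IDs are the ones Microsoft documents for these updates in KB5014754 (39 on Windows Server 2019 and later, 41 on older domain controllers, for a valid certificate that is not strongly mapped; 40 for a certificate issued before the account existed). It assumes the ActiveDirectory module and remote event-log access to the DCs.

```powershell
# Added example (not from the article): gather KDC weak-mapping audit events from all DCs.
# Event IDs 39/40/41 and the provider name are as documented in Microsoft KB5014754.
# Assumes: ActiveDirectory module and remote Event Log access to each DC.
Import-Module ActiveDirectory

$since  = (Get-Date).AddDays(-30)
$dcs    = (Get-ADDomainController -Filter *).HostName
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 39, 40, 41
    StartTime    = $since
}

$findings = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten EventData/Data into name=value pairs so the script does not depend
            # on the exact field layout of each event ID.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                DC      = $dc
                EventId = $_.Id
                Detail  = ($data.GetEnumerator() | Sort-Object Name |
                           ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
            }
        }
}

# One row per distinct certificate/account pair: these are the mappings to fix
# (re-issue the certificate or add an explicit altSecurityIdentities mapping)
# before the DCs leave compatibility mode.
$findings | Group-Object EventId, Detail |
    Select-Object Count,
                  @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time } },
                  Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize -Wrap
```

Run it periodically between now and the enforcement date; a pair that keeps reappearing is a service or device that has not yet been re-enrolled.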

Microsoft released an out-of-band update to resolve the authentication issues introduced by the May releases.

Additional Steps for November Active Directory Patches

In November 2021, Microsoft released a fix for a similar AD issue. The fixes for CVE-2021-42278 and CVE-2021-42287 addressed problems for which “the common theme of these security updates appears to involve validating the uniqueness of certain AD object attributes and verifying that no threads cross when issuing Kerberos tickets, leading to the ‘ticket issue for wrong principal or wrong department’.”

Microsoft recommends taking three steps to better protect against such attacks that exploit CVE-2021-42278 and CVE-2021-42287 as well as the current CVE-2022-26925:

  • Install updates: the November patches for CVE-2021-42287 and CVE-2021-42278 if you have not already installed them, and, when you can after testing, the May updates for CVE-2022-26925.
  • Modify the value of the MSDS-MachineAccountQuota attribute to “0”.
  • Apply the principle of least privilege to the user rights assignment titled “Add workstations to domain” (SeMachineAccountPrivilege).
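The third step is easy to overlook because the “Add workstations to domain” right is granted to Authenticated Users by the default domain controller policy. The script below is an added example, not from the article or Microsoft: it exports the effective user-rights assignment with secedit on the machine it runs on (so run it on a domain controller) and resolves the SIDs it finds for SeMachineAccountPrivilege. It assumes local administrator rights, which secedit requires.

```powershell
# Added example (not from the article): list who holds "Add workstations to domain"
# (SeMachineAccountPrivilege) as effective on this domain controller.
# Assumes: run on a DC with local administrator rights.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit.exe /export /cfg "$inf" /areas USER_RIGHTS | Out-Null

$match = Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege\s*=' | Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue

if (-not $match) {
    Write-Host "SeMachineAccountPrivilege is assigned to nobody on this host."
} else {
    # Right-hand side is a comma-separated list; SIDs are written with a leading '*'.
    $entries = ($match.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
    foreach ($entry in $entries) {
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '<unresolvable>' }
            $sidText = $sid.Value
        } else {
            $name    = $entry
            $sidText = ''
        }
        $note = ''
        # S-1-5-11 is the well-known SID for Authenticated Users, the out-of-box default here.
        if ($sidText -eq 'S-1-5-11') { $note = 'Authenticated Users: default assignment, far too broad' }
        [pscustomobject]@{ Principal = $name; Sid = $sidText; Note = $note }
    }
}
```

If Authenticated Users shows up, replace it in the Default Domain Controllers Policy with the specific group that performs joins, and keep the quota at 0 as a second control.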

Detection of CVE-2022-26923 with Microsoft Defender for Identity

The May CVE-2022-26923 Active Directory Domain Services Elevation of Privilege Vulnerability can be detected if you have Microsoft Defender for Identity. Microsoft added an alert to Microsoft Defender for Identity that fires when an attack is in progress. The alert is titled “Suspicious modification of a DnsHostName attribute (CVE-2022-26923 exploit)”. If you do not have a Microsoft Defender for Identity license, Microsoft recommends that you better protect yourself against this type of attack by following these steps:

  • Apply recent patches to all domain controller servers in your organization. You will need to test and review whether you are affected by the side effects.
  • Set the ms-DS-MachineAccountQuota attribute to “0” if possible, which makes the attack more complex for an attacker to exploit.
  • Adjust certificate template permissions and trust to suit your organization’s needs.
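Without Defender for Identity, the same signal the alert above is built on, a change to a computer object’s dNSHostName attribute, is available in the Security log of the domain controllers as event 5136 once “Audit Directory Service Changes” is enabled. The script below is an added example, not from the article or Microsoft, and goes a little beyond the article’s text by spelling out two triage rules: a new dNSHostName whose host label does not match the computer object’s own name, or that equals the name of a domain controller. It assumes the ActiveDirectory module, remote event-log access to the DCs, and that directory service change auditing is on.

```powershell
# Added example (not from the article): flag suspicious dNSHostName modifications
# from Security event 5136 (Directory Service Changes auditing must be enabled).
# Assumes: ActiveDirectory module and remote Event Log access to each DC.
Import-Module ActiveDirectory

$since   = (Get-Date).AddDays(-1)
$dcInfo  = Get-ADDomainController -Filter *
$dcs     = $dcInfo.HostName
$dcNames = $dcInfo.Name          # NetBIOS names, used for the "equals a DC" rule

$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc `
        -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $since } `
        -ErrorAction SilentlyContinue
}

$suspicious = foreach ($ev in $events) {
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Only "value added" (%%14674) writes of dNSHostName on computer objects are of interest.
    if ($data.ObjectClass -ne 'computer')              { continue }
    if ($data.AttributeLDAPDisplayName -ne 'dNSHostName') { continue }
    if ($data.OperationType -ne '%%14674')             { continue }

    # The object's own account name is the first RDN of ObjectDN (CN=HOST,OU=...).
    $cn        = (($data.ObjectDN -split ',', 2)[0]) -replace '^CN=', ''
    $newValue  = $data.AttributeValue
    $hostLabel = ($newValue -split '\.')[0]

    $reasons = @()
    if ($hostLabel -ne $cn)             { $reasons += 'dNSHostName does not match the computer name' }
    if ($dcNames -contains $hostLabel)  { $reasons += 'value equals a domain controller name' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Time     = $ev.TimeCreated
            DC       = $ev.MachineName
            Actor    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object   = $data.ObjectDN
            NewValue = $newValue
            Reason   = $reasons -join '; '
        }
    }
}

$suspicious | Sort-Object Time | Format-Table -AutoSize -Wrap
```

A legitimate computer rename also updates dNSHostName, so the first rule needs triage against change records; the second rule should be treated as an incident, and the Actor column tells you which account to contain first.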

Bottom line: Don’t just apply the patches and think you’re done. Take additional actions on your network to better protect your network.

Copyright © 2022 IDG Communications, Inc.
