If you are as old as I am, you remember when you first had to deal with domains and Active Directory (AD). Even if you aren’t as old as I am, you still probably must deal with domains and Active Directory. If you are just starting out at a new firm, you probably know only Azure Active Directory as your building block. The reality for the rest of us is that we must patch and maintain AD.
Active Directory has been in the security news again for yet another vulnerability that may need more actions than merely patching to properly protect your network from future attacks. The May 10, 2022, security updates include several patches relating to certificates.
CVE-2022-26923 is particularly worrisome as it allows attackers to go from user to domain admin in mere minutes. To see the actual attack sequence in action, use this site to analyze the impact of the CVE-2022-26923 patch on your network.
Based on the severity of the misconfiguration, CVE-2022-26923 could allow any low-privileged user on the AD domain to escalate their privilege to that of an enterprise domain admin with just a few clicks. As Will Dormann of CERT noted, it works quite well on a default AD configuration by going from normal user to domain admin in a few steps. Oliver Lyak and Eran Nachshon provide more details in two separate blog posts. This patch does not block all potential methods of attack, only the attack sequence using ESC6.
Additional steps needed after the May cumulative update
Prior to updating with the May cumulative update, check that the AltSecurityIdentities value in the krbtgt account has nothing set in it. To view this, go into “Active Directory Users and Computers”, click on “View advanced features”, select “Users”, and find the disabled krbtgt account. It’s normal that the account is disabled. Next select “Properties”, click on “Attribute editor”, and ensure that no value is set in the AltSecurityIdentities section. A value here is not something that is normally set; if one is present, it was probably set incorrectly. If there is a value there, your domain controller will reboot with a crash.
Next, change the value of the ms-DS-MachineAccountQuota attribute to “0”. For many years in AD, Microsoft wanted to make it easy to add a computer to the domain and allowed mere users to do so. The ability to do this and trigger the requesting of certificates as a result is one of the methods that attackers use to abuse the certificate flaw. In “Active Directory Users and Computers”, open the properties of the domain and select the “Attribute editor”. Then double-click on ms-DS-MachineAccountQuota and modify the value. The number represents the number of computers that you want users to be able to add to the domain. It’s now highly recommended to change this value to “0”.
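The two checks above can also be scripted from a management host. The following is an added example, not code from the original article or from Microsoft; it assumes the RSAT ActiveDirectory module, and the `-Remediate` switch and the review of ms-DS-CreatorSID (populated when a non-administrator created the machine account) are additions beyond the steps in the text.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Read-only by default; -Remediate sets the quota to 0.
param([switch]$Remediate)

$domain = Get-ADDomain

# 1. Pre-patch check: krbtgt must carry no altSecurityIdentities value.
$krbtgt = Get-ADUser -Identity krbtgt -Properties altSecurityIdentities
if ($krbtgt.altSecurityIdentities) {
    Write-Warning 'krbtgt has altSecurityIdentities set; clear it before installing the update:'
    $krbtgt.altSecurityIdentities | ForEach-Object { "  $_" }
} else {
    'krbtgt altSecurityIdentities: not set (OK)'
}

# 2. Current quota, stored on the domain head object.
$head  = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota = $head.'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota: $quota"

# 3. Machine accounts that ordinary users already joined under the quota,
#    listed newest first so they can be reviewed before the quota is lowered.
Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated |
    Select-Object Name, whenCreated, @{ n = 'CreatorSID'; e = { $_.'ms-DS-CreatorSID'.Value } } |
    Sort-Object whenCreated -Descending |
    Format-Table -AutoSize

# 4. Optional remediation: stop ordinary users from adding computers.
if ($Remediate -and $quota -ne 0) {
    Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    $after = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    "ms-DS-MachineAccountQuota is now: $after"
} elseif ($quota -ne 0) {
    Write-Warning 'Quota is above 0; re-run with -Remediate to set it to 0.'
}
```

Setting the quota to 0 does not affect accounts or groups that have been explicitly delegated the right to join computers to the domain.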
If these recommendations sound vaguely familiar, it’s because they were also recommended back in November when we were patching another set of Active Directory flaws leveraging the same sort of vulnerabilities. It appears that Microsoft reintroduced the same sort of flaw, now being patched by CVE-2022-26925, that was originally patched by CVE-2021-42278 and CVE-2021-42287 in November.
Finally, review the recommendations in KB5005413, enable EPA, and disable HTTP on Active Directory Certificate Services (AD CS) servers for certificate authority web enrollment.
Beware of authentication issues after May updates
When you apply the May updates, be aware that some firms’ configurations might see authentication issues after the update, as CISA explained:
“After installing May 10, 2022, rollup update on domain controllers, organizations might experience authentication failures on the server or client for services, such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). Microsoft notified CISA of this issue, which is related to how the mapping of certificates to machine accounts is being handled by the domain controller.”
The May cumulative updates also included two additional fixes for certificate-based authentication that require additional actions. As Microsoft notes: “CVE-2022-26931 and CVE-2022-26923 address an elevation of privilege vulnerability that can occur when the Kerberos Distribution Center (KDC) is servicing a certificate-based authentication request. Before the May 10, 2022, security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name. This allowed related certificates to be emulated (spoofed) in various ways. Additionally, conflicts between User Principal Names (UPN) and sAMAccountName introduced other emulation (spoofing) vulnerabilities that we also address with this security update.”
The May update will introduce audit events that will help you identify which identity certificates will fail after May 9, 2023. Devices are in “compatibility mode” at this time, but if the certificates are not strongly mapped by May of 2023, authentication will be denied.
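One way to collect those audit events from every domain controller, as an added example that is not from the original article or from Microsoft. It assumes the RSAT ActiveDirectory module and remote event log access, and it assumes the audit events are System log IDs 39, 40 and 41 from the KDC provider, as described in Microsoft's guidance for this change; the short meanings are summaries, not the event text.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Assumption: IDs 39/40/41 from the KDC provider are the
# certificate-mapping audit events; the meanings below are short summaries.
$meaning = @{
    39 = 'certificate has no strong mapping to the account'
    40 = 'certificate was issued before the account existed'
    41 = 'SID in the certificate does not match the account'
}
$since = (Get-Date).AddDays(-30)

$hits = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Other providers reuse these IDs in the System log (for example
        # Kernel-Power 41), so the provider name is filtered after the query.
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'System'; Id = 39, 40, 41; StartTime = $since
        } |
            Where-Object { $_.ProviderName -match 'Kerberos-Key-Distribution-Center|Kdcsvc' } |
            Select-Object @{ n = 'DC'; e = { $dc.HostName } }, TimeCreated, Id,
                @{ n = 'Meaning'; e = { $meaning[[int]$_.Id] } },
                @{ n = 'Detail';  e = { ($_.Message -split "`r?`n")[0] } }
    } catch {
        # Get-WinEvent throws when nothing matches; report real errors only.
        if ($_.FullyQualifiedErrorId -notmatch 'NoMatchingEventsFound') {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
    }
}

# Summary per DC and event ID, then the most recent events in full.
$hits | Group-Object DC, Id | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$hits | Sort-Object TimeCreated -Descending | Select-Object -First 20 | Format-List
```

Each hit names a certificate and account that would fail once strong mapping is enforced, so the list doubles as the work queue for reissuing or remapping certificates.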
Microsoft released an out-of-band update to fix the authentication issues introduced by the May releases.
Additional steps for November Active Directory patches
In November 2021 Microsoft issued a patch for a similar AD issue. Patches for CVE-2021-42278 and CVE-2021-42287 fixed issues for which “the common theme for these security updates seems to involve validating the uniqueness of certain attributes of AD objects and verifying that no wires cross when issuing Kerberos tickets, leading to the issuance of tickets for the wrong principal or to the wrong service.”
Microsoft recommends taking three actions to better protect yourself from such attacks that exploit CVE-2021-42278 and CVE-2021-42287 as well as the current CVE-2022-26925:
- Install the updates: the November patches for CVE-2021-42287 and CVE-2021-42278 (if you have not installed them already) and, when you can after testing, the May updates for CVE-2022-26925.
- Change the value of the ms-DS-MachineAccountQuota attribute to “0”.
- Apply the principle of least privilege to the user rights assignment labeled “Add workstations to the domain” (SeMachineAccountPrivilege).
Detecting CVE-2022-26923 with Microsoft Defender for Identity
Exploitation of CVE-2022-26923, the May Active Directory Domain Services Elevation of Privilege Vulnerability, can be detected if you have Microsoft Defender for Identity. Microsoft has added a setting to Microsoft Defender for Identity to send an alert when an attack is underway. The alert is titled “Suspicious modification of a DnsHostName attribute (CVE-2022-26923 exploitation).” If you don’t have Microsoft Defender for Identity licensing, Microsoft recommends that you better protect yourself from this sort of attack by following these steps:
- Apply the recent patches to all domain controller servers in your organization. You will need to test and review if you are impacted by the side effects.
- Set the ms-DS-MachineAccountQuota attribute to “0” if possible, making the attack more complex to exploit for an attacker.
- Adjust certificate template permissions and approval according to your organization’s needs.
Bottom line: Don’t just apply the patches and think you are done. Take additional actions on your network to better protect your network.
Copyright © 2022 IDG Communications, Inc.