Critical vulnerability in Windows’ Kerberos protocol

Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.


1:15pm, 11 November 2021

TLP Rating: Clear


A critical vulnerability in Microsoft Windows’ Kerberos protocols (CVE-2021-42282, CVE-2021-42278, CVE-2021-42291) could lead to full domain compromise from an authenticated unprivileged account.

CERT NZ has been made aware of a working proof of concept for this vulnerability, and we would like to acknowledge the work of Andrew Bartlett from the Catalyst IT team in Wellington.

Microsoft has released patches for this vulnerability in the November 2021 Patch Tuesday.

What's happening

Systems affected

All Active Directory (AD) domains with the Kerberos authentication protocol enabled.

What this means

Exploitation of this vulnerability could lead to an unprivileged account gaining full AD domain controller rights, and potentially full compromise of the AD database.


What to look for

How to tell if you're at risk

You are at risk if you have not applied the patches from Microsoft's November 2021 Patch Tuesday.

What to do

Prevention

CERT NZ recommends patching all AD servers immediately.

Mitigation

Change the default value of the domain attribute ms-DS-MachineAccountQuota from 10 to 0.

This attribute change mitigates an unprivileged user account's ability to exploit this vulnerability.
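An added PowerShell example (not from the CERT NZ advisory) that reads the current ms-DS-MachineAccountQuota, sets it to 0 as recommended above, and lists the computer accounts that were created under the quota by non-administrators so they can be reviewed. It assumes the RSAT ActiveDirectory module is installed and the session runs with Domain Admin rights; the function names are assumptions of this example.

```powershell
# Added example, not CERT NZ code. Assumes RSAT ActiveDirectory module and
# Domain Admin rights in the current session.
Import-Module ActiveDirectory

# The quota is stored on the domain naming-context object itself.
$domainDN = (Get-ADDomain).DistinguishedName

function Get-MachineAccountQuota {
    $obj = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
    return [int]$obj.'ms-DS-MachineAccountQuota'
}

function Set-MachineAccountQuotaToZero {
    # 0 removes the default ability of Authenticated Users to join
    # up to 10 machine accounts to the domain.
    Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }
}

function Get-QuotaCreatedComputers {
    # Computer objects created through the quota (rather than by an account
    # with explicit create rights) carry mS-DS-CreatorSID, the SID of the
    # user who created them. Review these: an unprivileged user controls them.
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
        ForEach-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
            $creator = $sid.Value
            try { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{
                Computer  = $_.Name
                CreatedBy = $creator
                Created   = $_.whenCreated
            }
        }
}

$before = Get-MachineAccountQuota
Write-Host "Current ms-DS-MachineAccountQuota: $before"
if ($before -ne 0) {
    Set-MachineAccountQuotaToZero
    Write-Host "ms-DS-MachineAccountQuota is now $(Get-MachineAccountQuota)"
}

Write-Host "Computer accounts created under the quota by non-administrators:"
Get-QuotaCreatedComputers | Format-Table -AutoSize
```

Setting the quota to 0 does not remove machine accounts that were already created under it, which is why the final listing is worth reviewing.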

More information

Microsoft release notes, November 2021


November 2021 Patch Tuesday fixes 55 security flaws, including:

Microsoft Exchange Server Remote Code Execution Vulnerability

Microsoft Excel Security Feature Bypass Vulnerability


If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384