Microsoft releases quality and security updates for its supported software on a regular schedule, but those updates only help if customers apply them promptly. Today the company issued an advisory about vulnerabilities it has already patched but which are now being actively exploited against systems that have not yet been updated.
Back in November, Microsoft tagged two vulnerabilities as CVE-2021-42287 and CVE-2021-42278, describing each as a "Windows Active Directory domain service privilege escalation vulnerability". Chained together, the issues allow an attacker who has compromised an ordinary domain user account to escalate to Domain Admin in Active Directory. Microsoft released three updates for immediate deployment on domain controllers:
- KB5008102: Active Directory Security Accounts Manager hardening changes (CVE-2021-42278)
- KB5008380: Authentication updates (CVE-2021-42287)
- KB5008602 (OS Build 17763.2305): out-of-band update
Although these updates have been available for weeks, a proof-of-concept tool that exploits the vulnerabilities was publicly disclosed on December 12. Malicious actors can use it to perform privilege escalation attacks against Active Directory by targeting domain controllers that have not been patched.
As such, Microsoft has now issued an advisory urging customers to patch applicable systems as soon as possible. In its technical blog post, the company also details how to detect indicators of compromise and includes Advanced Hunting queries for that purpose.
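Because the exploit only works against domain controllers that are missing the updates above, the first practical step is to find out which DCs still lack them. The following PowerShell is an added example written for this article, not code from Microsoft or from the advisory: it enumerates the domain controllers and reports, per DC, whether the three KB IDs named in the article are installed. The KB IDs and the 17763.2305 build come from the article; the function name, parameter names and the build-floor logic for Server 2019 are the author's own assumptions. It needs the ActiveDirectory RSAT module and administrative rights on the DCs.

```powershell
# Added example (not from the original article or from Microsoft).
# Assumptions: KB IDs and build 17763.2305 are taken from the article;
# Get-DcPatchStatus and its parameters are hypothetical names chosen here.
$RequiredKBs = @('KB5008102', 'KB5008380', 'KB5008602')

function Get-DcPatchStatus {
    param(
        [string[]]$KBs = $RequiredKBs,
        # KB5008602 corresponds to OS Build 17763.2305 (Windows Server 2019)
        [int]$MinimumUbr17763 = 2305
    )
    foreach ($dc in Get-ADDomainController -Filter *) {
        $name = $dc.HostName
        try {
            # Installed update IDs as reported by Win32_QuickFixEngineering
            $installed = Get-HotFix -ComputerName $name -ErrorAction Stop |
                         Select-Object -ExpandProperty HotFixID
            # Build number and Update Build Revision, read from the registry,
            # so a DC carrying a later cumulative update is still recognised
            $cv = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
                Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
                    Select-Object CurrentBuildNumber, UBR
            }
        } catch {
            [pscustomobject]@{
                DC = $name; Build = $null
                MissingKBs = "query failed: $($_.Exception.Message)"
                Status = 'Unknown'
            }
            continue
        }

        $missing = $KBs | Where-Object { $_ -notin $installed }
        $build   = "$($cv.CurrentBuildNumber).$($cv.UBR)"

        # Later cumulative updates supersede these KBs, so a fully patched DC may
        # not list them by ID. For Server 2019 (build 17763) the article gives a
        # build floor to compare against; for other builds the result is flagged
        # for a manual check against the current cumulative update.
        $status = if (-not $missing) {
                      'Patched'
                  } elseif ([int]$cv.CurrentBuildNumber -eq 17763 -and [int]$cv.UBR -ge $MinimumUbr17763) {
                      'Patched (superseded by later build)'
                  } else {
                      'CHECK'
                  }

        [pscustomobject]@{
            DC = $name; Build = $build
            MissingKBs = ($missing -join ', ')
            Status = $status
        }
    }
}

Get-DcPatchStatus | Sort-Object Status | Format-Table -AutoSize
```

Treat any DC reported as CHECK as unpatched until its build is confirmed against the current cumulative update for its OS version; the KB-ID check alone is not conclusive once later cumulative updates have been installed, which is why the script also reads the build revision.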