CVE-2021-42282
📋 TL;DR
CVE-2021-42282 is an Active Directory Domain Services privilege escalation vulnerability that allows authenticated attackers to gain domain administrator privileges. It affects Windows Server systems running Active Directory Domain Services. Attackers need valid domain credentials to exploit this vulnerability.
💻 Affected Systems
- Windows Server
📦 What is this software?
Windows Server by Microsoft; the affected component is the Active Directory Domain Services role, so the systems at risk are domain controllers.
⚠️ Risk & Real-World Impact
Worst Case
Complete domain compromise where attackers gain domain administrator privileges, allowing them to create new accounts, modify existing accounts, install backdoors, and access all domain resources.
Likely Case
Privilege escalation from standard domain user to domain administrator, enabling lateral movement and persistence within the network.
If Mitigated
Limited impact with proper network segmentation, privileged access management, and monitoring in place, though domain compromise remains possible.
🎯 Exploit Status
Exploitation requires valid domain credentials. Public exploit code is available and has been used in real attacks. The attack chain is well-documented and relatively simple to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: November 2021 security updates (KB5007205 for Windows Server 2019, KB5007206 for Windows Server 2022, etc.)
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42282
Restart Required: Yes
Instructions:
1. Apply the November 2021 security updates from Microsoft.
2. Restart affected domain controllers.
3. Verify all domain controllers are patched.
4. Consider applying the patch during maintenance windows, as restarts are required.
🔧 Temporary Workarounds
Restrict SAMR protocol access
Limit access to the SAMR protocol to reduce the attack surface:
- Configure Windows Firewall to block SAMR protocol (TCP 445) from non-essential systems. SAMR is carried over SMB named pipes on TCP 445, so such a rule also blocks other SMB traffic to the domain controllers; scope it to systems that do not need SMB access to them.
- Use Group Policy to restrict SAMR access.
🧯 If You Can't Patch
- Implement strict privileged access management and monitor for unusual account activity
- Segment domain controllers from regular user networks and implement network access controls
🔍 How to Verify
Check if Vulnerable:
Check if November 2021 security updates are installed on domain controllers. Unpatched systems are vulnerable.
Check Version:
wmic qfe list | findstr KB5007205 (adjust KB number for your OS version)
Verify Fix Applied:
Verify KB5007205 (Server 2019), KB5007206 (Server 2022), or equivalent November 2021 patches are installed and domain controllers have been restarted.
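The following PowerShell script is an added example (not part of the original advisory) that automates the two checks above across every domain controller in the current domain: whether the November 2021 update named on this page is installed, and whether the DC has restarted since it was installed. It assumes the ActiveDirectory module and remote CIM/WMI access to each DC; the KB-to-OS table covers only the two KBs the page lists, and the Get-HotFix call is used instead of wmic because wmic is deprecated on current Windows releases.

```powershell
# Added example, not from the original advisory. Maps each Windows Server version to the
# November 2021 KB listed on the page; add the KB for any other server version you run.
$KbByOs = @{
    'Windows Server 2019' = 'KB5007205'
    'Windows Server 2022' = 'KB5007206'
}

function Get-DcPatchStatus {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $name = $dc.HostName
        $os   = $dc.OperatingSystem
        $kb   = ($KbByOs.GetEnumerator() |
                    Where-Object { $os -like "*$($_.Key)*" } |
                    Select-Object -First 1).Value

        $status = [ordered]@{ DC = $name; OS = $os; KB = $kb; Installed = $false; RebootedSinceInstall = $null }

        if (-not $kb) {
            # Unknown OS build: the table must be extended before this DC can be judged.
            $status.KB = 'unknown: add this OS to $KbByOs'
            [pscustomobject]$status
            continue
        }

        # Get-HotFix returns nothing when the KB is absent. Note that a later cumulative
        # update supersedes the November 2021 one, so an absent KB on a DC that has a newer
        # cumulative update installed is not by itself proof of exposure; confirm against
        # the DC's update history in that case.
        $hotfix = Get-HotFix -ComputerName $name -Id $kb -ErrorAction SilentlyContinue
        if ($hotfix) {
            $status.Installed = $true
            # The fix is only active after a restart: the last boot must postdate the install.
            $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $name).LastBootUpTime
            $status.RebootedSinceInstall = ($lastBoot -gt $hotfix.InstalledOn)
        }
        [pscustomobject]$status
    }
}

Get-DcPatchStatus | Format-Table -AutoSize
```

A DC is fully remediated only when both Installed and RebootedSinceInstall are True; an Installed DC with RebootedSinceInstall False still has the restart step outstanding.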
📡 Detection & Monitoring
Log Indicators:
- Unusual SAMR protocol activity
- Account creation/modification by non-administrative users
- Privilege escalation attempts in security logs
Network Indicators:
- Unusual SAMR traffic patterns to domain controllers
- Multiple authentication attempts followed by privilege escalation
SIEM Query:
EventID=4720 OR EventID=4722 OR EventID=4724 from non-privileged accounts OR SAMR protocol anomalies
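As an added example (not part of the original page), the PowerShell function below turns the SIEM query above into a concrete query against a domain controller's Security log: it collects account creation (4720), account enabled (4722) and password reset (4724) events over a time window, extracts the acting account from each event's XML data, and reports the events whose subject is not a member of the domain's privileged groups. It assumes the ActiveDirectory module, read access to the DC's Security log, and that the listed groups are the ones authorised to manage accounts in your domain; adjust the group list to your environment.

```powershell
# Added example, not from the original advisory. Groups whose members are expected to create
# and modify accounts; extend this list to match your delegation model (assumption).
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'

# Resolve nested membership once so the per-event check is a simple lookup.
$privileged = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName
}
$privileged = @($privileged | Sort-Object -Unique)

function Find-UnprivilegedAccountChanges {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [int]$Hours = 24
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4720, 4722, 4724
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Subject (who acted) and Target (which account) are in the event's EventData XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Subject = $data['SubjectUserName']
                Target  = $data['TargetUserName']
                DC      = $ComputerName
            }
        } |
        Where-Object {
            # Computer accounts (names ending in $) and the privileged groups are expected
            # actors; any other account creating, enabling or resetting accounts is suspect.
            $_.Subject -notlike '*$' -and ($privileged -notcontains $_.Subject)
        }
}

Find-UnprivilegedAccountChanges -Hours 24 | Format-Table -AutoSize
```

Run it against each domain controller (or forward the Security logs to one collector first), because these events are recorded on the DC that processed the change, not replicated. A non-empty result is a lead for investigation, not a confirmed exploitation, since delegated help-desk accounts outside the listed groups will also appear; add those groups to the list rather than ignoring the hits.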