CVE-2021-42291

7.5 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers to elevate privileges in Active Directory Domain Services by exploiting improper access control. It affects Windows Server systems running Active Directory Domain Services, potentially enabling attackers to gain domain administrator privileges.

💻 Affected Systems

Products:
  • Windows Server
Versions: Windows Server 2019, Windows Server 2022, Windows Server 2016
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Active Directory Domain Services role installed and configured.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full domain administrator control, allowing them to create/delete accounts, modify security policies, access sensitive data, and persist across the entire domain.

🟠 Likely Case

Privilege escalation from standard domain user to domain administrator, enabling lateral movement and credential harvesting across the network.

🟢 If Mitigated

Limited impact with proper network segmentation, privileged access management, and monitoring in place, though domain compromise remains possible.

🌐 Internet-Facing: LOW - Requires authenticated access to domain controllers, which should not be internet-facing.
🏢 Internal Only: HIGH - Any authenticated domain user could potentially exploit this vulnerability from within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires domain user credentials and knowledge of specific Active Directory objects. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: November 2021 security updates (KB5007205 for Server 2019, KB5007206 for Server 2022, KB5007192 for Server 2016)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42291

Restart Required: Yes

Instructions:

1. Apply November 2021 security updates from Windows Update.
2. Restart affected domain controllers.
3. Verify patch installation via the 'systeminfo' command.

🔧 Temporary Workarounds

Restrict Active Directory object permissions (Windows)

Apply strict access controls to prevent unauthorized modifications to Active Directory objects.

Use Active Directory Administrative Center or PowerShell to review and restrict permissions on sensitive AD objects.

🧯 If You Can't Patch

  • Implement network segmentation to isolate domain controllers from general user networks
  • Enable enhanced auditing and monitoring for Active Directory object modifications

🔍 How to Verify

Check if Vulnerable:

Check whether the November 2021 security updates are installed via 'systeminfo | findstr /C:"KB5007205" /C:"KB5007206" /C:"KB5007192"' (do not use findstr /B here: systeminfo indents its Hotfix(s) entries, so a beginning-of-line match never finds a KB).

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

After the restart, run 'systeminfo' again and confirm that the appropriate KB appears in its Hotfix(s) list.
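The same check across all domain controllers, as an added PowerShell example that is not part of this advisory: it maps each DC's OS to the KB listed above and queries Get-HotFix. It assumes an elevated session with the ActiveDirectory RSAT module and remote CIM/WMI access to the DCs; the function name is hypothetical.

```powershell
# Added example (not from the advisory): expected November 2021 KB per OS, as listed on this page.
$ExpectedKB = @{
    'Windows Server 2016' = 'KB5007192'
    'Windows Server 2019' = 'KB5007205'
    'Windows Server 2022' = 'KB5007206'
}

function Test-CVE202142291Patch {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName
    # Match the page's version names against the OS caption,
    # e.g. "Microsoft Windows Server 2019 Standard".
    $key = $ExpectedKB.Keys | Where-Object { $os.Caption -like "*$_*" } | Select-Object -First 1
    if (-not $key) {
        return [pscustomobject]@{ Computer = $ComputerName; OS = $os.Caption
                                  ExpectedKB = $null; Installed = $false; Status = 'UNKNOWN-OS' }
    }
    $kb = $ExpectedKB[$key]

    # Get-HotFix reads the same installed-update list that systeminfo prints.
    # A later cumulative update supersedes this KB, so a miss means "check the
    # OS build against the vendor advisory", not necessarily "unpatched".
    $hit = Get-HotFix -ComputerName $ComputerName -Id $kb -ErrorAction SilentlyContinue
    $status = if ($hit) { 'PATCHED' } else { 'KB-NOT-FOUND' }

    [pscustomobject]@{
        Computer   = $ComputerName
        OS         = $os.Caption
        Build      = $os.Version
        ExpectedKB = $kb
        Installed  = [bool]$hit
        Status     = $status
    }
}

# Check every domain controller in the current domain.
Import-Module ActiveDirectory
Get-ADDomainController -Filter * |
    ForEach-Object { Test-CVE202142291Patch -ComputerName $_.HostName } |
    Format-Table -AutoSize
```

Any DC reporting KB-NOT-FOUND should have its Build column compared with the build the vendor advisory gives for the update before it is treated as unpatched.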

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4662 with object type 'DS-Replication-Get-Changes' or 'DS-Replication-Get-Changes-All'
  • Unusual modifications to Active Directory objects from non-privileged accounts

Network Indicators:

  • LDAP traffic patterns showing unusual replication requests
  • Authentication attempts followed by privilege escalation activities

SIEM Query:

source="windows" event_id=4662 (object_type="DS-Replication-Get-Changes" OR object_type="DS-Replication-Get-Changes-All") | stats count by user, src_ip
