Updated 03/20/2024 – Added LDS references
Summary
CVE-2021-42291 addresses a security bypass vulnerability that allows certain users to set arbitrary values on security-sensitive attributes of specific objects stored in Active Directory (AD) or Lightweight Directory Service (LDS). To exploit this vulnerability, a user must have sufficient privileges to create a computer derived object, such as a user granted CreateChild permissions for computer objects. That user could create a computer account using a Lightweight Directory Access Protocol (LDAP) Add call that allows overly permissive access to the securityDescriptor attribute. Additionally, creators and owners can modify security-sensitive attributes after creating an account. This can be leveraged to perform an elevation of privilege in certain scenarios.
Note LDS will log events 3050, 3053, 3051 and 3054 about the status of implicit access to objects, just like AD does.
Mitigations in CVE-2021-42291 consist of:
-
Additional authorization verification when users without domain or LDS administrator rights attempt an LDAP Add operation for a computer-derived object. This includes an Audit-By-Default mode that audits when such attempts occur without interfering with the request and an Enforcement mode that blocks such attempts.
-
Temporary removal of the Implicit Owner privileges when users without domain administrator rights attempt an LDAP Modify operation on the securityDescriptor attribute. A verification occurs to confirm if the user would be allowed to write the security descriptor without Implicit Owner privileges. This also includes an Audit-By-Default mode that audits when such attempts occur without interfering with the request and an Enforcement mode that blocks such attempts.
Take Action
To protect your environment and avoid outages, please complete the following steps:
-
Update all devices that host the Active Directory domain controller or LDS Server role by installing the latest Windows updates. DCs that have the November 9, 2021 or later updates will have the changes in Audit mode by default.
-
Monitor the Directory Service or LDS event log for 3044-3056 events on domain controllers and LDS servers that have the November 9, 2021 or later Windows updates. Logged events indicate that a user might have excessive privileges to create computer accounts with arbitrary security-sensitive attributes. Report any unexpected scenarios to Microsoft using a Premier or Unified Support case or the Feedback Hub. (An example of these events can be found in the Newly Added Events section.)
-
If Audit mode does not detect any unexpected privileges for a sufficient length of time, switch to Enforcement mode to ensure that no negative results occur. Report any unexpected scenarios to Microsoft using a Premier or Unified Support case or the Feedback Hub.
Timing of Windows updates
These Windows updates will be released in two phases:
-
Initial deployment – Introduction of the update, including Audit-By-Default, Enforcement or Disable modes configurable using the dSHeuristics attribute.
-
Final deployment – Enforcement-By-Default.
November 9, 2021: Initial deployment phase
The initial deployment phase starts with the Windows update released on November 9, 2021. This release adds the auditing of permissions set by users without domain administrator rights during the creation or modification of a computer or computer-derived objects. It also adds an Enforcement and a Disable mode. You can set the mode globally for each Active Directory forest using the dSHeuristics attribute.
(Updated 12/15/2023) Final deployment phase
The final deployment phase can begin once you have completed the steps listed in the Take Action section. To move to Enforcement Mode, follow the instructions in the Deployment Guidance section to set the 28th and 29th bits on the dSHeuristics attribute. Then monitor for events 3044-3046. They report when Enforcement Mode has blocked an LDAP Add or Modify operation that might have previously been allowed in Audit mode.
Deployment guidance
Setting Configuration Information
After installing CVE-2021-42291, characters 28 and 29 of the dSHeuristics attribute control the behavior of the update. The dSHeuristics attribute exists within each Active Directory forest and contains settings for the entire forest. The dSHeuristics attribute is an attribute of the "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<Domain>" (AD ) or "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<configuration set>" (LDS) object. See 6.1.1.2.4.1.2 dSHeuristics and DS-Heuristics attribute for more information.
Character 28 – Additional AuthZ verifications for LDAP Add operations
0: Audit-by-Default mode is enabled. An event is logged when users without domain administrator rights set the securityDescriptor or other attributes to values that might grant excessive permissions, potentially allowing future exploitation, on new computer-derived AD objects.
1: Enforcement mode is enabled. This prevents users without domain administrator rights from setting the securityDescriptor or other attributes to values that might grant excessive permissions on computer-derived AD objects. An event is also logged when this occurs.
2: Disables the updated auditing and does not enforce the added security. Not recommended.
Example: If you had no other dSHeuristics settings enabled in your forest and you want to switch to Enforcement mode for Additional AuthZ verification, the dSHeuristics attribute should be set to:
“0000000001000000000200000001”
The characters that are set in this case are:
10th char : Must be set to 1 if the dSHeuristics attribute is at least 10 characters
20th char: Must be set to 2 if the dSHeuristics attribute is at least 20 characters
28th char: Must be set to 1 to enable Enforcement mode for Additional AuthZ verification
Character 29 – Temporary removal of Implicit Owner for LDAP Modify operations
0: Audit-by-Default mode is enabled. An event is logged when users without domain administrator rights set the securityDescriptor to values that might grant excessive permissions, potentially allowing future exploitation, on existing computer-derived AD objects.
1: Enforcement mode is enabled. This prevents users without domain administrator rights from setting the securityDescriptor to values that might grant excessive permissions on existing computer-derived AD objects. An event is also logged when this occurs.
2:Disables the updated auditing and does not enforce the added security. Not recommended.
Example: If you only had the Additional AuthZ verifications dsHeuristics flag set in your forest and you want to switch to Enforcement mode for temporary Implicit Ownership removal, the dSHeuristics attribute should be set to:
“00000000010000000002000000011”
The characters that are set in this case are:
10th char: Must be set to 1 if the dSHeuristics attribute is at least 10 characters
20th char: Must be set to 2 if the dSHeuristics attribute is at least 20 characters
28th char: Must be set to 1 to enable Enforcement mode for Additional AuthZ verification
29th char: Must be set to 1 to enable Enforcement mode for temporary Implicit Ownership removal
Newly added events
The November 9, 2021 Windows update will also add new event logs.
Mode Change Events – Additional AuthZ verification for LDAP Add operations
Events that occur when bit 28 of the dSHeuristics attribute is changed, which changes the mode of the Additional AuthZ verifications for the LDAP Add operations portion of the update.
|
Event Log |
Directory Services |
|
Event Type |
Informational |
|
Event ID |
3050 |
|
Event Text |
The directory has been configured to enforce per-attribute authorization during LDAP add operations. This is the most secure setting, and no further action is required. |
|
Event Log |
Directory Services |
|
Event Type |
Warning |
|
Event ID |
3051 |
|
Event Text |
The directory has been configured to not enforce per-attribute authorization during LDAP add operations. Warning events will be logged, but no requests will be blocked. This setting is not secure and should only be used as a temporary troubleshooting step. Please review the suggested mitigations in the link below. |
|
Event Log |
Directory Services |
|
Event Type |
Error |
|
Event ID |
3052 |
|
Event Text |
The directory has been configured to not enforce per-attribute authorization during LDAP add operations. No events will be logged, and no requests will be blocked. This setting is not secure and should only be used as a temporary troubleshooting step. Please review the suggested mitigations in the link below. |
Mode Change Events – temporary removal of Implicit Owner rights
Events that occur when bit 29 of the dSHeuristics attribute is changed, which changes the mode of the temporary removal of Implicit Owner rights portion of the update.
|
Event Log |
Directory Services |
|
Event Type |
Informational |
|
Event ID |
3053 |
|
Event Text |
The directory has been configured to block implicit owner privileges when initially setting or modifying the nTSecurityDescriptor attribute during LDAP add and modify operations. This is the most secure setting, and no further action is required. |
|
Event Log |
Directory Services |
|
Event Type |
Warning |
|
Event ID |
3054 |
|
Event Text |
The directory has been configured to allow implicit owner privileges when initially setting or modifying the nTSecurityDescriptor attribute during LDAP add and modify operations. Warning events will be logged, but no requests will be blocked. This setting is not secure and should only be used as a temporary troubleshooting step. |
|
Event Log |
Directory Services |
|
Event Type |
Error |
|
Event ID |
3055 |
|
Event Text |
The directory has been configured to allow implicit owner privileges when initially setting or modifying the nTSecurityDescriptor attribute during LDAP add and modify operations. No events will be logged, and no requests will be blocked. This setting is not secure and should only be used as a temporary troubleshooting step. |
Audit mode events
Events that occur in Audit mode to log potential security concerns with an LDAP Add or Modify operation.
|
Event Log |
Directory Services |
|
Event Type |
Warning |
|
Event ID |
3047 |
|
Event Text |
The directory service detected an LDAP add request for the following object that normally would have been blocked for the following security reasons. The client did not have permission to write one or more attributes included in the add request, based on the default merged security descriptor. The request was allowed to proceed because the directory is currently configured to be in audit-only mode for this security check. Object DN: <created object’s DN> Object class: <created object’s objectClass> User: <user who attempted the LDAP add> Client IP Address: <the IP of the requestor> Security desc: <the SD that was attempted> |
|
Event Log |
Directory Services |
|
Event Type |
Warning |
|
Event ID |
3048 |
|
Event Text |
The directory service detected an LDAP add request for the following object that normally would have been blocked for the following security reasons. The client included an nTSecurityDescriptor attribute in the add request but did not have explicit permission to write one or more parts of the new security descriptor, based on the default merged security descriptor. The request was allowed to proceed because the directory is currently configured to be in audit-only mode for this security check. Object DN: <created object’s DN> Object class: <created object’s objectClass> User: <user who attempted the LDAP add> Client IP Address: <the IP of the requestor> |
|
Event Log |
Directory Services |
|
Event Type |
Warning |
|
Event ID |
3049 |
|
Event Text |
The directory service detected an LDAP modify request for the following object that normally would have been blocked for the following security reasons. The client included an nTSecurityDescriptor attribute in the add request but did not have explicit permission to write one or more parts of the new security descriptor, based on the default merged security descriptor. The request was allowed to proceed because the directory is currently configured to be in audit-only mode for this security check. Object DN: <created object’s DN> Object class: <created object’s objectClass> User: <user who attempted the LDAP add> Client IP Address: <the IP of the requestor> |
|
Event Log |
Directory Services |
|
Event Type |
Warning |
|
Event ID |
3056 |
|
Event Text |
The directory service processed a query for the sdRightsEffective attribute on the object specified below. The returned access mask included WRITE_DAC, but only because the directory has been configured to allow implicit owner privileges which is not a secure setting. Object DN: <created object’s DN> User: <user who attempted the LDAP add> Client IP Address: <the IP of the requestor> |
Enforcement Mode - LDAP Add failures
Events that occur when an LDAP Add operation is denied.
|
Event Log |
Directory Services |
|
Event Type |
Warning |
|
Event ID |
3044 |
|
Event Text |
The directory service denied an LDAP add request for the following object. The request was denied because the client did not have permission to write one or more attributes included in the add request, based on the default merged security descriptor. Object DN: <created object’s DN> Object class: <created object’s objectClass> User: <user who attempted the LDAP add> Client IP Address: <the IP of the requestor> Security desc: <the SD that was attempted> |
|
Event Log |
Directory Services |
|
Event Type |
Warning |
|
Event ID |
3045 |
|
Event Text |
The directory service denied an LDAP add request for the following object. The request was denied because the client included an nTSecurityDescriptor attribute in the add request but did not have explicit permission to write one or more parts of the new security descriptor, based on the default merged security descriptor. Object DN: <created object’s DN> Object class: <created object’s objectClass> User: <user who attempted the LDAP add> Client IP Address: <the IP of the requestor> |
Enforcement Mode - LDAP Modify failures
Events that occur when an LDAP Modify operation is denied.
|
Event Log |
Directory Services |
|
Event Type |
Warning |
|
Event ID |
3046 |
|
Event Text |
The directory service denied an LDAP modify request for the following object. The request was denied because the client included an nTSecurityDescriptor attribute in the modify request but did not have explicit permission to write one or more parts of the new security descriptor, based on the object's existing security descriptor. Object DN: <created object’s DN> Object class: <created object’s objectClass> User: <user who attempted the LDAP add> Client IP Address: <the IP of the requestor> |
Frequently asked questions
Q1 What happens if I have a mixture of Active Directory domain controllers that are updated and not updated?
A1 The DCs that are not updated will not log events related to this vulnerability.
Q2 What do I need to do for Read-Only Domain Controllers (RODCs)?
A2 Nothing; LDAP Add and Modify operations cannot target RODCs.
Q3 I have a third-party product or process that fails after enabling Enforcement mode. Do I need to grant the service or user domain administrator rights?
A3 We generally do not recommend adding a service or user to the Domain Administrators group as the first solution to this issue. Examine the event logs to see what specific permission is required and consider delegating appropriately limited rights for that user on a separate Organizational Unit designated for that purpose.
Q4 I see the audit events also for LDS servers. Why is this happening?
A4 All of the above also applies to AD LDS, although it is very unusual to have computer objects in LDS. The mitigation steps should also be taken to enable the protection for AD LDS when Audit mode does not detect any unexpected privileges.
