全站搜索

Active Directory Domain Services权限提升漏洞 (CVE-2022-26923) 风险通告

分类:漏洞通告 1071
近日,武汉明嘉信安全研究团队关注到Active Directory Domain Services权限提升漏洞 (CVE-2022-26923),当Active Directory证书服务在域上运行时,经过身份验证的攻击者可以在证书请求中包含特制的数据,然后从Active Directory证书服务中获取允许提升权限的证书,并将域中普通用户权限提升为域管理员权限。

明嘉信“阿努纳奇”安全实验室团队成员第一时间进行漏洞复现,复现过程如下:

使用certipy请求证书:

影响版本

Windows Server 2012 R2 (Server Core installation)

Windows Server 2012 R2

Windows RT 8.1

Windows 8.1 for x64-based systems

Windows 8.1 for 32-bit systems

Windows Server 2016 (Server Core installation)

Windows Server 2016

Windows 10 Version 1607 for x64-based Systems

Windows 10 Version 1607 for 32-bit Systems

Windows 10 for x64-based Systems

Windows 10 for 32-bit Systems

Windows 10 Version 21H2 for x64-based Systems

Windows 10 Version 21H2 for ARM64-based Systems

Windows 10 Version 21H2 for 32-bit Systems

Windows 11 for ARM64-based Systems

Windows 11 for x64-based Systems

Windows Server, version 20H2 (Server Core Installation)

Windows 10 Version 20H2 for ARM64-based Systems

Windows 10 Version 20H2 for 32-bit Systems

Windows 10 Version 20H2 for x64-based Systems

Windows Server 2022 (Server Core installation)

Windows Server 2022

Windows 10 Version 21H1 for 32-bit Systems

Windows 10 Version 21H1 for ARM64-based Systems

Windows 10 Version 21H1 for x64-based Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for 32-bit Systems

Windows Server 2019 (Server Core installation)

Windows Server 2019

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

修复建议:

防御 CVE-2022-26923

最好的做法是应用Microsoft 发布的补丁:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26923

除此之外,您还可以采取其他一些安全措施:

确保您的证书模板受到限制。仅在需要时才允许机器和用户自动注册。否则,通过安全配置,可以减少这些模板的权限。

如果没有允许用户将主机注册到 AD 的商业案例,请将所有不应注册新主机的帐户的 MS-DS-Machine-Account-Quota 属性更改为 0。

然而,这并不能解决问题,因为攻击者只需获得对单个加入域的主机的管理访问权限,就可以执行证书请求。

上一篇: 下一篇:
相关推荐
X