CVE-2021-36942: 
vulnerability analysis and mitigation

CVE-2021-36942, known as the Windows LSA Spoofing Vulnerability, is a critical security flaw that affects Microsoft Windows Active Directory Certificate Services (AD CS). The vulnerability was discovered and disclosed in July 2021, affecting multiple versions of Windows Server including 2008, 2012, 2016, and 2019 (NVD).

The vulnerability involves the Encrypting File System Remote (EFSRPC) protocol, specifically the EfsRpcOpenFileRaw function, which can be exploited to force Windows hosts to authenticate to other machines. The vulnerability has a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility with low attack complexity and no required privileges or user interaction (NVD).

This vulnerability can allow an attacker to leverage NTLM authentication information to potentially compromise the entire Active Directory infrastructure. When exploited, it enables an attacker on any domain-joined system to obtain a certificate that can be used to acquire a Ticket Granting Ticket (TGT), leading to a 'Golden Ticket' attack scenario (CERT VU).

Microsoft released security updates to address this vulnerability by blocking the unauthenticated EfsRpcOpenFileRaw API call exposed through the LSARPC interface. Additional mitigations include enabling Extended Protection for Authentication (EPA), requiring SSL on AD CS systems, disabling incoming NTLM on AD CS servers, and implementing RPC filters to block EFSRPC functionality (CERT VU).