CVE-2021-42278: 
vulnerability analysis and mitigation

CVE-2021-42278 is a security bypass vulnerability in Active Directory Domain Services that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing. The vulnerability was disclosed on November 9, 2021, affecting various versions of Windows Server including 2022, 2019, 2016, 2012 R2, 2012, 2008 R2, and 2008 Service Pack 2 (Microsoft Support).

The vulnerability stems from improper validation of computer account names in Active Directory environments. Computer account names should always end with a '$' character, but this requirement was not properly enforced. The vulnerability involves the sAMAccountName attribute, which can be manipulated to rename a computer account to a domain controller account name. This can be achieved by clearing the machine's servicePrincipalName attribute and modifying the sAMAccountName (Fortinet Blog).

The vulnerability is considered extremely severe as it allows any domain user to effectively escalate privileges to become a domain administrator under default conditions. When combined with CVE-2021-42287, this vulnerability enables unprivileged users to easily gain domain administrator access, potentially compromising the entire Active Directory environment (Fortinet Blog).

Microsoft has released security patches KB5008380 and KB5008602 to address this vulnerability. After installing the patches, Active Directory performs validation checks on the sAMAccountName and UserAccountControl attributes of computer accounts created or modified by non-administrator users. Failed validations are logged in the Directory-Services-SAM event IDs 16990 and 16991 in the System event log (Microsoft Support).