
Cloud Vulnerability DB
A community-led vulnerabilities database
Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2021-42282) was disclosed on November 9, 2021. It affects Microsoft Windows Server systems through their Active Directory Domain Services component, and it is distinct from the related issues CVE-2021-42278, CVE-2021-42287 and CVE-2021-42291 that were disclosed in the same release (NVD).
The vulnerability concerns how Active Directory verifies that user principal names (UPNs) and service principal names (SPNs) are unique. Two checks are involved: verification of UPN and SPN uniqueness, which is new for Windows 8, Windows Server 2012 and earlier releases (later releases already performed it), and verification of SPN alias uniqueness, which is new for all Windows versions. NVD rates the vulnerability CVSS v3.1 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; Microsoft's own score is 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, the two differing only in attack complexity (NVD).
If exploited, the vulnerability lets an attacker who already holds a low-privileged domain account (PR:L in both vectors) gain elevated privileges in Active Directory Domain Services. The weakness lies in the uniqueness verification of SPNs across a forest. Active Directory treats an SPN that is registered on more than one account as unregistered, so a duplicate SPN breaks Kerberos authentication to that service, and missing or bypassable uniqueness checks open the door to the privilege escalation described above (Microsoft Support).
Microsoft released security updates on November 9, 2021 that add these UPN and SPN uniqueness checks to domain controllers. The checks can be relaxed through the dSHeuristics attribute in Active Directory, which accepts several values that control which verifications run; the default value enforces all of them, and Microsoft does not recommend disabling any of them (Microsoft Support).
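As an added example that is not part of the original page or of Microsoft's guidance, the following PowerShell script audits the two things described above on a domain-joined host: the dSHeuristics position that controls the uniqueness checks, and whether the domain already contains duplicate UPNs or SPNs, including SPNs that collide only through the sPNMappings aliases (for example cifs/ and host/ on the same host). It assumes the RSAT ActiveDirectory module is installed and the caller can read the Configuration partition; the function names are the author's own and the sample SPNs in comments are constructed.

```powershell
# Added example (not code from the original page or from Microsoft).
# Assumes: RSAT ActiveDirectory module, read access to the Configuration NC.
Import-Module ActiveDirectory

# The Directory Service object carries both dSHeuristics and the sPNMappings
# that define which service classes are aliases of one another.
function Get-DirectoryServiceObject {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                 -Properties dSHeuristics, sPNMappings
}

# Character 21 (1-based) of dSHeuristics is DoNotVerifyUPNAndOrSPNUniqueness (MS-ADTS).
# An absent attribute, a value too short to reach position 21, or '0' means
# every uniqueness check is enforced; anything else has relaxed at least one of them.
function Get-UpnSpnUniquenessState {
    $h = [string](Get-DirectoryServiceObject).dSHeuristics
    $c = if ($h.Length -ge 21) { [string]$h[20] } else { '0' }
    [pscustomobject]@{
        dSHeuristics      = $h
        Position21        = $c
        AllChecksEnforced = ($c -eq '0')
    }
}

# Build a service-class -> canonical-class map from sPNMappings; entries look like
# "host=alerter,appmgmt,cifs,...,http,...". Classes not listed map to themselves.
function Get-SpnAliasMap {
    $map = @{}
    foreach ($entry in (Get-DirectoryServiceObject).sPNMappings) {
        $parts = $entry -split '=', 2
        if ($parts.Count -ne 2) { continue }
        $canonical = $parts[0].Trim().ToLowerInvariant()
        foreach ($alias in ($parts[1] -split ',')) {
            $a = $alias.Trim().ToLowerInvariant()
            if ($a) { $map[$a] = $canonical }
        }
    }
    $map
}

# Normalise an SPN so that aliases collide: lower-case it and swap the service class
# for its canonical class, so "cifs/srv01.corp.example" (constructed) and
# "HOST/srv01.corp.example" both become "host/srv01.corp.example".
function Get-CanonicalSpnKey {
    param([string]$Spn, [hashtable]$AliasMap)
    $lower = $Spn.ToLowerInvariant()
    $slash = $lower.IndexOf('/')
    if ($slash -lt 1) { return $lower }
    $class = $lower.Substring(0, $slash)
    if ($AliasMap.ContainsKey($class)) { $class = $AliasMap[$class] }
    return $class + $lower.Substring($slash)
}

# An SPN held by more than one account (exactly or via an alias) is treated as
# unregistered, which breaks Kerberos authentication to that service.
function Find-DuplicateSpns {
    $aliasMap = Get-SpnAliasMap
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $owner = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                [pscustomobject]@{ Key = (Get-CanonicalSpnKey $spn $aliasMap); Spn = $spn; Owner = $owner }
            }
        } |
        Group-Object Key |
        Where-Object { @($_.Group.Owner | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                CanonicalSpn = $_.Name
                Spns         = (@($_.Group.Spn   | Sort-Object -Unique) -join '; ')
                Owners       = (@($_.Group.Owner | Sort-Object -Unique) -join '; ')
            }
        }
}

# Two accounts sharing a userPrincipalName make UPN logon ambiguous.
function Find-DuplicateUpns {
    Get-ADUser -LDAPFilter '(userPrincipalName=*)' -Properties userPrincipalName |
        Group-Object { $_.userPrincipalName.ToLowerInvariant() } |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{ Upn = $_.Name; Accounts = (@($_.Group.DistinguishedName) -join '; ') }
        }
}

Get-UpnSpnUniquenessState | Format-List
Find-DuplicateSpns        | Format-Table -AutoSize
Find-DuplicateUpns        | Format-Table -AutoSize
```

The script is domain-scoped; the built-in setspn -X -F query gives a quick forest-wide listing of duplicate SPNs, while the alias folding above shows why an SPN that looks unique can still collide once the November 9, 2021 checks are enforced. Any collisions it reports should be resolved before, not by, relaxing dSHeuristics.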
Source: This report was generated using AI