
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-42287 is a critical Active Directory Domain Services Elevation of Privilege vulnerability discovered in November 2021. This security bypass vulnerability affects the Kerberos Privilege Attribute Certificate (PAC) and allows potential attackers to impersonate domain controllers. The vulnerability impacts multiple Windows Server versions, including Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, and 2019 (Microsoft Support).
The vulnerability allows a compromised domain account to cause the Key Distribution Center (KDC) to create a service ticket with a higher privilege level than that of the compromised account. This is achieved by preventing the KDC from identifying which account the higher privilege service ticket is for. The vulnerability received a CVSS v3.1 base score of 8.8 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H from NIST NVD, while Microsoft assigned it a score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).
The vulnerability enables any domain user to effectively become a domain administrator under default conditions. When exploited, an unprivileged user can escalate their privileges to domain administrator in less than 60 seconds, making this vulnerability extremely severe. The exploit allows attackers to bypass security controls and gain unauthorized administrative access to the domain (Fortinet).
Microsoft released security updates (KB5008380) on November 9, 2021, to address this vulnerability. Mitigation requires updating all devices that host the Active Directory domain controller role and read-only domain controllers (RODCs). Organizations are strongly advised to enable Enforcement mode on all Active Directory domain controllers once the November 9, 2021 security update and the November 14, 2021 out-of-band update have been installed for at least 7 days (Microsoft Support).
Source: This report was generated using AI