CVE-2022-21857: 
vulnerability analysis and mitigation

CVE-2022-21857 is an Active Directory Domain Services Elevation of Privilege Vulnerability that was disclosed on January 11, 2022. The vulnerability affects Microsoft Windows systems, specifically targeting Active Directory Domain Services and its trust relationships between domains and forests (Microsoft Learn, Rapid7).

The vulnerability relates to NTLM pass-through authentication requests sent by a trusting domain over a domain or forest trust, or sent by a read-only domain controller (RODC) over a secure channel trust. After the January 11, 2022 Windows updates, domain controllers enforce new security checks that require the domain or client being authenticated to be appropriate for the trust being used. The Primary Domain Controller (PDC) of the root domain in each forest is updated to perform trust scanning operations every eight hours to validate domain names in trusting forests (Microsoft Learn).

If exploited, this vulnerability could allow an attacker to achieve elevation of privilege through Active Directory Domain Services. The vulnerability has a CVSS score of 9.0, indicating critical severity, with potential for complete compromise of confidentiality, integrity, and availability of the affected systems (Rapid7).

Microsoft has released security updates to address this vulnerability. The fix requires installing the January 11, 2022 Windows updates or later updates. Organizations must ensure their configuration meets specific prerequisites, including proper firewall configurations (TCP and UDP ports 389, TCP port 88), appropriate access permissions, and proper trust relationships. The security of a forest is achieved once all domain controllers in all domains have the update installed and the PDC trust scanner has completed at least one successful operation (Microsoft Learn).