CVE-2021-36949: Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability

Overview

Severity
High (CVSS 7.1)
CVSS Vector
CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Category
Elevation of Privilege
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2021-Aug
Released
2021-08-10
Last Updated
2021-08-10
EPSS Score
0.79% (percentile: 73.9%)

FAQ

What should I do to be protected against this vulnerability?
In addition to applying the updates listed in this CVE, you need to disable NTLM on the affected server, following the guidance for each product:
  • For Azure Active Directory Connect, see "Prerequisites for Azure AD Connect".
  • For Azure Active Directory Connect Provisioning Agent, see "Prerequisites for Azure AD Connect cloud sync".

What must an attacker do to exploit this vulnerability?
The attacker must be able to establish a man-in-the-middle position between your Azure AD Connect server and a domain controller, and must also possess domain user credentials. Patching alone does not close the attack path while the server is still willing to authenticate to a remote server with NTLM, which is why the NTLM guidance above is part of the remediation.
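The advisory's remediation is two-part (update, then stop the host from sending NTLM), but it does not say how to confirm the second part took effect. The following PowerShell is an added example, not Microsoft's own script and not part of the advisory or the prerequisites documents it cites. It reads the Group Policy-backed registry values behind "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers", "Add remote server exceptions for NTLM authentication" and "LAN Manager authentication level", reports whether outgoing NTLM is actually denied, and, if not, summarises the NTLM audit events (ID 8001 in Microsoft-Windows-NTLM/Operational) that show which remote servers the host still reaches with NTLM. Assumptions: it runs elevated on the Azure AD Connect host, the sync engine service is named ADSync, and 8001 events exist only once the outgoing-NTLM policy is at least in Audit mode.

```powershell
# Added example (not from the MSRC advisory or Microsoft's guidance text).
# Verifies the NTLM part of the CVE-2021-36949 remediation on an Azure AD
# Connect host. Assumed: run elevated on that host; service name ADSync.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Join-Path $lsa 'MSV1_0'

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    # A missing value means "policy not configured", so report the OS default.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function Get-NtlmPosture {
    # "Restrict NTLM: Outgoing NTLM traffic to remote servers"
    # 0 = Allow all (value absent), 1 = Audit all, 2 = Deny all
    $outgoing = Get-RegValueOrDefault -Path $msv -Name 'RestrictSendingNTLMTraffic' -Default 0
    $label = switch ($outgoing) {
        0 { 'Allow all' }
        1 { 'Audit all' }
        2 { 'Deny all' }
        default { "Unknown ($outgoing)" }
    }

    # "LAN Manager authentication level"; 5 = send NTLMv2 only, refuse LM and NTLM.
    # Absent means 3 on current Windows Server releases.
    $lmLevel = Get-RegValueOrDefault -Path $lsa -Name 'LmCompatibilityLevel' -Default 3

    # "Restrict NTLM: Add remote server exceptions" (REG_MULTI_SZ). Any entry is a
    # server the host may still authenticate to with NTLM even under Deny all.
    $exceptions = @(Get-RegValueOrDefault -Path $msv -Name 'ClientAllowedNTLMServers' -Default @())

    [pscustomobject]@{
        OutgoingNtlm     = $label
        LmCompatibility  = $lmLevel
        ServerExceptions = $exceptions
        Mitigated        = ($outgoing -eq 2 -and $exceptions.Count -eq 0)
    }
}

function Get-NtlmAuditSummary {
    param([int]$Days = 7)
    # Event 8001 records each outgoing NTLM authentication that "Deny all" would
    # have blocked. Review these before moving from Audit to Deny so that the
    # sync account's traffic to the domain controller is understood first.
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Days   = $Days
        Count  = $events.Count
        Latest = $events | Select-Object -First 5 -Property TimeCreated, Message
    }
}

# Sanity check that this is the sync server at all (service name is an assumption).
if ($null -eq (Get-Service -Name 'ADSync' -ErrorAction SilentlyContinue)) {
    Write-Warning 'ADSync service not found; is this the Azure AD Connect server?'
}

$posture = Get-NtlmPosture
$posture | Format-List
if (-not $posture.Mitigated) {
    Write-Warning 'Outgoing NTLM is not denied on this host; the CVE-2021-36949 mitigation is incomplete.'
    Get-NtlmAuditSummary | Format-List
}
```

The script only inspects client-side state on the Azure AD Connect host; it does not change policy. Move the outgoing-NTLM policy to Audit first, let 8001 events accumulate for a representative period, and only then set Deny all, because other workloads on the same host may depend on NTLM and will fail once it is denied. The same check applies to the Provisioning Agent host named in the revision history, with the service name adjusted accordingly.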

Detection & Weaponization (1 source)

Maturity: Exploit

  • GitHub PoC: 1 repositories

Affected Products (3)

Other

  • 11920
  • 11922
  • 11919

Security Updates (3)

Acknowledgments

Sagi Sheinfeld with CrowdStrike (https://www.crowdstrike.com/), Eyal Karni with CrowdStrike (https://www.crowdstrike.com/), Yaron Zinar (https://twitter.com/yaronzi) with CrowdStrike (https://www.crowdstrike.com/)

Revision History

  • 2021-08-10: Information published.
  • 2021-08-10: The following revisions have been made: 1) In the Security Updates table, added Azure Active Directory Connect Provisioning Agent, as it is also affected by this vulnerability. 2) Updated FAQs.