KB5008383—Active Directory permissions updates (CVE-2021-42291)
CVE-2021-42291 addresses a security bypass vulnerability that allows certain users to set arbitrary values on security-sensitive attributes of specific objects stored in Active Directory (AD). To exploit this vulnerability, a user must have sufficient privileges to create a computer account, such as a user granted CreateChild permissions for computer objects. That user could create a computer account with a Lightweight Directory Access Protocol (LDAP) Add call that supplies an overly permissive security descriptor for the new object in its securityDescriptor attribute, granting the creator or other principals rights that the directory would not otherwise have allowed. Additionally, because the creator of an object becomes its owner, and an owner implicitly holds rights over the object's security descriptor, creators and owners can modify security-sensitive attributes after creating an account.
The mitigations for CVE-2021-42291 consist of:
Additional authorization verification when users without domain administrator rights attempt an LDAP Add operation for a computer-derived object. This includes an Audit-By-Default mode that logs such attempts without interfering with the request, and an Enforcement mode that blocks them.
Temporary removal of the Implicit Owner privileges when users without domain administrator rights attempt an LDAP Modify operation on the securityDescriptor attribute. A verification then confirms whether the user would be allowed to write the security descriptor without Implicit Owner privileges. This also includes an Audit-By-Default mode that logs such attempts without interfering with the request, and an Enforcement mode that blocks them.
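As an added example (not part of this KB, and not Microsoft's implementation of the checks described above), the following Python script applies the same two tests to computer-object security descriptors exported in SDDL form, for instance with `(Get-ADComputer <name> -Properties nTSecurityDescriptor).nTSecurityDescriptor.GetSecurityDescriptorSddlForm('All')` from the ActiveDirectory PowerShell module. It flags objects whose owner is not a privileged group (the Implicit Owner case) and allow ACEs that grant GENERIC_ALL, WRITE_DAC or WRITE_OWNER to the owner, to broad groups or to other unprivileged principals (the overly permissive descriptor case). The privileged and broad-group sets, the user SID and the three sample descriptors are assumptions constructed for the example; real computer objects carry many more ACEs than shown.

```python
"""Audit computer-object security descriptors for the two conditions behind
CVE-2021-42291: an owner that is not a privileged group (Implicit Owner rights
let it rewrite the DACL) and allow ACEs that hand control rights (GENERIC_ALL,
WRITE_DAC, WRITE_OWNER) to the owner, a broad group or another unprivileged
principal. Input is SDDL text; the sample descriptors below are constructed."""
import re

# SDDL two-letter access-right codes -> access-mask bits (Windows constants).
RIGHT_BITS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
CONTROL_MASK = RIGHT_BITS["GA"] | RIGHT_BITS["WD"] | RIGHT_BITS["WO"]

# Trustees allowed to own or control computer objects (assumption; adjust to
# your environment). SDDL aliases: DA/EA/BA = Domain/Enterprise/Builtin Admins,
# SY = Local System; S-1-5-32-544 is BUILTIN\Administrators.
PRIVILEGED = {"DA", "EA", "BA", "SY", "S-1-5-32-544"}
# Broad groups whose control over a computer object is always suspicious:
# Authenticated Users, Everyone, Domain Users, Domain Computers, Creator Owner.
BROAD = {"AU", "WD", "DU", "DC", "CO", "BU", "S-1-1-0", "S-1-5-11"}

# (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def rights_mask(rights):
    """Convert an SDDL rights field (hex value or concatenated codes) to a mask."""
    rights = rights.strip()
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(RIGHT_BITS.get(rights[i:i + 2].upper(), 0)
               for i in range(0, len(rights), 2))


def parse_sddl(sddl):
    """Return (owner, dacl_aces); each ACE is (type, flags, mask, trustee)."""
    owner_m = re.search(r"O:(.+?)(?=[GDS]:|$)", sddl)
    owner = owner_m.group(1) if owner_m else ""
    dacl_m = re.search(r"D:(.*?)(?=S:|$)", sddl)
    dacl = dacl_m.group(1) if dacl_m else ""
    aces = [(t, f, rights_mask(r), trustee.strip())
            for t, f, r, _obj, _inh, trustee in ACE_RE.findall(dacl)]
    return owner, aces


def audit_computer(name, sddl):
    """Return findings for one object as (object, issue, trustee) tuples."""
    findings = []
    owner, aces = parse_sddl(sddl)
    if owner not in PRIVILEGED:
        # Before the fix, Implicit Owner rights let this principal rewrite the
        # DACL even when no ACE grants it WRITE_DAC (the LDAP Modify case).
        findings.append((name, "non-privileged owner", owner))
    for ace_type, _flags, mask, trustee in aces:
        # Only allow ACEs (plain or object-specific) carrying control bits.
        if ace_type not in ("A", "OA") or not (mask & CONTROL_MASK):
            continue
        if trustee in PRIVILEGED:
            continue
        who = ("owner" if trustee == owner else
               "broad group" if trustee in BROAD else "principal")
        findings.append((name, f"control rights granted to {who}", trustee))
    return findings


# Constructed sample descriptors (not from a real directory). USER stands for
# an unprivileged account that holds CreateChild on the Computers container.
USER = "S-1-5-21-1004336348-1177238915-682003330-1104"
SAMPLES = {
    # Default-looking object: owned by Domain Admins, Authenticated Users read only.
    "SRV01": "O:DAG:DUD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
             "(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)",
    # Added by the unprivileged user via LDAP Add with a permissive descriptor:
    # the creator owns the object and also granted itself GENERIC_ALL.
    "WS-ROGUE": f"O:{USER}G:DUD:(A;;GA;;;{USER})(A;;RPLCLORC;;;AU)"
                "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)",
    # Owner is fine, but a hex mask hands WRITE_DAC|WRITE_OWNER (0x000F01FF
    # includes the standard control bits) to all authenticated users.
    "WS-LOOSE": "O:DAG:DUD:(A;;0x000F01FF;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)",
}


def audit_all(samples=SAMPLES):
    """Run the audit over every sample and return the combined findings."""
    return [f for name, sddl in samples.items() for f in audit_computer(name, sddl)]


if __name__ == "__main__":
    for obj, issue, trustee in audit_all():
        print(f"{obj}: {issue} ({trustee})")
```

On the samples above, SRV01 produces no findings, WS-ROGUE is reported twice (unprivileged owner, and GENERIC_ALL granted to that owner) and WS-LOOSE once (control rights granted to Authenticated Users). To run it against a live domain, export the SDDL of every computer object and feed the name/SDDL pairs to audit_computer; objects it flags are the ones the Audit-By-Default mode of this update is designed to surface going forward.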
Microsoft has published KB5008383—Active Directory permissions updates (CVE-2021-42291) for Windows Server 2022, Windows Server 2019, Windows Server 2016 all editions, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Service Pack 2.