Vulnerability identifier: #VU98219
Vulnerability risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-636
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
Windows
Operating systems & Components /
Operating system
Windows Server
Operating systems & Components /
Operating system
Vendor:
Description
The vulnerability allows a remote user to escalate privileges in Active Directory domain.
The vulnerability exists due to the way the Remote Registry client handles RPC authentication during certain fallback scenarios when SMB transport is unavailable. A remote user can authenticated against the AD server, intercept the NTLM authentication handshake from the client and forward it to another service, such as the (ADCS), and create a new domain administrator.
Successful exploitation of the vulnerability may allows a domain user to take over the entire AD.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
External links
http://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43532
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.