Microsoft Active Directory: how to save your network from a new attack that Microsoft doesn't want to fix?

Brother

Akamai warns that many networks are at risk of attacks that can spoof DNS records and steal secrets from Active Directory, and Microsoft is not going to fix this flaw.

Security experts from Akamai have discovered a serious threat in Microsoft Active Directory systems. Attacks targeting these systems can allow attackers to forge DNS records, compromise Active Directory, and steal its stored secrets.

The attacks are particularly dangerous for servers running the default Microsoft Dynamic Host Configuration Protocol (DHCP) configuration. Notably, carrying them out does not require any user credentials.

Akamai reported the problem to Microsoft, but the latter, according to sources, does not plan to fix this flaw. Microsoft has not yet responded to requests from journalists about this.

While there are no reports yet of servers being affected by such an attack, Akamai experts warn that many organizations may be vulnerable, given that 40% of the thousands of networks monitored by Akamai use the vulnerable Microsoft DHCP configuration.

In addition, Akamai has provided a tool for system administrators to help detect vulnerable configurations.

Akamai researchers, including Ori David, revealed that hackers have the ability to extract information from DHCP servers, identify DNS records at risk, modify them, and thus disrupt the operation of Active Directory domains. These conclusions are based on previous studies of such vulnerabilities.

The problem is that updating DNS records via DHCP does not require client authentication. This lets an attacker have the DHCP server authenticate to the DNS server on their behalf, without holding any credentials of their own.

In addition to creating DNS records that did not previously exist, attackers can overwrite existing data, including records in the Active Directory-integrated (ADI) zone, especially if the DHCP server is installed on a domain controller. According to Akamai, this is the case in 57% of the networks they track.

Experts urge organizations to disable the DHCP DNS Dynamic Updates feature and avoid using the DnsUpdateProxy group to minimize risks.
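The following PowerShell audit is an added example for this post; it is not Akamai's own checking tool and not code from the article. It assumes the DhcpServer and ActiveDirectory RSAT modules are installed and that the caller can read the DHCP servers authorized in the domain. It reports, per DHCP server, whether DHCP-driven DNS dynamic updates are still enabled, whether the server runs on a domain controller, and whether a dedicated update account is configured, and it lists any members of the DnsUpdateProxy group, which are the two settings the article recommends addressing.

```powershell
# Added audit example (not Akamai's tool, not from the original post).
# Assumes the DhcpServer and ActiveDirectory modules are available and the
# caller has read access to every DHCP server authorized in Active Directory.
Import-Module DhcpServer
Import-Module ActiveDirectory

# All DHCP servers authorized in AD, and the domain's DCs for the "DHCP on a DC" check.
$dhcpServers       = Get-DhcpServerInDC
$domainControllers = (Get-ADDomainController -Filter *).HostName

$report = foreach ($srv in $dhcpServers) {
    $name     = $srv.DnsName
    $findings = @()

    # Server-wide DNS registration policy: Always, OnClientRequest or Never.
    # Anything other than Never means the DHCP server registers records for clients.
    $dns = Get-DhcpServerv4DnsSetting -ComputerName $name
    if ($dns.DynamicUpdates -ne 'Never') {
        $findings += "DynamicUpdates is '$($dns.DynamicUpdates)' (recommended: Never)"
    }

    # Name protection adds DHCID checks so one client's record cannot be
    # silently replaced by a different client claiming the same name.
    if (-not $dns.NameProtection) {
        $findings += 'NameProtection is disabled'
    }

    # DHCP on a domain controller registers records using the DC's own identity,
    # which is the configuration the article singles out as most exposed.
    if ($domainControllers -contains $name) {
        $findings += 'DHCP server is installed on a domain controller'
    }

    # Account used for dynamic updates; an empty name means the machine account.
    $cred = Get-DhcpServerDnsCredential -ComputerName $name
    if ([string]::IsNullOrEmpty($cred.UserName)) {
        $findings += 'No dedicated DNS update credential (updates use the machine account)'
    }

    [pscustomobject]@{
        Server   = $name
        Findings = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

$report | Format-Table -AutoSize

# Records registered by members of DnsUpdateProxy are left unsecured so that any
# client can later update them; the article recommends keeping this group empty.
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' -ErrorAction SilentlyContinue
if ($proxyMembers) {
    Write-Warning ('DnsUpdateProxy has members: ' + ($proxyMembers.SamAccountName -join ', '))
} else {
    Write-Output 'DnsUpdateProxy group is empty.'
}
```

Run it from a management host as a user with read access to the DHCP servers and the directory. For a server flagged with `DynamicUpdates` other than `Never`, the corresponding remediation in the same module is `Set-DhcpServerv4DnsSetting -ComputerName <server> -DynamicUpdates Never`; test this on one server first, since clients that do not register their own records will then lose their DNS entries.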