Reports of Active Directory Vulnerability Allowing DNS Record Spoofs to Steal Secrets

Long-time Slashdot reader jd writes: The Register is reporting that Akamai security researchers have found a way to hack Active Directory and obtain the information stored within it. The researchers go on to say that Microsoft is NOT planning to fix the vulnerability.
From the article: While the current report doesn't provide technical details or proof-of-concept exploits, Akamai has promised, in the near future, to publish code that implements these attacks called DDSpoof — short for DHCP DNS Spoof.

'We will show how unauthenticated attackers can collect necessary data from DHCP servers, identify vulnerable DNS records, overwrite them, and use that ability to compromise AD domains,' Akamai security researcher Ori David said.

The DHCP attack research builds on earlier work by NETSPI's Kevin Roberton, who detailed ways to exploit flaws in DNS zones.

Of course they're not

[Voyager529]

...because the fix is in AzureAD.

Re:Of course they're not

[Baron_Yam]

Having the Internet is nice, but I don't think I'll ever get over having on-prem. I want to know where my server is, I want physical control, and I don't want to depend on my ISP to connect me to it. Off site backup, sure. But if your business model isn't already dependent on the Internet, don't make it that way by making your supporting technology dependent on it.

If you're too small for an IT department, you can contract that service out, but you should still have your critical hardware on site. Needing Azure to log in to your systems is just an extra risk factor.

Then again, whenever you can you should be using something other than Microsoft products since there are a lot of good alternatives out there that are more reliable and less expensive. They just don't have the branding. For me, MS is for work and Linux is for home. They're not THAT different, if you're technically inclined enough to be competent with one, you can do the same for another.

Re:

[tlhIngan]

Having be both is useful, actually.

AzureAD lets you ship a laptop off to someone WFH and all they do is log in, no pesky VPN setup is required for them. On prem is handy for having quick access for those in the office.

My old workplace had that set up - it saved the annoying habit of password changes having to be done in the office (because it's always a crapshoot if the VPN would let you do it from your PC at home). Sometimes we had a terminal server whose only job is to let people remote into it and change

Re:

[whoever57]

I mean, unless people have been putting their AD servers on the Internet but even so, do they not require a VPN to access resources that would be hosted by DHCP/DNS?

Have you not heard of the latest hotness: Zero trust networks?

Re:

[Anonymous Coward]

Of course, I'm not exactly sure what the point is, because if you want to DHCP DNS spoof, you generally have to log into the VPN so you can access work resources. I mean, unless people have been putting their AD servers on the Internet but even so, do they not require a VPN to access resources that would be hosted by DHCP/DNS?

This is for an on-prem attack.

Don't forget that it was only with Windows Server 2022 that a brand new AD deployment no longer grants "Domain Computer" full write access to the domains DNS zone.

Server 2019 still defaulted to allow this, because it had to be forest level compatible with Server 2008 in order to migrate from Win 7 to 10.
Forest version 2008 didn't particularly handle real service accounts too well, and DHCPd did not create or use one.

That was the problem. Win 7 networks, and Win 10 networks tha

Re:

[phantomfive]

They just don't have the branding. For me, MS is for work and Linux is for home.

For some of us, Linux is for work and also for home. Even if you use Azure, Linux is more popular. [zdnet.com]

Re:

[gweihir]

Incompetente? Greed? Outright maliciousness?
Well, it is MicroShit, so probably all three.
Oh, and putting even more eggs into the Azure basket is such a splendid idea.

Re:

[mysidia]

The fix is remove DHCP from your Windows servers, and configure Dnsmasq on a Linux server.

Details

[sjames]

I dug a bit for the details and it's worse than I thought. You can get any name you want by requesting an IP address from the DHCP server. That's it, just ask and you shall receive! What the HELL Microsoft?!?

Re:Details

[codebase7]

I dug a bit for the details and it's worse than I thought. You can get any name you want by requesting an IP address from the DHCP server. That's it,

That's literally part of RFC 2131 made in 1997 [rfc-editor.org]. Further, that same RFC [rfc-editor.org] acknowledges that malicious clients may do exactly the thing described above.

What the HELL Microsoft?!?

More like what the HELL netop? This type of "attack" has been known for decades now, and there are mitigations for it. Knowing what they are and how to implement them is a netop's job. Not Microsoft's. Akamai (being a CDN, cloud-services and security research group) should know better than this. (As should /. for that matter.)

Also, what the HELL 4-digit UID? You should know better than this as well.....

Re:

[codebase7]

*Addendum:* This is what I get for relying on a 4-digit UID.....

According to TFA the "issue" at hand is dynamic DNS updates in AD. Specifically that by default AD enables domain computers to update their IP addresses in AD (and thus AD's internal DNS server) automatically. However TFA fails to acknowledge that the IPs in a default installation can only be updated by the machine itself in this manner. Through it's machine account in AD, which requires being able to authenticate to AD as said machine. (Tech

Re:Details

[sjames]

Silly me, rather than rely on a slightly confused article from the press, I went and read the actual write-up by the discoverer./s

Yes, updating the DDNS normally requires authentication. That's why you need a bypass which is what the publication that TFA referred to was talking about.

Re:

[sjames]

Wow, that's a great example of confidently wrong! You have conflated standard old DHCP (defined in the various RFCs) with Microsoft's idea of dynamic DNS and giving DHCP carte blanche to change DNS (defined only by Microsoft). But surely that red face should have cooled off enough by now to mumble a word of two of apology for being insulting while you were confidently wrong.