CVE-2021-42287

Name of the Vulnerable Software and Affected Versions Microsoft Windows Server versions prior to the patchday that contains the fix for the vulnerability

Description The issue is related to an elevation-of-privilege vulnerability in Microsoft Active Directory Domain Services. This vulnerability is associated with insecure privilege management, which can be exploited by a remote attacker to elevate their privileges. The vulnerability is linked to the Privilege Attribute Certificate (PAC) in the Kerberos authentication protocol, which stores additional user authorization information. Microsoft updated the PAC by adding two new data structures, PAC ATTRIBUTES INFO and PAC REQUESTOR, to address this issue. The PAC REQUESTOR structure checks the username in the ticket, which is resolved to a SID included in the PAC. As a result, any ticket without the new PAC structure (or a ticket for a non-existent user) will be rejected if the update is installed.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.