SusanBradley (3)
SusanBradley's Latest (4) Contributions
Technical Analysis
Based on https://twitter.com/jakekarnes42/status/1329825159247642624
“The vulnerability impacts constrained delegation, which could be present in a single domain/forest.”
Note that the patch itself requires registry keys to be entered. Merely installing updates does not appear to protect the domain. There are issues introduced by this patch with Citrix and Federated Authentication service. (source https://twitter.com/mrgrayaz/status/1328517824633978912)
From https://www.microsoft.com/security/blog/2020/10/07/best-practices-for-defending-azure-virtual-machines/: “If you are already allowing RDP access to your Azure VMs from the internet, you should check the configuration of your Network Security Groups. Find any rule that is publishing RDP and look to see if the Source IP Address is a wildcard (*). If that is the case, you should be concerned, and it’s quite possible that the VM could be under brute force attack right now.”
As a mitigation for on-prem servers you can use Duo (duo.com, a vendor that provides two-factor authentication for RDP connections) to protect RDP, and the built-in Microsoft firewall to limit access to certain IP addresses.
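The two checks described above (finding NSG rules that publish RDP to a wildcard source, and scoping the built-in Windows firewall's Remote Desktop rules to known admin addresses) can be scripted. The following is an added example, not code from the original contribution; it assumes the Az PowerShell module is installed and a session opened with Connect-AzAccount, and the address range in `$allowedSources` is a constructed placeholder.

```powershell
# Added example: audit Azure NSGs for internet-exposed RDP and scope the local
# Windows firewall. Assumes Az module + Connect-AzAccount; the range below is a
# constructed placeholder for your admin jump-host network.
$allowedSources = @('203.0.113.0/24')

# True when a single NSG port entry ('3389', '*', or a range like '3000-4000') covers TCP/3389.
function Test-PortEntryCoversRdp {
    param([string]$Entry)
    if ($Entry -eq '*' -or $Entry -eq '3389') { return $true }
    if ($Entry -match '^(\d+)-(\d+)$') {
        return ([int]$Matches[1] -le 3389) -and ([int]$Matches[2] -ge 3389)
    }
    return $false
}

# 1. Azure: list inbound Allow rules that expose RDP to any source.
#    SourceAddressPrefix and DestinationPortRange are lists in Az, so wrap in @().
function Find-OpenRdpRule {
    foreach ($nsg in Get-AzNetworkSecurityGroup) {
        foreach ($rule in $nsg.SecurityRules) {
            if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
            $ports   = @($rule.DestinationPortRange)
            $sources = @($rule.SourceAddressPrefix)
            $exposesRdp = @($ports | Where-Object { Test-PortEntryCoversRdp $_ }).Count -gt 0
            $wildcard   = @($sources | Where-Object { $_ -in '*', 'Internet', '0.0.0.0/0' }).Count -gt 0
            if ($exposesRdp -and $wildcard) {
                [pscustomobject]@{
                    NSG           = $nsg.Name
                    ResourceGroup = $nsg.ResourceGroupName
                    Rule          = $rule.Name
                    Priority      = $rule.Priority
                    Source        = ($sources -join ',')
                    Ports         = ($ports -join ',')
                }
            }
        }
    }
}

# 2. On-prem Windows host: restrict the built-in "Remote Desktop" inbound rules
#    to the allowed source addresses instead of leaving them open to any remote address.
function Set-RdpFirewallScope {
    param([string[]]$RemoteAddress)
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $RemoteAddress
}

# Usage (run the audit read-only first; apply the firewall scope on the server itself):
Find-OpenRdpRule | Format-Table -AutoSize
# Set-RdpFirewallScope -RemoteAddress $allowedSources
```

Any row returned by `Find-OpenRdpRule` is a rule that matches the wildcard condition the Microsoft post warns about; the `Set-RdpFirewallScope` call is left commented so the audit can be run without changing anything, and it should be applied with an address list that still includes the host you are administering from.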
https://twitter.com/msftsecintel/status/1308941504707063808?s=11 Microsoft has confirmed that they are seeing attacks in the wild.
From the SANS ISC:
https://isc.sans.edu/forums/diary/CVE202016898+Windows+ICMPv6+Router+Advertisement+RRDNS+Option+Remote+Code+Execution+Vulnerability/26684/
Highlight
Do not disable IPv6 entirely unless you want to break Windows in interesting ways.
This can only be exploited from the local subnet.
But it may lead to remote code execution / BSOD.
PoC exploit is easy, but actual RCE is hard.