Attacks abuse Microsoft DHCP to spoof DNS records and steal secrets

December 7, 2023 at 05:20PM

Akamai researchers found weaknesses in Microsoft Active Directory domains that allow attackers to spoof DNS records and reach stored secrets without needing any credentials. Akamai reported the issues, but Microsoft is not planning to fix them. Many networks are at risk; Akamai has provided a detection tool and mitigation advice.

**Meeting Takeaways:**

1. **Security Threat Identified**: Akamai security researchers have discovered attacks that could target Microsoft Active Directory domains, allowing attackers to spoof DNS records and compromise Active Directory, potentially accessing sensitive data stored within.

2. **Vulnerability in Default Configurations**: The identified attacks exploit the default configuration of Microsoft’s DHCP servers and require no credentials to carry out.

3. **Microsoft’s Response**: Microsoft has been informed of the issues by Akamai but currently has no plans to fix them. Microsoft has yet to respond to inquiries regarding this matter from The Register.

4. **Prevalence of the Vulnerability**: A significant number of organizations, approximately 40% of the networks Akamai monitors, are running the vulnerable DHCP configuration and are, therefore, at risk.

5. **Tool for Detection**: Akamai has provided a tool that system administrators can use to check for at-risk configurations.

6. **Future Disclosure of Attack Methods**: Akamai plans to publish code demonstrating how the DHCP DNS spoof attacks (DDSpoof) work, although technical details or proof-of-concept exploits have not yet been provided.

7. **Explanation of the Vulnerability**: The attacks misuse DHCP DNS Dynamic Updates, a feature that does not require authentication, which lets an unauthenticated attacker add or modify DNS records in the ADIDNS zone.

8. **Extent of the Problem**: The DHCP servers on domain controllers, present in 57% of the networks monitored by Akamai, are reportedly all vulnerable by default.

9. **Additional Concerns**: A second feature, the DNSUpdateProxy group, was also found to pose a security risk. Alongside it, a potential bug makes DNS records created by DNSUpdateProxy members vulnerable as well, since they can be ‘stolen’ by any authenticated user.

10. **Recommendations**: Until Microsoft addresses these issues, Akamai advises disabling DHCP DNS Dynamic Updates and not using DNSUpdateProxy; instead, it suggests configuring the same DNS credentials on every DHCP server.

11. **Waiting for Microsoft’s Input**: Further updates are expected if and when Microsoft responds to the reported issues.
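The conditions named in items 7 through 10 (Dynamic Updates enabled, DHCP on a domain controller, DNSUpdateProxy membership, and which DNS credential each DHCP server uses) can be audited from a domain-joined admin host. The script below is an added example written for this page; it is not Akamai's detection tool and not code from the article. It uses the cmdlets of Microsoft's DhcpServer and ActiveDirectory RSAT modules (`Get-DhcpServerInDC`, `Get-DhcpServerv4DnsSetting`, `Get-DhcpServerDnsCredential`, `Set-DhcpServerv4DnsSetting`, `Get-ADGroupMember`) and assumes the caller has rights to query each DHCP server remotely. The `-Remediate` switch is this example's own addition and only applies the article's first recommendation, turning off DHCP DNS Dynamic Updates.

```powershell
#Requires -Modules DhcpServer, ActiveDirectory
<#
 Added example, not the article's or Akamai's code.
 Audits the Microsoft DHCP settings the article describes as risky.
 Assumes: domain-joined host with RSAT (DhcpServer + ActiveDirectory modules)
 and permission to query every DHCP server authorized in AD.
#>
param(
    # Report only by default. -Remediate (assumed helper switch) disables
    # DHCP DNS Dynamic Updates on every server that still has them enabled.
    [switch]$Remediate
)

# Domain controllers (FQDNs) so we can flag DHCP roles co-located on a DC
$dcs = (Get-ADDomainController -Filter *).HostName

# DHCP servers authorized in Active Directory
$dhcpServers = Get-DhcpServerInDC

# Members of the DNSUpdateProxy group (computer objects use their short name)
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' -ErrorAction SilentlyContinue

$report = foreach ($srv in $dhcpServers) {
    $name = $srv.DnsName
    try {
        $dns  = Get-DhcpServerv4DnsSetting   -ComputerName $name -ErrorAction Stop
        $cred = Get-DhcpServerDnsCredential  -ComputerName $name -ErrorAction Stop
    } catch {
        Write-Warning "$name : could not query DHCP settings ($($_.Exception.Message))"
        continue
    }

    $findings = @()

    # Item 7/10: DynamicUpdates is Always, OnClientRequest or Never
    if ($dns.DynamicUpdates -ne 'Never') {
        $findings += "DHCP DNS Dynamic Updates enabled ($($dns.DynamicUpdates))"
    }
    # Item 8: DHCP role running on a domain controller
    if ($dcs -contains $name) {
        $findings += 'DHCP role running on a domain controller'
    }
    # Item 10: no dedicated DNS update credential configured at all
    if ([string]::IsNullOrEmpty($cred.UserName)) {
        $findings += 'No DNS update credential configured'
    }
    # Item 9: server is a member of DNSUpdateProxy
    $shortName = ($name -split '\.')[0]
    if ($proxyMembers.Name -contains $shortName) {
        $findings += 'Server is a member of DnsUpdateProxy'
    }

    if ($Remediate -and $dns.DynamicUpdates -ne 'Never') {
        Set-DhcpServerv4DnsSetting -ComputerName $name -DynamicUpdates Never
        $findings += 'Remediated: DynamicUpdates set to Never'
    }

    [pscustomobject]@{
        Server         = $name
        DynamicUpdates = $dns.DynamicUpdates
        OnDC           = ($dcs -contains $name)
        DnsCredential  = if ($cred.UserName) { "$($cred.DomainName)\$($cred.UserName)" } else { '(none)' }
        Findings       = ($findings -join '; ')
    }
}

$report | Format-Table -AutoSize

# Item 10 asks for the same DNS credential on every DHCP server:
# more than one distinct value here means the servers are not aligned.
Write-Host "`nDistinct DNS update credentials in use:"
$report.DnsCredential | Sort-Object -Unique
```

Run it without arguments first and review the Findings column; only servers whose Findings are empty match all of the article's recommendations. Because `Set-DhcpServerv4DnsSetting` changes live server configuration, the remediation step is opt-in and leaves the DNSUpdateProxy membership and credential alignment for the administrator to fix by hand.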
