check before: 2022-04-14
Product:
Office 365 general, Windows
Platform:
World tenant
Status:
Change type:
Admin impact
Links:
Details:
CVE-2021-42287, created November 2021, tracks a security bypass vulnerability that affects the Kerberos Privilege Attribute Certificate (PAC) and allows potential attackers to impersonate Domain Controllers (DCs). Windows Updates dated November 9, 2021 or later address this vulnerability. The improved authentication process in CVE-2021-42287 adds new information about the original requestor to the PACs of Kerberos Ticket-Granting Tickets (TGT). In 2022, further security enforcement will be released, and steps might be necessary to ensure continued compatibility in your environment, while keeping systems protected. Detailed guidance has been made available in KB5008380 - Authentication updates (CVE-2021-42287).
When will this happen:
Starting with the July 12, 2022 update, new security enforcement will be enabled on all Windows DCs and will be required. Leading up to this July date, Windows Updates are being released in the below timing:
November 9, 2021: Initial deployment phase – A new registry key titled PacRequestorEnforcement is created, allowing users to preview upcoming security levels early.
April 12, 2022: Second deployment phase – Removal of the ability to disable the PacRequestorEnforcement key via a value of 0. The DCs will be in “Deployment mode”.
July 12, 2022: Enforcement phase - Active Directory domain controllers enter “Enforcement mode”, removing the PacRequestorEnforcement key completely.
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2022-02-11
updated:
2022-08-27
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
** AI generated content. This information is not reliable.
the free basic plan is required to see all details. Sign up here
change history
| Date | Property | old | new |
| 2022-09-15 | MC prepare | Review and complete the steps detailed at KB5008380 - Authentication updates (CVE-2021-42287) to protect environments and avoid outages.
Additional information: Please refer to the below links for detailed guidance. KB5008380 - Authentication updates (CVE-2021-42287) CVE-2021-42287: Active Directory Domain Services Elevation of Privilege Vulnerability ps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287 ps://support.microsoft.com/help/500838 | Review and complete the steps detailed at KB5008380 - Authentication updates (CVE-2021-42287) to protect environments and avoid outages.
Additional information: Please refer to the below links for detailed guidance. KB5008380 - Authentication updates (CVE-2021-42287) CVE-2021-42287: Active Directory Domain Services Elevation of Privilege Vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287 https://support.microsoft.com/help/5008380 |
| 2022-08-27 | MC prepare | Review and complete the steps detailed at KB5008380 - Authentication updates (CVE-2021-42287) to protect environments and avoid outages.
Additional information: Please refer to the below links for detailed guidance. KB5008380 - Authentication updates (CVE-2021-42287) CVE-2021-42287: Active Directory Domain Services Elevation of Privilege Vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287 https://support.microsoft.com/help/5008380 | Review and complete the steps detailed at KB5008380 - Authentication updates (CVE-2021-42287) to protect environments and avoid outages.
Additional information: Please refer to the below links for detailed guidance. KB5008380 - Authentication updates (CVE-2021-42287) CVE-2021-42287: Active Directory Domain Services Elevation of Privilege Vulnerability ps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287 ps://support.microsoft.com/help/500838 |
Last updated 1 year ago ago
