Attacks Abuse Microsoft DHCP to Spoof DNS Records and Steal Secrets

by hubie from SoylentNews on (#6H30S)

upstart writes:

Akamai says it reported the flaws to Microsoft. Redmond shrugged:

A series of attacks against Microsoft Active Directory domains could allow miscreants to spoof DNS records, compromise Active Directory and steal all the secrets it stores, according to Akamai security researchers.

We're told the attacks - which are usable against servers running the default configuration of Microsoft Dynamic Host Configuration Protocol (DHCP) servers - don't require any credentials.

Akamai says it reported the issues to Redmond, which isn't planning to fix the issue. Microsoft did not respond to The Register's inquiries.

[...] DHCP is a commonly used network management protocol, and Microsoft's DHCP server is widely used in corporate networks. Organizations can create DNS records using a DHCP feature called DHCP DNS Dynamic Updates.

"Whenever a client is given an IP address by the DHCP server, the latter can contact the DNS server and update the client's DNS record," Akamai's Ori David explained.

When the DHCP server registers or modifies a DNS record on behalf of its clients, it uses DNS Dynamic Updates - and therein lies the problem. DHCP DNS Dynamic Updates does not require any authentication by the DHCP client, and Microsoft DHCP servers enable DHCP DNS Dynamic Updates by default.

"So an attacker can essentially use the DHCP server to authenticate to the DNS server on behalf of themselves," David said. "This grants the attacker access to the ADIDNS zone without any credentials."

[...] In addition to creating non-existent DNS records, unauthenticated attackers can also use the DHCP server to overwrite existing data, including DNS records inside the ADI zone in instances where the DHCP server is installed on a domain controller, which David says is the case in 57 percent of the networks Akamai monitors.
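The mechanism described above, as an added example that is not code from Akamai, Microsoft or the article: a Python script that builds the DHCP DISCOVER any client (authenticated or not) can send with a Client FQDN option (RFC 4702, option 81) naming the record it wants the DHCP server to register, parses it the way the server or a network sensor would, mirrors the server's DynamicUpdates policy, and flags requests that claim a protected name. The host names, MAC address and protected-name set are constructed for the example; the policy names mirror the three values Microsoft's DHCP server exposes (Never, OnClientRequest, Always).

```python
import random
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_HOSTNAME, OPT_MSG_TYPE, OPT_CLIENT_FQDN, OPT_END = 0, 12, 53, 81, 255
DHCPDISCOVER = 1

# Flag bits of the Client FQDN option (RFC 4702, section 2.1)
FQDN_S = 0x01  # client asks the server to perform the A/AAAA update
FQDN_O = 0x02  # set by the server when it overrides the client's S bit
FQDN_E = 0x04  # name is DNS wire format (length-prefixed labels), not ASCII
FQDN_N = 0x08  # client asks the server to perform no DNS update at all


def encode_wire_name(fqdn):
    # "dc01.corp.example" -> 04 "dc01" 04 "corp" 07 "example" 00
    out = b""
    for label in fqdn.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad DNS label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_wire_name(data):
    labels, i = [], 0
    while i < len(data) and data[i] != 0:
        n = data[i]
        labels.append(data[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


def build_client_fqdn_option(fqdn, flags=FQDN_S | FQDN_E):
    # value = flags, RCODE1, RCODE2 (a client sends 0, 0), then the name
    name = encode_wire_name(fqdn) if flags & FQDN_E else fqdn.encode("ascii")
    return bytes([flags, 0, 0]) + name


def build_dhcp_discover(mac, fqdn, xid=None):
    """DISCOVER carrying option 12 (host name) and option 81 (Client FQDN).
    Nothing in it authenticates the sender: the MAC and the name are
    whatever the client chose to put on the wire."""
    if xid is None:
        xid = random.getrandbits(32)
    hostname = fqdn.split(".")[0].encode("ascii")
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops, xid, secs, flags=broadcast,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file (RFC 2131 figure 1)
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                         b"", b"", b"", b"", mac, b"", b"")
    fqdn_opt = build_client_fqdn_option(fqdn)
    options = (bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
               + bytes([OPT_HOSTNAME, len(hostname)]) + hostname
               + bytes([OPT_CLIENT_FQDN, len(fqdn_opt)]) + fqdn_opt
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def parse_dhcp_options(packet):
    """{code: value} for the TLV options that follow the magic cookie."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == OPT_PAD:
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def requested_fqdn(packet):
    """(fqdn, flags) the client asked the server to register, or None."""
    opt = parse_dhcp_options(packet).get(OPT_CLIENT_FQDN)
    if opt is None or len(opt) < 3:
        return None
    flags, name = opt[0], opt[3:]
    fqdn = decode_wire_name(name) if flags & FQDN_E else name.decode("ascii", "replace")
    return fqdn.lower().rstrip("."), flags


def server_would_update(packet, policy="OnClientRequest"):
    """Mirror the server's DynamicUpdates policy (Never / OnClientRequest, the
    Windows default / Always). Note what is absent: any check of who sent the
    request; the DNS update itself is made with the server's own credential."""
    if policy == "Never":
        return False
    if policy == "Always":
        return True
    req = requested_fqdn(packet)
    return req is not None and bool(req[1] & FQDN_S) and not (req[1] & FQDN_N)


def spoof_attempts(packets, protected):
    """Sensor-side check: DHCP messages asking the server to register a name
    no ordinary client should own (DC names, wpad, file servers, ...)."""
    hits = []
    for pkt in packets:
        req = requested_fqdn(pkt)
        if req and req[1] & FQDN_S and req[0] in protected:
            hits.append((pkt[28:34].hex(":"), req[0]))  # chaddr sits at offset 28
    return hits


if __name__ == "__main__":
    # Constructed sample: an unauthenticated client claiming a DC's name.
    protected = {"dc01.corp.example", "wpad.corp.example"}
    rogue = build_dhcp_discover(bytes.fromhex("deadbeef0001"), "DC01.corp.example")
    print(requested_fqdn(rogue), server_would_update(rogue))
    print(spoof_attempts([rogue], protected))
```

Feed it captured DHCP payloads (Ethernet, IP and UDP headers stripped) to see which names clients are asking your DHCP server to own; a request for a domain controller's name or for wpad from an unfamiliar MAC is the event the article describes, and the policy function shows that with the default setting the only thing standing between that request and a DNS update is the S bit the client itself set.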

"All these domains are vulnerable by default," he wrote. "Although this risk was acknowledged by Microsoft in their documentation, we believe that the awareness of this misconfiguration is not in accordance with its potential impact."

[...] "Use the same DNS credential across all your DHCP servers instead," is the advice.

External Content
Source RSS or Atom Feed
Feed Location https://soylentnews.org/index.rss
Feed Title SoylentNews
Feed Link https://soylentnews.org/
Feed Copyright Copyright 2014, SoylentNews