CVE-2021-42287 - Active Directory Domain Services Elevation of Privilege Vulnerability
Microsoft has released security updates to address CVE-2021-42287, a security bypass in the handling of the Kerberos Privilege Attribute Certificate (PAC) that can allow an attacker to impersonate domain controllers.
The vulnerability itself does not affect the LoadMaster. However, the Microsoft update that addresses it has been observed to break any LoadMaster that uses the Edge Security Pack (ESP) together with Kerberos Constrained Delegation (KCD) as the server-side authentication method: once the domain controllers carry the update, the LoadMaster's request for a Kerberos ticket on the user's behalf fails, authentication fails, and users can no longer reach the published servers through the LoadMaster.
What Progress - Kemp is doing to address the situation
The failure is caused by the Microsoft security update for this CVE, not by the vulnerability itself. Microsoft has since released a corrected update.
See: Resolved issues in Windows 10, version 1809 and Windows Server 2019
Reference: Authentication might fail on DCs with certain Kerberos delegation scenarios.
Microsoft is aware of the situation and is addressing the issue outlined at that link.
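The following PowerShell script is an added example, not code from Kemp or Microsoft. It checks every domain controller for the corrected Kerberos update and then reviews the KCD settings of the account the LoadMaster uses for ESP, since both have to be right before ticket acquisition on the user's behalf will succeed. It assumes the RSAT ActiveDirectory module on the admin host and WinRM access to the DCs; the service account name is hypothetical, and only KB5008602 (the corrected update named in this thread for Windows Server 2019) is hard-coded, so the KB numbers for other server versions must be supplied from Microsoft's release notes.

```powershell
<#
Added example, not Kemp's or Microsoft's code: audit every domain controller for
the corrected Kerberos update and review the KCD settings of the ESP delegation
account. Assumes the RSAT ActiveDirectory module on the admin host and WinRM
access to the DCs. The account name is hypothetical.
#>
param(
    # KB5008602 is the corrected update named in this thread (Windows Server 2019).
    # Other server versions have their own KB numbers; the admin adds them here
    # from Microsoft's release notes (assumption, not taken from the page).
    [string[]]$FixKBs = @('KB5008602'),
    # Hypothetical name of the service account the LoadMaster uses for KCD.
    [string]$KcdAccount = 'svc-loadmaster-kcd'
)

Import-Module ActiveDirectory

# 1. Patch state per DC. The LoadMaster's ticket request goes to whichever DC
#    it locates, so a single DC still running the original update is enough to
#    cause intermittent ESP logon failures.
$dcReport = foreach ($dc in Get-ADDomainController -Filter *) {
    $installed = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-HotFix).HotFixID
    }
    [pscustomobject]@{
        DC     = $dc.HostName
        OS     = $dc.OperatingSystem
        HasFix = [bool]($installed | Where-Object { $FixKBs -contains $_ })
    }
}
$dcReport | Format-Table -AutoSize

$unpatched = $dcReport | Where-Object { -not $_.HasFix }
if ($unpatched) {
    Write-Warning ("DCs without a corrected update: " + ($unpatched.DC -join ', '))
}

# 2. KCD configuration of the ESP account. ESP authenticates the user itself
#    (forms, client certificate, ...) and then asks the KDC for a ticket on the
#    user's behalf, so the account needs protocol transition
#    (TrustedToAuthForDelegation) and an explicit list of back-end SPNs.
$acct = Get-ADUser -Identity $KcdAccount -Properties `
    'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation', 'ServicePrincipalName'

[pscustomobject]@{
    Account             = $acct.SamAccountName
    ProtocolTransition  = $acct.TrustedToAuthForDelegation
    OwnSPNs             = ($acct.ServicePrincipalName -join ', ')
    AllowedToDelegateTo = ($acct.'msDS-AllowedToDelegateTo' -join ', ')
} | Format-List

if (-not $acct.TrustedToAuthForDelegation) {
    Write-Warning "Protocol transition is off; ESP cannot obtain tickets for users it authenticated itself."
}
if (-not $acct.'msDS-AllowedToDelegateTo') {
    Write-Warning "No back-end SPNs listed; KCD will be refused for every server."
}
```

Run it from a domain-joined admin host after the DCs have been updated. A DC reported without the fix, or an ESP account without protocol transition or back-end SPNs, each explains the authentication failure on its own, so clear all of them before opening a support ticket.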
Jon Leisten: Microsoft, in my opinion, lists this issue as a Known Issue, and other Microsoft partners were not previously informed of this either. Neither KEMP nor other providers were prepared for what Microsoft has implemented here in an update. Furthermore, not only providers of load balancers are affected, but also products from Microsoft itself. Therefore, I can only agree with your comment to a limited extent.
We are evaluating our options on how best to proceed. We did not know about this beforehand. We are far from the only vendor affected, and many of the others are load balancers as well. When an update is available, we will provide one.
Good morning. Microsoft released KB5008602 on November 14, 2021 to solve this issue.
Are you going to check this?
Hello. We are aware of the patch from Microsoft and are currently testing it.
The following MS advisory may be helpful
Update on this: Microsoft has released patches for 2012, 2016 and 2019. They have been confirmed to work with KCD ticket creation and the LoadMaster.
For further questions please open up a support ticket with our CS team.
Thank you for the update and confirmation.
"While this does not affect the LoadMaster directly, it can and has been observed to impact any LoadMaster that is currently using our Edge Security Pack (ESP) and also using Kerberos Constrained Delegation (KCD)."
Sorry, KEMP, that is one crappy deflective comment. KEMP tends to disown responsibility when security vulnerabilities are detected, whether directly in KEMP software or when it is closely tied to the systems that KEMP so closely integrates with.
The casual and non-specific language of this bulletin gives me little to no confidence in you and your product. We've deployed your ESP with KCD for certificate based email and you're saying if we patch, it's our tough cookies that mail to those devices will no longer work, but hey, at least you guys are keeping an eye on things, monitoring it all.
Aren't you guys a Microsoft partner? Doesn't that mean you get information about these updates before the rest of the world so you can make sure your products continue to work properly with the system for which you advertise their use? Does your bulletin mean you've just been sitting on your hands??? If you don't have at least an update for all your customers in the next 48 hours, if not an outright fix, you've likely lost us as a customer. We won't be able to risk sticking with KEMP...