
CVE-2021-42287 - Active Directory Domain Services Elevation of Privilege Vulnerability

Summary

Microsoft has released security updates to address a security bypass vulnerability that affects the Kerberos Privilege Attribute Certificate (PAC) and allows potential attackers to impersonate domain controllers. The vulnerability has been identified as CVE-2021-42287.

While this does not affect the LoadMaster directly, it can affect, and has been observed to affect, any LoadMaster that is currently using our Edge Security Pack (ESP) together with Kerberos Constrained Delegation (KCD).

Impact

Authentication will fail, so users will be unable to access servers through the LoadMaster when ESP is used with KCD server-side authentication.

What Progress - Kemp is doing to address the situation

We are evaluating and supporting our customers through any impact and will advise on further updates.

Additional information

Microsoft is aware of the situation and is addressing the issue outlined in this link.

Comments


Jon Leisten

"While this does not affect the LoadMaster directly, it can and has been observed to impact any LoadMaster that is currently using our Edge Security Pack (ESP) and also using Kerberos Constrained Delegation (KCD)."

Sorry, KEMP, that is one crappy deflective comment. KEMP tends to disown responsibility when security vulnerabilities are detected, whether directly in KEMP software or when it is closely tied to the systems that KEMP so closely integrates with.

The casual and non-specific language of this bulletin gives me little to no confidence in you and your product. We've deployed your ESP with KCD for certificate based email and you're saying if we patch, it's our tough cookies that mail to those devices will no longer work, but hey, at least you guys are keeping an eye on things, monitoring it all.

Aren't you guys a Microsoft partner? Doesn't that mean you get information about these updates before the rest of the world so you can make sure your products continue to work properly with the system for which you advertise their use? Does your bulletin mean you've just been sitting on your hands??? If you don't have at least an update for all your customers in the next 48 hours, if not an outright fix, you've likely lost us as a customer. We won't be able to risk sticking with KEMP...


Patrick Acker

Jon Leisten

Microsoft, in my opinion, lists this issue as a Known Issue and other Microsoft partners were not previously informed of this either. Neither KEMP nor other providers were prepared for what Microsoft has implemented here in an update. Furthermore, not only providers of load balancers are affected, but also products from Microsoft itself. Therefore, I can only share your comment to a limited extent.


Nick Smylie

Jon Leisten

We are evaluating our options on how best to proceed. We did not know about this beforehand. We are far from the only vendor affected as well, many of which are other load balancers. When an update is available, we will provide one.


Kemper

Good Morning, Microsoft released KB5008602 on November 14, 2021, to solve this issue.
Are you going to check this?

Kindest Regards

Thorsten


Nick Smylie

Hello. We are aware of the patch from Microsoft and are currently testing this out.


Nick Smylie

Update on this. Microsoft has released a patch for 2012, 2016 and 2019. They have been confirmed to work with KCD ticket creation and the LoadMaster.

For further questions please open up a support ticket with our CS team.


Jon Leisten

Thank you for the update and confirmation.
