Active Directory vulnerability could allow privilege escalation
Report ID: MS201111004
Date Published: 10 November 2011
Compromise Type: privilege-escalation
Compromise From: remote
Active Directory Application Mode (ADAM)
Active Directory Lightweight Directory Service (AD LDS)
A vulnerability in Active Directory could allow an attacker to access network resources or execute code with authorized user privileges.
Microsoft has issued a security update that addresses a vulnerability reported in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). Systems with Active Directory installed and configured to use Lightweight Directory Access Protocol (LDAP) over SSL (LDAPS) are at high risk.
The vulnerability is caused by Active Directory's failure to validate the revocation status of an SSL certificate, so a revoked certificate is accepted as valid. An attacker could take advantage of this condition to authenticate to the Active Directory domain using a revoked certificate associated with a valid account on the domain. Upon successful exploitation, the attacker could access network resources or run code with the privileges of the authorized user.
The security update patches this vulnerability by correcting the way Active Directory verifies certificates against the Certificate Revocation List (CRL). To protect against potential exploitation, users are advised to install this update.
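The check that was missing, as an added Go example that is not Microsoft's code or the patch itself: a revocation lookup that trusts the CRL only after verifying its signature and validity window, exercised against a constructed test CA, a client-auth certificate for "alice" and a CRL on which the CA has revoked it. The names IsRevoked, Scenario and must are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IsRevoked reports whether cert is listed on crl. The CRL counts only if issuer signed it and it is
// current at now; otherwise an error is returned so the caller fails closed rather than accepting the cert.
func IsRevoked(cert *x509.Certificate, crl *x509.RevocationList, issuer *x509.Certificate, now time.Time) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("untrusted CRL: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL not current: valid %s to %s", crl.ThisUpdate, crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// must panics on fixture-building errors (constructed test data only, keeps Scenario short).
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// Scenario builds a constructed CA, issues alice's client certificate, has the CA revoke it on a
// fresh CRL, and returns the decision IsRevoked reaches for that certificate.
func Scenario() (bool, error) {
	now := time.Now()
	caKey, userKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, SubjectKeyId: []byte{1, 2, 3, 4}}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	user := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, userTmpl, ca, &userKey.PublicKey, caKey))))
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: user.SerialNumber, RevocationTime: now}}}, ca, caKey))
	return IsRevoked(user, must(x509.ParseRevocationList(crlDER)), ca, now)
}

func main() { fmt.Println(Scenario()) } // true <nil>
```

A server that skips IsRevoked, or treats its error as "not revoked", reproduces the advisory's failure mode: alice's revoked certificate would still authenticate.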
Install the latest security patch for the applicable component, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms11-086