External risk intelligence

Windows LSA Spoofing Vulnerability Affects Server Systems

CVE advisoryKnown Exploit

CVE-2021-36942

Windows Server systems are affected by a spoofing vulnerability. Attackers can impersonate services, leading to unauthorized data access and potential business disruption. Organizations should apply vendor updates to mitigate this risk.

2Halo Surface Signal

Microsoft Windows Server 2004

before 10.0.19041.1165r2before 10.0.14393.4583before 10.0.17763.2114before 10.0.19042.1165

External exposure likelihood

Halo Surface Signal score for CVE-2021-36942

The vulnerability involves the Local Security Authority (LSA) RPC interface, which is an internal system component. While network-reachable within a domain environment, this interface is not intended for public internet exposure. It is typically accessed only by authorized internal systems and services, making direct public-facing exposure uncommon in standard, secure network configurations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in Windows Server that could allow an attacker to impersonate legitimate system services. This flaw could enable unauthorized access to sensitive information or systems by tricking them into authenticating with a malicious server. The potential impact includes compromised data and disruption of business operations.

  • Windows Server operating systems
  • Spoofing of system services
  • Unauthorized access and data compromise

Attack Path

How an attacker could exploit the issue

This vulnerability allows an attacker to impersonate a system or user by exploiting the Windows Local Security Authority (LSA) interface. An unauthenticated attacker can coerce a domain controller to authenticate to a server they control using NTLM. This could lead to unauthorized access or data compromise within the network.

  • Network exposure required.
  • Attacker calls LSARPC interface.
  • Coerces domain controller to authenticate.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Microsoft Windows allows an attacker to impersonate a domain controller. This could result in unauthorized access and data exposure within the affected organization. While the exploit itself is not complex, it requires specific conditions to be met within the network.

  • Attackers need moderate skill.
  • Requires network access to the domain.
  • Business risk is significant.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Windows allows an unauthenticated attacker to compromise the Local Security Authority (LSA) on affected systems. Exploitation could lead to an attacker forcing a domain controller to authenticate to another server using NTLM. This could result in the disclosure of sensitive credentials.

  • Identify Windows systems.
  • Isolate systems from network access.
  • Apply vendor updates and verify.
  • Monitor for suspicious authentication activity.

Frequently asked questions

What is the Windows Server Local Security Authority (LSA) Spoofing Vulnerability (CVE-2021-36942)?

This vulnerability affects Microsoft Windows Server operating systems. It allows an attacker to impersonate legitimate system services by exploiting the Windows Local Security Authority (LSA) interface, potentially leading to unauthorized access to sensitive information or systems.

How does CVE-2021-36942 enable an attacker to spoof system services?

The vulnerability is a spoofing weakness. An unauthenticated attacker can exploit it by calling a method on the LSARPC interface, which can then coerce a domain controller to authenticate to a server controlled by the attacker using NTLM.

What are the conditions an attacker needs to exploit CVE-2021-36942?

An attacker needs network access to the domain. They exploit the Local Security Authority (LSA) Remote Procedure Call (RPC) interface. The vulnerability is not triggered if network access to this interface is restricted or unavailable.

Who should be concerned about the Windows LSA Spoofing Vulnerability?

Organizations running affected Windows Server versions should be concerned. The Halo Surface Signal indicates this vulnerability is unlikely to be directly internet-facing, but it can be exploited within a domain environment, posing a risk to internal systems.

What is the first step to address the Windows LSA Spoofing Vulnerability?

The initial step is to identify all Windows Server systems within your environment that may be affected. It is recommended to apply vendor updates as soon as possible and monitor for any unusual authentication activity on your network.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified