“DFSCoerce” is another forced authentication issue in Windows that can be used by a low-privileged domain user to take over a Windows server, potentially becoming a domain admin within minutes. The issue was discovered by security researcher Filip Dragovic, who also published a POC.
Filip’s tweet indicated this issue can be used even if you have disabled or filtered services that other currently known forced authentication issues such as PrinterBug/SpoolSample, PetitPotam, ShadowCoerce and RemotePotato0 are exploiting: “Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want to relay DC authentication to ADCS? Don’t worry MS-DFSNM have your back ;)”
A quick reminder: Microsoft does not fix forced authentication issues unless an attack can be mounted anonymously. Our customers unfortunately can’t all disable relevant services or implement mitigations without breaking production, so it is on us to provide them with such patches…
Micropatch Availability
While this vulnerability has no official patch and could be considered a “0day”, Microsoft seems determined not to fix relaying issues such as this one; therefore, this micropatch is not provided in the FREE plan but requires a PRO or Enterprise license.
The micropatch was written for the following Versions of Windows with all available Windows Updates installed:
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022 ..
|
There are isolated problems with current patches, but they are well-known and documented on this site. |
-
0Patch : Micropatching the “DFSCoerce” Forced Authentication Issue (No CVE)
- This topic has 3 replies, 3 voices, and was last updated 10 months, 3 weeks ago.
AuthorViewing 2 reply threadsAuthor-
A quick reminder: Microsoft does not fix forced authentication issues unless an attack can be mounted anonymously. Our customers unfortunately can’t all disable relevant services or implement mitigations without breaking production, so it is on us to provide them with such patches…
What does this mean? Will there come “some attention” oneday?
Right now it looks like a usefull ∅Day
Do you have more info please?* _ the metaverse is poisonous _ * -
Do you have more info please?
0Patch blog post is quite comprehensive.
1 user thanked author for this post.
-
Viewing 2 reply threads
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Recent Topics
-
Windows 11 Insider Preview build 25375 released to Canary
by 1 hour, 19 minutes ago
-
Windows 11 Insider Preview Build 22621.1825 and 22624.1825 released to BETA
by 1 hour, 23 minutes ago
-
Duplicate image name brings up old images
by 1 day, 6 hours ago
-
XP offline activation tool, xp_activate32.exe
by 7 hours, 56 minutes ago
-
Huge Tesla leak reveals thousands of safety concerns, privacy problems
by 1 day, 11 hours ago
-
Android : iRecorder – Screen Recorder new Android RAT
by 1 day, 11 hours ago
-
HP has found an exciting new way to DRM your printer!
by 1 day, 11 hours ago
-
Outlook 2019 Resend “you do not appear to be the original sender…” msg
by 2 days, 2 hours ago
-
Wine update?
by 1 day, 1 hour ago
-
Issue with \windows\servicing\LCU\Package_for_rollupFix…
by 1 day, 8 hours ago
-
Java JDK 20 – Should I install it?
by 15 hours, 37 minutes ago
-
Windows 10 won’t boot on a new motherboard
by 1 day, 14 hours ago
-
Cannot Update Win 10 to 22H2 from 21H2
by 2 days, 12 hours ago
-
Microsoft : Saving or copying files might intermittently fail
by 2 days, 8 hours ago
-
Chinese Volt Typhoon hit US critical infrastructure sectors
by 1 day, 2 hours ago
-
EFF: How to Fix the Internet-People With Disabilities Are The Original Hackers
by 1 day, 22 hours ago
-
Windows 11 Insider Preview build 23466 released to DEV
by 3 days, 9 hours ago
-
Cannot Un-suspend tasks
by 3 days, 9 hours ago
-
Old Hardware
by 2 days, 15 hours ago
-
New ways to customize Chrome on your desktop
by 3 days, 19 hours ago
-
Microsoft ‘killed” WinRAR and 7-zip
by 3 days, 6 hours ago
-
Losing Wireless Identity
by 1 day, 7 hours ago
-
45 min for hackers to brute-force fingerprint authentication of android devices
by 4 days, 7 hours ago
-
Windows 11 Moments 3 coming May 24
by 3 days, 9 hours ago
-
How to make a portable app show up on the start menu?
by 2 days, 10 hours ago
-
Delete Key Misbehaving
by 4 days, 6 hours ago
-
KB5026363 not installing on one server
by 3 days, 23 hours ago
-
SanDisk Extreme SSDs keep abruptly failing—firmware fix for only some promised
by 19 hours, 35 minutes ago
-
MS-DEFCON 4: Skip those Secure Boot scripts
by 2 days, 15 hours ago
-
Can Forums emulate “Set Target Frame” in MS WORD?
by 4 days, 12 hours ago
