• 0Patch : Micropatching the “DFSCoerce” Forced Authentication Issue (No CVE)

    Home » Forums » Admin IT Lounge » Admin IT Lounge – Miscellaneous » 0Patch : Micropatching the “DFSCoerce” Forced Authentication Issue (No CVE)

    Author
    Topic
    #2458135

    https://blog.0patch.com/

    “DFSCoerce” is another forced authentication issue in Windows that can be used by a low-privileged domain user to take over a Windows server, potentially becoming a domain admin within minutes. The issue was discovered by security researcher Filip Dragovic, who also published a POC.

    Filip’s tweet indicated this issue can be used even if you have disabled or filtered services that other currently known forced authentication issues such as PrinterBug/SpoolSample, PetitPotam, ShadowCoerce and RemotePotato0 are exploiting: “Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want to relay DC authentication to ADCS? Don’t worry MS-DFSNM have your back ;)”

    A quick reminder: Microsoft does not fix forced authentication issues unless an attack can be mounted anonymously. Our customers unfortunately can’t all disable relevant services or implement mitigations without breaking production, so it is on us to provide them with such patches…

    Micropatch Availability

    While this vulnerability has no official patch and could be considered a “0day”, Microsoft seems determined not to fix relaying issues such as this one; therefore, this micropatch is not provided in the FREE plan but requires a PRO or Enterprise license.

    The micropatch was written for the following Versions of Windows with all available Windows Updates installed:

    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016
    Windows Server 2019
    Windows Server 2022 ..

    Viewing 2 reply threads
    Author
    Replies
    • #2458145

      A quick reminder: Microsoft does not fix forced authentication issues unless an attack can be mounted anonymously. Our customers unfortunately can’t all disable relevant services or implement mitigations without breaking production, so it is on us to provide them with such patches…

      What does this mean? Will there come “some attention” oneday?
      Right now it looks like a usefull ∅Day
      Do you have more info please?

      * Is this a fact: "foreignpolicy.com/2022/04/25/the-real-threat-to-social-media-is-europe", Really? * get out of the poisonous Metaverse *
      • This reply was modified 1 month, 1 week ago by Fred.
    • #2458147

      Do you have more info please?

      0Patch blog post is quite comprehensive.

      1 user thanked author for this post.
    • #2458175

      Right now it looks like a usefull ∅Day

      This is only applicable in business / corporate where an Active Directory network is in use.
      Not an issue for home / SOHO users.

      cheers, Paul

    Viewing 2 reply threads
    Reply To: 0Patch : Micropatching the “DFSCoerce” Forced Authentication Issue (No CVE)

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: