-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0861
  Updated Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
                               11 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Active Directory
Publisher:         Microsoft
Operating System:  Windows
Resolution:        Patch/Upgrade
Reference:         ESB-2020.0454

Original Bulletin:
   https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

Comment: Microsoft have announced that the March 10, 2020 security updates are
         now available. These updates add options for administrators to
         harden the configurations for LDAP channel binding on Active
         Directory domain controllers.

- --------------------------BEGIN INCLUDED TEXT--------------------

ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing

Security Advisory
Published: 08/13/2019 | Last Updated: 03/10/2020
MITRE ADV190023

Executive Summary

LDAP channel binding and LDAP signing provide ways to increase the security for
communications between LDAP clients and Active Directory domain controllers. A
set of unsafe default configurations for LDAP channel binding and LDAP signing
exist on Active Directory domain controllers that let LDAP clients communicate
with them without enforcing LDAP channel binding and LDAP signing. This can open
Active Directory domain controllers to an elevation of privilege vulnerability.

Microsoft is aware that when these default configurations are used, an
elevation of privilege vulnerability exists in Microsoft Windows that could
allow a man-in-the-middle attacker to successfully forward an authentication
request to a Windows LDAP server, such as a system running AD DS, which has not
been configured to require channel binding, and signing or sealing on incoming
connections.
Microsoft is addressing this vulnerability by providing recommendations for
administrators to harden the configurations for LDAP channel binding and LDAP
signing on Active Directory domain controllers as follows:

1. In August 2019, Microsoft published ADV190023 with the following
   recommendations for settings:
   1. LDAP signing to Require Signing in group policy.
   2. Channel Binding Token (CBT) to 1 as a registry key, or set the "Domain
      controller: LDAP server channel binding token requirements" group policy
      to When Supported after installing the March 10, 2020 updates.
2. On March 10, 2020, Windows updates will add options for administrators to
   harden the configurations for LDAP channel binding on Active Directory
   domain controllers. The updates add:
   1. The "Domain controller: LDAP server channel binding token requirements"
      group policy.
   2. CBT signing events 3039, 3040, and 3041 with event source
      Microsoft-Windows-ActiveDirectory_DomainService in the Directory Service
      event log.

Important: The March 10, 2020 updates, and updates in the foreseeable future,
will not make changes to LDAP signing or LDAP channel binding policies or their
registry equivalent on new or existing domain controllers. Note that the LDAP
signing policy "Domain controller: LDAP server signing requirements" already
exists in all supported versions of Windows.

Recommended Actions

Microsoft recommends that administrators configure LDAP signing and LDAP channel
binding as recommended in Step One of the Executive Summary of this advisory
and as described in detail in KB4520412: 2020 LDAP channel binding and LDAP
signing requirement for Windows.

How to get notified of updates to this advisory

When the March 10, 2020 Windows updates become available, customers will be
notified via a revision to this advisory. If you wish to be notified when these
updates are released, we recommend that you register for the security
notifications mailer to be alerted of content changes to this advisory.
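The two settings the advisory asks administrators to change, and the three CBT events the March 10, 2020 updates introduce, can be checked from a domain controller with the PowerShell below. This is an added example, not part of the Microsoft advisory or the AusCERT bulletin. The registry value names LDAPServerIntegrity and LdapEnforceChannelBinding (the "registry equivalent" of the two group policies) and their numeric meanings are taken from the referenced KB935834 and KB4034879 rather than from this page, and the function names are the example's own.

```powershell
# Added example (not from the Microsoft advisory or the AusCERT bulletin).
# Run on a domain controller as an administrator, Windows PowerShell 5.1 or later.
#
# Assumptions (the advisory names the policies, not these registry values):
#  - LDAP signing is the DWORD 'LDAPServerIntegrity' and channel binding the
#    DWORD 'LdapEnforceChannelBinding' under the NTDS Parameters key, as
#    documented in KB935834 and KB4034879 (both referenced by the advisory).
#  - LDAPServerIntegrity: 1 = None, 2 = Require signing.
#  - LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-LdapHardeningState {
    <# Reads both settings and compares them with the advisory's Step One
       recommendation: Require Signing (2) and CBT "When Supported" (1). #>
    param([string]$KeyPath = $NtdsParams)

    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop

    # A missing value means the unsafe default described in the advisory applies.
    $signing = if ($null -ne $props.LDAPServerIntegrity) { [int]($props.LDAPServerIntegrity) } else { $null }
    $cbt     = if ($null -ne $props.LdapEnforceChannelBinding) { [int]($props.LdapEnforceChannelBinding) } else { $null }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        LDAPServerIntegrity       = $signing
        SigningMeetsAdvisory      = ($signing -eq 2)
        LdapEnforceChannelBinding = $cbt
        CbtMeetsAdvisory          = ($null -ne $cbt -and $cbt -ge 1)
    }
}

function Set-LdapHardening {
    <# Writes the recommended values as the registry equivalent of the two
       group policies. Group Policy is the route the advisory recommends;
       this is for a lab or a DC that is not policy-managed. Supports -WhatIf. #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$KeyPath = $NtdsParams)

    if ($PSCmdlet.ShouldProcess($KeyPath, 'Set LDAPServerIntegrity=2 and LdapEnforceChannelBinding=1')) {
        Set-ItemProperty -Path $KeyPath -Name 'LDAPServerIntegrity'       -Value 2 -Type DWord
        Set-ItemProperty -Path $KeyPath -Name 'LdapEnforceChannelBinding' -Value 1 -Type DWord
    }
}

function Get-LdapCbtEvents {
    <# Returns the CBT events 3039, 3040 and 3041 that the March 10, 2020
       updates add to the Directory Service log, newest first, so that clients
       affected by channel binding can be reviewed before the setting is
       tightened further. #>
    param(
        [int]$Days = 7,
        [int]$MaxEvents = 500
    )

    $filter = @{
        LogName      = 'Directory Service'
        ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
        Id           = 3039, 3040, 3041
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    # SilentlyContinue: Get-WinEvent raises an error when no event matches.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: show the current configuration, then how many of each CBT event
# were logged in the last week (none before the March 10, 2020 update).
Get-LdapHardeningState | Format-List
Get-LdapCbtEvents | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
```

Run Get-LdapHardeningState across all domain controllers first; a DC that reports a $null value is still on the default configuration the Executive Summary describes. Set-LdapHardening -WhatIf shows the change without applying it, and once the March 10, 2020 update is installed the events returned by Get-LdapCbtEvents are the signal that channel binding is being evaluated on that DC.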
See Microsoft Technical Security Notifications.

References

See the following Microsoft Knowledge Base articles for detailed guidance on how
to enable LDAP channel binding and LDAP signing on Active Directory domain
controllers:

  o KB4520412: 2020 LDAP channel binding and LDAP signing requirement for
    Windows
  o KB4034879: LDAP channel binding
  o KB935834: LDAP signing
  o KB4546509: Frequently asked questions about changes to Lightweight
    Directory Access Protocol

FAQ

Where can I find further answers to my questions?

For a list of Frequently Asked Questions on LDAP channel binding and LDAP
signing on Active Directory Domain Controllers, see KB4546509: Frequently asked
questions about changes to Lightweight Directory Access Protocol. See also
KB4520412: 2020 LDAP channel binding and LDAP signing requirement for Windows.

Exploitability Assessment

The following table provides an exploitability assessment for this
vulnerability at the time of original publication.

Publicly    Exploited  Latest Software       Older Software        Denial of
Disclosed              Release               Release               Service
---------   ---------  --------------------  --------------------  --------------
Yes         No         2 - Exploitation      2 - Exploitation      Not Applicable
                       Less Likely           Less Likely

  o Security Updates
  o CVSS Score

Security Updates

To determine the support life cycle for your software version or edition, see
the Microsoft Support Lifecycle.
The original table has the columns Product, Platform, Article, Download,
Impact, Severity and Supersedence. Every row has Impact "Defense in Depth" and
no Severity or Platform value, so the rows are grouped below by the update that
applies to them.

4540670 Security Update (supersedes 4537764):
  o Windows 10 Version 1607 for 32-bit Systems
  o Windows 10 Version 1607 for x64-based Systems
  o Windows Server 2016
  o Windows Server 2016 (Server Core installation)

4538461 Security Update (supersedes 4532691):
  o Windows 10 Version 1809 for 32-bit Systems
  o Windows 10 Version 1809 for x64-based Systems
  o Windows Server 2019
  o Windows Server 2019 (Server Core installation)

4540673 Security Update (supersedes 4532693):
  o Windows 10 Version 1903 for 32-bit Systems
  o Windows 10 Version 1903 for ARM64-based Systems
  o Windows 10 Version 1903 for x64-based Systems
  o Windows 10 Version 1909 for 32-bit Systems
  o Windows 10 Version 1909 for ARM64-based Systems
  o Windows 10 Version 1909 for x64-based Systems
  o Windows Server, version 1903 (Server Core installation)
  o Windows Server, version 1909 (Server Core installation)

4540688 Monthly Rollup / 4541500 Security Only (supersedes 4537820):
  o Windows 7 for 32-bit Systems Service Pack 1
  o Windows 7 for x64-based Systems Service Pack 1
  o Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
  o Windows Server 2008 R2 for x64-based Systems Service Pack 1
  o Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core
    installation)

4541509 Monthly Rollup / 4541505 Security Only (supersedes 4537821):
  o Windows 8.1 for 32-bit systems
  o Windows 8.1 for x64-based systems
  o Windows Server 2012 R2
  o Windows Server 2012 R2 (Server Core installation)

4541509 Monthly Rollup only (supersedes 4537821):
  o Windows RT 8.1

4541506 Monthly Rollup / 4541504 Security Only (supersedes 4537810):
  o Windows Server 2008 for 32-bit Systems Service Pack 2
  o Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core
    installation)
  o Windows Server 2008 for Itanium-Based Systems Service Pack 2
  o Windows Server 2008 for x64-based Systems Service Pack 2
  o Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core
    installation)

4541510 Monthly Rollup / 4540694 Security Only (supersedes 4537814):
  o Windows Server 2012
  o Windows Server 2012 (Server Core installation)

CVSS Score

The following software versions or editions that are affected have been scored
against this vulnerability. Please read the CVSS standards guide to fully
understand how CVSS vulnerabilities are scored, and how to interpret CVSS
scores.

The CVSS table in the original advisory has the columns Product, Platform,
Scores (Base, Temporal, Environmental) and Vector String. It lists the same
products as the Security Updates table above, and no Base, Temporal or
Environmental score or vector string appears for any of them.

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Acknowledgements

Microsoft recognizes the efforts of those in the security community who help us
protect customers through coordinated vulnerability disclosure. See
acknowledgements for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either express
or implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Microsoft Corporation or its suppliers be
liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if Microsoft
Corporation or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.

Revisions

Version  Date        Description
-------  ----------  --------------------------------------------------------
1.0      08/13/2019  Information published.
1.1      09/09/2019  Revised Recommended Actions section to provide customers
                     with more detailed information about actions to take to
                     make LDAP channel binding and LDAP signing on Active
                     Directory Domain Controllers more secure.
1.2      12/17/2019  In the Recommended Actions section, updated the opening
                     sentence to indicate that the Windows update will be
                     available in March 2020.
1.3      02/04/2020  In the Recommended Actions section, added information
                     that details what will be included in the March 2020
                     updates to enable hardening LDAP Channel Binding and LDAP
                     Signing. Included information about a future monthly
                     update that will LDAP signing and channel binding on
                     domain controllers configured with default values for
                     those settings. These are informational changes only.
1.4      02/28/2020  The following revisions have been made: 1. Clarified the
                     actions customers need to take to harden the
                     configurations for LDAP channel binding and LDAP signing
                     on Active Directory Domain Controllers. 2. In the
                     References section, added a link to KB4546509:
                     https://support.microsoft.com/en-us/help/4546509 -
                     Frequently asked questions about changes to Lightweight
                     Directory Access Protocol. 3. Updated the FAQ section to
                     direct customers to KB4546509.
2.0      03/10/2020  Microsoft is announcing that the March 10, 2020 security
                     updates are available that add options for administrators
                     to harden the configurations for LDAP channel binding on
                     Active Directory domain controllers. These options are:
                     1. "Domain controller: LDAP server channel binding token
                     requirements" group policy. 2. CBT signing events 3039,
                     3040, and 3041 with event source
                     Microsoft-Windows-ActiveDirectory_DomainService in the
                     Directory Service event log. Note that these March 10,
                     2020 updates and updates in the foreseeable future will
                     not make changes to LDAP signing or LDAP channel binding
                     policies or their registry equivalent on new or existing
                     domain controllers.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXmhkGmaOgq3Tt24GAQjKRBAAj0tI55DnmHX6aP6gGTjt4KkIy4xET47W
M5ugd5/YjK0LYFD6d6F9WEQ2AdFstV4OlTitgMP2bKRyAEez7fF6x1wILrGUPgLj
5XI4te5TSNAuM87aa5UBHc8e9h9F+VjDQL8Y3tQuhNknZFoHsMFnWL056jJY7bDi
JrNwS+qHS/ETrsCIP2G5JnWKLH4WKX4zuINF7X+n6cFqfdzv04IOCT4hvGbR8Nhz
lh7/pL2QKJ7AZU7lTuakqouLD1ucZQmEaquzcxhwJVJB7taSurFffDvwHV1nrClk
kwBb2IPH42dJd3KDxfisI/GBjj9NBAdXwAjEwvcE9zKDuOpmTRZy4HgPx1WMEBAa
iaUoii0seAvQNWBD8s9abVqGZdtbJc7stUEKAxuZHiG2s1G3luT14Ga10liYKgZX
BkFN6oKUMZK5/il6zS9QmfK/vME2dDVIfWuLxOUezWzVNsTWnAeMBKs2G7lxQJNb
1phI7WDDe62a192l7KUsS+4Gv9cuRFj/mpZ6kcCv/XdU0ZhOUMr/hsYG+wiIi+el
7kgHdQPon8PLfsnYS6BypVbnrEGp+QI+k/06KbC/kr4rbjIpinDomsYN5eLF+Bq1
OUT0xONh5YWvAdEu0e378quD/sqQDGeN8DbDrRVbbO06xEOizCTJuQevqIG+ga9S
uLczHpmRUik=
=giGL
-----END PGP SIGNATURE-----