===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0861
       Updated Microsoft Guidance for Enabling LDAP Channel Binding
                             and LDAP Signing
                               11 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Active Directory
Publisher:         Microsoft
Operating System:  Windows
Resolution:        Patch/Upgrade

Reference:         ESB-2020.0454

Original Bulletin: 
   https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

Comment: Microsoft have announced that the March 10, 2020 security updates
         are now available. These updates add options for administrators to
         harden the configurations for LDAP channel binding on Active
         Directory domain controllers.

--------------------------BEGIN INCLUDED TEXT--------------------

ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP
Signing

Security Advisory

Published: 08/13/2019 | Last Updated: 03/10/2020
MITRE ADV190023

Executive Summary

LDAP channel binding and LDAP signing provide ways to increase the security for
communications between LDAP clients and Active Directory domain controllers. A
set of unsafe default configurations for LDAP channel binding and LDAP signing
exist on Active Directory domain controllers that let LDAP clients communicate
with them without enforcing LDAP channel binding and LDAP signing. This can
open Active Directory domain controllers to an elevation of privilege
vulnerability.

Microsoft is aware that when these default configurations are used, an
elevation of privilege vulnerability exists in Microsoft Windows that could
allow a man-in-the-middle attacker to successfully forward an authentication
request to a Windows LDAP server, such as a system running AD DS, which has not
been configured to require channel binding, and signing or sealing, on incoming
connections.

Microsoft is addressing this vulnerability by providing recommendations for
administrators to harden the configurations for LDAP channel binding and LDAP
signing on Active Directory domain controllers as follows:

 1. In August 2019, Microsoft published ADV190023 with the following
    recommended settings:

     1. Set LDAP signing to Require Signing in group policy.
     2. Set the Channel Binding Token (CBT) registry value to 1, or, after
        installing the March 10, 2020 updates, set the Domain controller:
        LDAP server channel binding token requirements group policy to When
        Supported.
 2. On March 10, 2020, Windows updates will add options for administrators to
    harden the configurations for LDAP channel binding on Active Directory
    domain controllers. The updates add:

     1. Domain controller: LDAP server channel binding token requirements group
        policy.
     2. CBT signing events 3039, 3040, and 3041 with event source
        Microsoft-Windows-ActiveDirectory_DomainService in the Directory
        Service event log.

Important: The March 10, 2020 updates, and updates in the foreseeable future,
will not make changes to the LDAP signing or LDAP channel binding policies or
their registry equivalents on new or existing domain controllers.

Note that the LDAP signing policy, Domain controller: LDAP server signing
requirements, already exists in all supported versions of Windows.

Recommended Actions

Microsoft recommends that administrators configure LDAP signing and LDAP
channel binding as recommended in Step One of the Executive Summary of this
advisory and as described in detail in KB4520412: 2020 LDAP channel binding and
LDAP signing requirement for Windows.
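An added audit example (not code from the advisory or from Microsoft's KB articles): run locally on a domain controller, it reads the registry equivalents of the two policies named in Step One and counts the new CBT events 3039, 3040 and 3041 in the Directory Service log. The value names LDAPServerIntegrity and LdapEnforceChannelBinding and their 0/1/2 meanings are assumptions taken from KB4520412, not from the text of this advisory.

```powershell
# Assumption: runs on a domain controller with rights to read the NTDS
# parameters key and the Directory Service event log.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-LdapHardeningState {
    $props = Get-ItemProperty -Path $ntds -ErrorAction Stop

    # LDAPServerIntegrity (assumed from KB4520412): 1 = None (default),
    # 2 = Require signing. Absent value behaves like the default.
    $signing = 1
    if ($null -ne $props.LDAPServerIntegrity) { $signing = [int]$props.LDAPServerIntegrity }

    # LdapEnforceChannelBinding (assumed from KB4520412): 0 = Never (default),
    # 1 = When supported, 2 = Always.
    $cbt = 0
    if ($null -ne $props.LdapEnforceChannelBinding) { $cbt = [int]$props.LdapEnforceChannelBinding }

    $signingText = 'None'
    if ($signing -eq 2) { $signingText = 'Require signing' }

    $cbtText = 'Never'
    if ($cbt -eq 1) { $cbtText = 'When supported' }
    if ($cbt -eq 2) { $cbtText = 'Always' }

    [pscustomobject]@{
        LdapSigning      = $signingText
        LdapSigningOk    = ($signing -eq 2)   # advisory: Require Signing
        ChannelBinding   = $cbtText
        ChannelBindingOk = ($cbt -ge 1)       # advisory: CBT = 1 / When Supported
    }
}

function Get-CbtEventSummary {
    param([int]$Days = 7)

    # Events 3039, 3040 and 3041 are written with source
    # Microsoft-Windows-ActiveDirectory_DomainService to the Directory
    # Service log once the March 10, 2020 updates are installed.
    $filter = @{
        LogName      = 'Directory Service'
        ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
        Id           = 3039, 3040, 3041
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: Get-WinEvent raises an error when no events match.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{ EventId = [int]$_.Name; Count = $_.Count }
    }
}

$state = Get-LdapHardeningState
$state | Format-List

if (-not $state.LdapSigningOk) {
    Write-Warning 'LDAP server signing is not required (LDAPServerIntegrity is not 2).'
}
if (-not $state.ChannelBindingOk) {
    Write-Warning 'LDAP channel binding is not enforced (LdapEnforceChannelBinding is 0).'
}

Write-Host 'CBT events (3039/3040/3041) in the last 7 days:'
Get-CbtEventSummary | Format-Table -AutoSize
```

An empty event summary on a patched DC usually means the updates have not produced any CBT events in the window, not that the log query failed.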

How to get notified of updates to this advisory

When the March 10, 2020 Windows updates become available, customers will be
notified via a revision to this advisory. If you wish to be notified when these
updates are released, we recommend that you register for the security
notifications mailer to be alerted of content changes to this advisory. See
Microsoft Technical Security Notifications.

References

See the following Microsoft Knowledge Base articles for detailed guidance on
how to enable LDAP channel binding and LDAP signing on Active Directory domain
controllers:

  o KB4520412: 2020 LDAP channel binding and LDAP signing requirement for
    Windows
  o KB4034879: LDAP channel binding
  o KB935834: LDAP signing
  o KB4546509: Frequently asked questions about changes to Lightweight
    Directory Access Protocol

FAQ

Where can I find further answers to my questions?

For a list of Frequently Asked Questions on LDAP channel binding and LDAP
signing on Active Directory Domain Controllers, see KB4546509: Frequently asked
questions about changes to Lightweight Directory Access Protocol. See also
KB4520412: 2020 LDAP channel binding and LDAP signing requirement for Windows.

                                              Exploitability Assessment

The following table provides an exploitability assessment for this vulnerability at the time of original publication.

Publicly  Exploited Latest Software Release Older Software Release Denial of Service
Disclosed
Yes       No        2 - Exploitation Less   Not Applicable         2 - Exploitation  Not        Not        Not
                    Likely                                         Less Likely       Applicable Applicable Applicable

                               Security Updates

To determine the support life cycle for your software version or edition, see
the Microsoft Support Lifecycle.

Platform and Severity were not specified for any entry.

Product                                        Article  Download         Impact            Supersedence
Windows 10 Version 1607 for 32-bit Systems     4540670  Security Update  Defense in Depth  4537764
Windows 10 Version 1607 for x64-based Systems  4540670  Security Update  Defense in Depth  4537764
Windows 10 Version 1809 for 32-bit Systems     4538461  Security Update  Defense in Depth  4532691
Windows 10 Version 1809 for x64-based Systems  4538461  Security Update  Defense in Depth  4532691
Windows 10 Version 1903 for 32-bit Systems     4540673  Security Update  Defense in Depth  4532693
Windows 10 Version 1903 for ARM64-based        4540673  Security Update  Defense in Depth  4532693
  Systems
Windows 10 Version 1903 for x64-based Systems  4540673  Security Update  Defense in Depth  4532693
Windows 10 Version 1909 for 32-bit Systems     4540673  Security Update  Defense in Depth  4532693
Windows 10 Version 1909 for ARM64-based        4540673  Security Update  Defense in Depth  4532693
  Systems
Windows 10 Version 1909 for x64-based Systems  4540673  Security Update  Defense in Depth  4532693
Windows 7 for 32-bit Systems Service Pack 1    4540688  Monthly Rollup   Defense in Depth  4537820
                                               4541500  Security Only
Windows 7 for x64-based Systems Service        4540688  Monthly Rollup   Defense in Depth  4537820
  Pack 1                                       4541500  Security Only
Windows 8.1 for 32-bit systems                 4541509  Monthly Rollup   Defense in Depth  4537821
                                               4541505  Security Only
Windows 8.1 for x64-based systems              4541509  Monthly Rollup   Defense in Depth  4537821
                                               4541505  Security Only
Windows RT 8.1                                 4541509  Monthly Rollup   Defense in Depth  4537821
Windows Server 2008 for 32-bit Systems         4541506  Monthly Rollup   Defense in Depth  4537810
  Service Pack 2                               4541504  Security Only
Windows Server 2008 for 32-bit Systems         4541506  Monthly Rollup   Defense in Depth  4537810
  Service Pack 2 (Server Core installation)    4541504  Security Only
Windows Server 2008 for Itanium-Based          4541506  Monthly Rollup   Defense in Depth  4537810
  Systems Service Pack 2                       4541504  Security Only
Windows Server 2008 for x64-based Systems      4541506  Monthly Rollup   Defense in Depth  4537810
  Service Pack 2                               4541504  Security Only
Windows Server 2008 for x64-based Systems      4541506  Monthly Rollup   Defense in Depth  4537810
  Service Pack 2 (Server Core installation)    4541504  Security Only
Windows Server 2008 R2 for Itanium-Based       4540688  Monthly Rollup   Defense in Depth  4537820
  Systems Service Pack 1                       4541500  Security Only
Windows Server 2008 R2 for x64-based Systems   4540688  Monthly Rollup   Defense in Depth  4537820
  Service Pack 1                               4541500  Security Only
Windows Server 2008 R2 for x64-based Systems   4540688  Monthly Rollup   Defense in Depth  4537820
  Service Pack 1 (Server Core installation)    4541500  Security Only
Windows Server 2012                            4541510  Monthly Rollup   Defense in Depth  4537814
                                               4540694  Security Only
Windows Server 2012 (Server Core installation) 4541510  Monthly Rollup   Defense in Depth  4537814
                                               4540694  Security Only
Windows Server 2012 R2                         4541509  Monthly Rollup   Defense in Depth  4537821
                                               4541505  Security Only
Windows Server 2012 R2 (Server Core            4541509  Monthly Rollup   Defense in Depth  4537821
  installation)                                4541505  Security Only
Windows Server 2016                            4540670  Security Update  Defense in Depth  4537764
Windows Server 2016 (Server Core installation) 4540670  Security Update  Defense in Depth  4537764
Windows Server 2019                            4538461  Security Update  Defense in Depth  4532691
Windows Server 2019 (Server Core installation) 4538461  Security Update  Defense in Depth  4532691
Windows Server, version 1903 (Server Core      4540673  Security Update  Defense in Depth  4532693
  installation)
Windows Server, version 1909 (Server Core      4540673  Security Update  Defense in Depth  4532693
  installation)

                                  CVSS Score

The following software versions or editions that are affected have been scored
against this vulnerability. Please read the CVSS standards guide to fully
understand how CVSS vulnerabilities are scored, and how to interpret CVSS
scores.

The CVSS table lists the same affected products as the Security Updates table
above (Windows 10 versions 1607, 1809, 1903 and 1909; Windows 7 SP1; Windows
8.1; Windows RT 8.1; Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016,
2019 and versions 1903 and 1909, including Server Core installations). No
Base, Temporal or Environmental score and no Vector String is given for any of
them.

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Acknowledgements

Microsoft recognizes the efforts of those in the security community who help us
protect customers through coordinated vulnerability disclosure.

See acknowledgements for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness for
a particular purpose. In no event shall Microsoft Corporation or its suppliers
be liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if Microsoft
Corporation or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.

Revisions

Version  Date        Description
1.0      08/13/2019  Information published.
1.1      09/09/2019  Revised Recommended Actions section to provide customers
                     with more detailed information about actions to take to
                     make LDAP channel binding and LDAP signing on Active
                     Directory Domain Controllers more secure.
1.2      12/17/2019  In the Recommended Actions section, updated the opening
                     sentence to indicate that the Windows update will be
                     available in March 2020.
1.3      02/04/2020  In the Recommended Actions section, added information that
                     details what will be included in the March 2020 updates to
                     enable hardening LDAP Channel Binding and LDAP Signing.
                     Included information about a future monthly update that
                     will enable LDAP signing and channel binding on domain
                     controllers configured with default values for those
                     settings. These are informational changes only.
1.4      02/28/2020  The following revisions have been made: 1. Clarified the
                     actions customers need to take to harden the configurations
                     for LDAP channel binding and LDAP signing on Active
                     Directory Domain Controllers. 2. In the References section,
                     added a link to KB4546509:
                     https://support.microsoft.com/en-us/help/4546509 -
                     Frequently asked questions about changes to Lightweight
                     Directory Access Protocol. 3. Updated the FAQ section to
                     direct customers to KB4546509.
2.0      03/10/2020  Microsoft is announcing that the March 10, 2020 security
                     updates are available that add options for administrators
                     to harden the configurations for LDAP channel binding on
                     Active Directory domain controllers. These options are:
                     1. "Domain controller: LDAP server channel binding token
                     requirements" group policy. 2. CBT signing events 3039,
                     3040, and 3041 with event source
                     Microsoft-Windows-ActiveDirectory_DomainService in the
                     Directory Service event log. Note that these March 10,
                     2020 updates and updates in the foreseeable future will
                     not make changes to LDAP signing or LDAP channel binding
                     policies or their registry equivalent on new or existing
                     domain controllers.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================