You are here

U-031: Microsoft Active Directory CRL Validation Flaw Lets Remote Users Bypass Authentication

November 9, 2011 - 8:30am

Addthis

PROBLEM:

Microsoft Active Directory CRL Validation Flaw Lets Remote Users Bypass Authentication.

PLATFORM:

Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2 Active Directory
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1

ABSTRACT:

A remote user can bypass authentication on the target system in certain cases.

reference LINKS:

Microsoft Security Bulletin MS11-086 - Important
SecurityTracker Alert ID: 1026294
CVE-2011-2014

IMPACT ASSESSMENT:

High

Discussion:

A vulnerability was reported in Microsoft Active Directory. A remote user can bypass authentication on the target system in certain cases. The software does not properly validate certificates against the certificate revocation list (CRL). A remote user with access to a previously revoked certificate can authenticate to the associated Active Directory domain and gain access to network resources or execute arbitrary code with the privileges of the certificate's user. Active Directory Application Mode (ADAM) and Active Directory Lightweight Directory Service (AD LDS) are also affected.

Impact:

A remote user can bypass authentication on the target system in certain cases.

Solution: 

The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service.

Addthis