Security researchers at Akamai have discovered an issue that could allow attackers to spoof DNS records, compromise Active Directory, and steal stored secrets. The attacks work against Microsoft Dynamic Host Configuration Protocol (DHCP) servers in their default configuration and do not require any credentials. Akamai reported the issues to Microsoft, which reportedly has no plans to fix them.
The good news is that Akamai has not yet seen a server under this type of attack. However, 40% of the networks monitored by Akamai are running Microsoft DHCP in the vulnerable configuration, so a large number of organizations are likely exposed. Akamai has provided a tool for sysadmins to detect vulnerable configurations and has promised to publish code, called DDSpoof, that implements these attacks.
The research builds on earlier work by NetSPI's Kevin Robertson detailing ways to exploit flaws in DNS zones. The issue revolves around the DHCP DNS Dynamic Updates feature, which is enabled by default on Microsoft DHCP servers and does not require the DHCP client to authenticate. This allows unauthenticated attackers to compromise AD domains without any credentials.
Akamai also identified a potential bug in the DNSUpdateProxy group, which allows authenticated users to create DNS records with vulnerable ACLs. They recommend disabling DHCP DNS Dynamic Updates and avoiding DNSUpdateProxy altogether, or else using the same DNS credentials across all DHCP servers.
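As an added audit example (not Akamai's detection tool and not code from the article), the following PowerShell checks the settings the recommendations above refer to: whether each DHCP server still performs DNS dynamic updates, which DNS credential it uses, and whether DnsUpdateProxy has members. It assumes the DhcpServer and ActiveDirectory modules are installed and that the server names are replaced with your own.

```powershell
# Added example; assumes the DhcpServer and ActiveDirectory modules and
# read access to the DHCP servers listed. Server names are placeholders.
Import-Module DhcpServer
Import-Module ActiveDirectory

$dhcpServers = @('dhcp01.corp.example', 'dhcp02.corp.example')  # placeholders

$report = foreach ($srv in $dhcpServers) {
    # Server-level DNS settings; per-scope overrides would need -ScopeId too
    $dns  = Get-DhcpServerv4DnsSetting -ComputerName $srv
    # Account the DHCP server uses when registering records for clients
    $cred = Get-DhcpServerDnsCredential -ComputerName $srv
    $credName = '<none>'
    if ($cred.UserName) { $credName = "$($cred.DomainName)\$($cred.UserName)" }

    [pscustomobject]@{
        Server         = $srv
        DynamicUpdates = $dns.DynamicUpdates      # 'Never' is the hardened value
        NameProtection = $dns.NameProtection
        DnsCredential  = $credName
        PerformsUpdates = ($dns.DynamicUpdates -ne 'Never')
    }
}

$report | Format-Table -AutoSize

# Servers that still perform updates should all share one DNS credential.
$creds = $report | Where-Object { $_.PerformsUpdates } |
         Select-Object -ExpandProperty DnsCredential -Unique
if (@($creds).Count -gt 1) {
    Write-Warning "DHCP servers use different DNS update credentials: $($creds -join ', ')"
}

# DnsUpdateProxy membership: the recommendation is to avoid the group entirely.
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' -ErrorAction SilentlyContinue
if ($proxyMembers) {
    Write-Warning "DnsUpdateProxy is populated: $($proxyMembers.SamAccountName -join ', ')"
}

# Remediation matching the advice above, applied per server after review:
# Set-DhcpServerv4DnsSetting -ComputerName $srv -DynamicUpdates Never
```

Run it from a host with the RSAT DHCP and AD tools; a `DynamicUpdates` value of `Always` or `OnClientRequest` means the server registers records on behalf of clients, which is the configuration the research concerns.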