Check The DHCP Settings On Your Microsoft Active Directories
No Detections In The Wild, Yet …
Sysadmins who have left the DHCP settings of their Active Directory at their defaults, which seems to be about 40% of them, are vulnerable to a rather nasty DHCP DNS spoofing attack. The researchers at Akamai who discovered this flaw were able to leverage it without needing any credentials whatsoever, a rather worrying development. The report does not contain the technical details of how to leverage the exploit; however, they will likely be released soon, as Microsoft’s response to Akamai was dismissive.
In theory, it leverages the process by which a device that is given an IP address by the DHCP server can then contact the DNS server and update its own DNS record using DNS Dynamic Updates. This happens without the client supplying credentials, yet it could be used to get the machine authenticated, after which it could modify or overwrite other DNS entries inside your Active Directory Integrated DNS. That, in turn, can be used to leverage other known exploits which previously required proper authentication.
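To actually check the settings the article is talking about, here is an added PowerShell audit (not from the article or from Akamai's report) that reads the DHCP server's DNS dynamic update configuration, the account it registers records with, the dynamic-update mode of each AD-integrated DNS zone, and the DnsUpdateProxy membership. It assumes the DhcpServer, DnsServer and ActiveDirectory RSAT modules are installed; the server names are placeholders.

```powershell
# Added audit example; $DhcpServer and $DnsServer are placeholder hostnames.
param(
    [string]$DhcpServer = 'dhcp01.corp.example',
    [string]$DnsServer  = 'dc01.corp.example'
)

function Get-DhcpDnsUpdateAudit {
    param([string]$DhcpServer, [string]$DnsServer)

    # Server-wide DHCP -> DNS dynamic update behaviour, then per scope.
    # DynamicUpdates is Always | OnClientRequest | Never; Never means the
    # DHCP server performs no DNS updates on behalf of clients at all.
    $serverSetting = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
    $scopeSettings = Get-DhcpServerv4Scope -ComputerName $DhcpServer | ForEach-Object {
        $s = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $_.ScopeId
        [pscustomobject]@{
            ScopeId        = $_.ScopeId
            DynamicUpdates = $s.DynamicUpdates
            NameProtection = $s.NameProtection   # DHCID-based record ownership check
        }
    }

    # Account the DHCP server writes DNS records with. An empty UserName means
    # the DHCP service's own computer account is used for the updates.
    $cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer

    # AD-integrated zones and their update mode: None | Secure | NonsecureAndSecure.
    $zones = Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { $_.IsDsIntegrated } |
        Select-Object ZoneName, DynamicUpdate

    # Records registered by DnsUpdateProxy members are created without a
    # protecting owner, so other clients can later modify them.
    $proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName

    [pscustomobject]@{
        DhcpServer            = $DhcpServer
        ServerDynamicUpdates  = $serverSetting.DynamicUpdates
        ServerNameProtection  = $serverSetting.NameProtection
        Scopes                = $scopeSettings
        DnsUpdateAccount      = if ($cred.UserName) { "$($cred.DomainName)\$($cred.UserName)" } else { '<computer account>' }
        AdIntegratedZones     = $zones
        DnsUpdateProxyMembers = $proxyMembers
    }
}

Get-DhcpDnsUpdateAudit -DhcpServer $DhcpServer -DnsServer $DnsServer | Format-List
```

Anything other than `Never` for DynamicUpdates, a DHCP server updating DNS with its own computer account, or DHCP server accounts sitting in DnsUpdateProxy are the lines worth reviewing against your own policy.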