In the Fall of 2021, Microsoft identified a security issue present in Active Directory Domain Services (ADDS), known as CVE-2021-42287. This vulnerability may allow potential attackers to impersonate domain controllers. The issue is a security bypass vulnerability that affects the Kerberos Privilege Attribute Certificate, or PAC.
While Microsoft provided additional details regarding the issue, as well as remediation guidance, on their support website, administrators immediately discovered a subsequent issue stemming from taking corrective action: remediated servers no longer allowed macOS to bind itself to Active Directory.
What the initial fix broke instead:
Microsoft updated the information on CVE-2021-42287 on March 22, 2022, with details of a new error when binding third-party devices to Active Directory. From the section “Known Issues”:
“After installing Windows updates released November 9, 2021, or later on domain controllers (DCs), some customers might see the new audit Event ID 37 logged after certain password setting or change operations such as … Change the password for third-party, domain-joined devices.”
While this did not specifically call out macOS devices, Apple administrators on Jamf Nation found that the patch, when fully enforced, would break binding to Active Directory.
What is “enforcement mode”?
To encourage testing of the patch in customer environments, Microsoft created a registry key (similar to Apple's use of a preference key) to set levels of logging when enabling the patch. By default, this registry key was not present, requiring an administrator to purposefully add the key to test the software. Level 1 was logging only; level 2 enabled the patch fully. When level 2 enforcement was enabled, binding macOS devices broke. Originally, Microsoft was to enforce this patch on July 12, 2022, enabling it on all servers. This has since been moved to October 11, 2022, to enable administrators to test and report issues.
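One way to review the audit Event ID 37 entries while domain controllers are still at the logging-only level, so affected devices are known before enforcement. This is an added example, not code from Microsoft or Jamf. The System log, the KDC provider name, the 30-day window, the RSAT ActiveDirectory module and the output file name are assumptions that do not come from the article.

```powershell
# Added example: count audit Event ID 37 per domain controller and day.
# Assumptions (not from the article): the events are in the System log under
# the KDC provider named below; the RSAT ActiveDirectory module is installed;
# a 30-day review window; the CSV file name.
Import-Module ActiveDirectory

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 37
    StartTime    = (Get-Date).AddDays(-30)
}

# @() keeps $found an empty array (not $null) when no DC reports the event.
$found = @(foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    DomainController = $dc.HostName
                    Day              = $_.TimeCreated.Date
                    Message          = $_.Message
                }
            }
    }
    catch {
        # "No matching events" is the good outcome; any other error means
        # this domain controller was not actually checked.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "Not checked: $($dc.HostName): $($_.Exception.Message)"
        }
    }
})

if ($found.Count -eq 0) {
    Write-Output 'No Event ID 37 entries found in the review window.'
}
else {
    # Per-DC, per-day counts show whether the events persist after patching.
    $found | Group-Object DomainController, Day |
        Sort-Object Name |
        Select-Object Name, Count |
        Format-Table -AutoSize

    # Keep the full event text so each entry can be matched to a device.
    $found | Sort-Object Day -Descending |
        Export-Csv -Path .\kdc-event37.csv -NoTypeInformation
}
```

A domain controller that raises the "Not checked" warning has not been cleared; rerun against it before treating the fleet as ready for enforcement.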
Administrators who are still binding their Apple devices to on-premises Active Directory (AD) are highly encouraged to pay close attention to release notes for Windows Server and stay up to date on Jamf Nation, especially when release notes do not specifically call out issues that may affect their Apple environments.
Fixing the problem:
Patch, test, evaluate and then document.
First, Microsoft issued an updated patch on April 12, 2022, which includes details on how to update Windows Server to the latest version. At this time, a client patch for macOS is not required, but mixed environments of Windows and macOS devices will want to watch the release channels for both Windows and Apple in case later patches are distributed. Windows 11 has been patched in the beta and preview release channel to handle this “error 37” issue.
Second, Apple’s guidance from the Worldwide Developers Conference (WWDC) sessions for the last three years has been to avoid binding devices to Active Directory when managing enterprise deployments, except in very limited situations:
- Shared device environments where machines may have multiple users and will never leave the on-premises network
- Enforced requirements of PIV/CAC SmartCard for device access and certificate validation
In all other circumstances, administrators are highly encouraged to look at alternatives to binding, like using MDM to manage devices and utilizing tools like the Kerberos SSO Extensions for user management.
A future without binding:
This is not the first time that binding macOS devices to Active Directory has been a problem. Either binding has broken entirely (the initial release of OS X Lion in 2011, for example) or it has simply caused administrators headaches when devices stop talking to AD, breaking user Keychain and FileVault password sync and generally preventing end users from authenticating to their devices.
Tools like Jamf Connect, Apple’s Kerberos SSO Extension for Enterprise, NoMAD and were created specifically to prevent this problem from occurring.
At the same time, the pivot toward remote and hybrid work environments is clear, with many organizations migrating to cloud-based solutions to manage their device fleets, applications and access and identity services. Additionally, in moving organizational resources and infrastructure to the cloud, the functionality offered by binding to a domain controller becomes increasingly less necessary.
Jamf Connect lets Apple computers running macOS provision user accounts with cloud identity credentials, secure account access with centralized administrative rights and keep credentials in sync — onsite or off — without a bind to AD.
When working remotely, users can log in to their Mac with their institutional credentials — the same familiar username and password they would use on-premises. IT administrators decide who gets local account administrator privileges with the power of the Identity Provider’s (IdP) cloud-based directory service. And help desks get fewer calls regarding forgotten passwords due to Single Sign-On (SSO) requiring usage of just one password for all managed devices and services.
When working at the office, Jamf Connect uses the same credentials to obtain Kerberos tickets without a bind to Active Directory. These Kerberos tickets then allow seamless, secure access to shared resources onsite.
Managed Users or MDM-Enabled Users
Eliminating binding altogether requires planning. Administrators should consider that all users who authenticate to a Mac with an AD account have access to user channel configuration profiles. In the absence of binding, only the first local account created during automated device enrollment, or the user who enrolled the device in MDM in a user-initiated enrollment process, will be able to take advantage of user-level configuration profiles.
To identify which profiles are scoped to the User Level, look to your MDM solution for a complete listing of the Configuration Profiles applied to your organization’s fleet.
Next, evaluate how these configuration profiles are used within your fleet. If a device is assigned as a 1:1, there should be little concern if a profile is applied at the computer level. To put it into perspective, if you’re the only person with keys to your car, does it really make a difference if your driver’s license is kept in your car or your wallet? Not really, so long as you meet the criteria of having one.
Some Cisco network security products track individual users on the network with user-level certificate-based access. Administrators should evaluate the need for this level of tracking or consider moving to modern cloud-based network security products, like Jamf Private Access.
802.1x RADIUS Networks
With Jamf Connect, the login screen requires network connectivity to authenticate against the cloud-based IdP. User-based 802.1x RADIUS access, whether with a username and password or with a certificate, is not possible in this scenario.
The login screen is owned by the root user. For security, root has no storage, no macOS Keychain to securely store credentials or certificates, and thus cannot use user-level credentials.
A managed device should use a managed certificate for access to managed networks. In this scenario, admins can apply computer-level configuration profiles with machine-based SCEP certificate access to RADIUS networks. This permits an added layer of security, assuring a device can always be accessible by administrators and MDM commands, even when a user is not currently logged in.
Stop futzing with the hassle of binding macOS devices to your on-premises network.
Provide greater security controls while permitting users to authenticate from anywhere, anytime with Jamf Connect. Give it a try...you'll be happy you did!