The combination of Domain Name System, Active Directory and the Dynamic Host Configuration Protocol is a potential cybersecurity threat, Akamai Technologies Inc. security researcher Ori David warned in a blog post today.

The trouble has to do with the way Microsoft Corp. has assembled DHCP DNS Dynamic Updates. DHCP is a very useful protocol: It automatically sets up TCP/UIP addresses across a network, ensuring that no two devices will have the same address. The dynamic update feature allows a DHCP server to create or modify DNS records for any of its connected clients.

The key words in that sentence – and the essence of the threat – are “modify” and “any” because they give all sorts of power to a potential attacker. This is because, by design and not because of some bug or other mistake by Microsoft, these dynamic updates happen without any further authentication by the client.

“With DHCP DNS Dynamic Updates we get the best of both worlds — the attack works on victims outside the LAN, and doesn’t require any authentication,” David wrote. “Akamai researchers were also able to overwrite existing DNS records, and thus be able to send network traffic to their own servers.”

This may seem like a pretty obscure problem, but it isn’t. The number of potentially affected organizations can be significant given the popularity of Microsoft DHCP services. David estimates it’s running in 40% of all of the networks Akamai monitors, many of which are found in large corporate data centers.

The post goes into almost excruciating detail about how to construct the exploit, and provides plenty of information on how to prevent it from happening, such as disabling DHCP DNS dynamic updates and avoiding use of DNS update proxy groups. Part of the issue is that Akamai has reported their findings to Microsoft, but it doesn’t plan to fix the problem.

One issue is supporting ancient Windows NTv4.0 clients. As David noted, “if you have anything of that vintage running on your network, you’ve got bigger problems.” Akamai links to a custom PowerShell tool that can be used to check for potential risks with DNS misconfigurations.

“The impact of the attacks that we highlighted can be very significant — the ability to overwrite DNS records without any authentication enables attackers to gain a machine-in-the-middle position on hosts in the domain,” David added. “In most cases, the ability to intercept communication destined for the DHCP server could be abused to intercept credentials and relay them or capture sensitive traffic of other services that might be installed on the server. This could easily expose sensitive information and could allow attackers to breach AD domains and escalate privileges.”

Image: Pixabay, Akamai