AD Starter Scan - Dangerous Trust Relationship

medium Nessus Plugin ID 150486

Synopsis

A dangerous configuration on an outbound trust relationship is configured.

Description

No security mechanism has been activated on a trust relationship, allowing lateral movement across AD domains. Two attack scenarios are checked in this plugin:

- SID history injection (by checking the SID filter quarantining configuration)
- Exploitability of the 'printer bug' (by checking if selective authentication or TGT delegation is correctly configured)

Note: The AD Starter Scan and associated plugins are intended to be used with smaller AD deployments for purposes of preliminary analysis. Accurate preliminary analysis can be expected for AD deployments with up to 5000 users, groups or machines and incomplete results will be returned for larger AD deployments with Nessus, Security Center and Vulnerability Management. For more information on the issues discovered by the Active Directory Starter Scan plugins, please refer to this blog post - https://www.tenable.com/blog/new-in-nessus-find-and-fix-these-10-active-directory-misconfigurations

Solution

Both SID filter quarantining (set the option on the trust) and protections against the 'printer bug' should be applied.

Two protections can be used against the 'printer bug': disabling the possibility of doing a TGT delegation or configuring selective authentication on the trust.

See Also

http://www.nessus.org/u?8ee834c9

http://www.nessus.org/u?41accc7a

http://www.nessus.org/u?d5c4c81f

Plugin Details

Severity: Medium

ID: 150486

File Name: adsi_trust_unsafe.nbin

Version: 1.111

Type: local

Agent: windows

Family: Windows

Published: 7/29/2021

Updated: 11/22/2024

Supported Sensors: Nessus Agent, Nessus

Risk Information

CVSS Score Rationale: Score based on an in-depth analysis by tenable.

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:H/Au:M/C:C/I:C/A:C

CVSS Score Source: manual

CVSS v3

Risk Factor: Medium

Base Score: 6.6

Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:microsoft:active_directory

Required KB Items: ldap_enum_trusteddomain/available