📄 Description (English)
Microsoft Windows Local Security Authority (LSA) Spoofing Vulnerability — Microsoft Windows Local Security Authority (LSA) contains a spoofing vulnerability allowing an unauthenticated attacker to call a method on the LSARPC interface and coerce the domain controller to authenticate against another server using NTLM.
🤖 AI Executive Summary
CVE-2021-36942 is a critical Windows LSA spoofing vulnerability (CVSS 9.0) enabling unauthenticated attackers to coerce domain controllers into NTLM authentication against attacker-controlled servers. This facilitates credential relay attacks and domain compromise. With public exploits available, immediate patching of all Windows domain controllers and servers is essential for Saudi organizations.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 21, 2026 00:34
🇸🇦 Saudi Arabia Impact Assessment
Critical impact on Saudi banking sector (SAMA-regulated institutions), government agencies (NCA, ministries), healthcare systems, and energy sector (ARAMCO, utilities). Domain controller compromise enables lateral movement, data exfiltration, and ransomware deployment. Telecom operators (STC, Mobily) managing critical infrastructure are particularly vulnerable. This vulnerability directly threatens Active Directory security across all enterprise environments in Saudi Arabia.
🏢 Affected Saudi Sectors
Banking and Financial Services (SAMA-regulated)
Government and Public Administration (NCA oversight)
Healthcare Systems
Energy and Utilities (ARAMCO, SEC)
Telecommunications (STC, Mobily, Zain)
Critical Infrastructure
Large Enterprises with Active Directory
🎯 MITRE ATT&CK Techniques
T1187 - Forced Authentication
T1040 - Network Sniffing
T1557 - Man-in-the-Middle
T1111 - Multi-Factor Authentication Interception
T1550 - Use Alternate Authentication Material
T1550.001 - Use Alternate Authentication Material: Application Access Token
T1550.002 - Use Alternate Authentication Material: Pass the Hash
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1021 - Remote Services
T1021.006 - Remote Services: Windows Remote Management
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Windows domain controllers and servers in your environment
2. Apply Microsoft security patches KB5004018 (Windows Server 2019/2016) or equivalent for your OS version immediately
3. Implement network segmentation to restrict LSARPC (port 135, 445) access to trusted networks only
4. Enable NTLM signing and sealing via Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
5. Deploy Extended Protection for Authentication (EPA) where applicable
6. Monitor for suspicious LSARPC calls and NTLM relay attempts using Windows Event Viewer (Event ID 4624, 4625)
7. Implement LDAP signing requirements to prevent credential relay
8. Review and restrict service account permissions following least privilege principle
9. Enable Windows Defender for Advanced Threat Protection (ATP) monitoring
10. Conduct immediate vulnerability scan of all Windows systems using CVSS 9.0+ filter
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع متحكمات ومخدمات Windows في بيئتك
2. تطبيق تصحيحات الأمان من Microsoft KB5004018 (Windows Server 2019/2016) أو ما يعادلها فورًا
3. تنفيذ تقسيم الشبكة لتقييد وصول LSARPC (المنفذ 135، 445) للشبكات الموثوقة فقط
4. تفعيل توقيع وتشفير NTLM عبر Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
5. نشر Extended Protection for Authentication (EPA) حيث ينطبق
6. مراقبة استدعاءات LSARPC المريبة ومحاولات إعادة توجيه NTLM باستخدام Windows Event Viewer (Event ID 4624, 4625)
7. تنفيذ متطلبات توقيع LDAP لمنع إعادة توجيه بيانات الاعتماد
8. مراجعة وتقييد صلاحيات حسابات الخدمة وفقًا لمبدأ أقل امتياز
9. تفعيل Windows Defender for Advanced Threat Protection (ATP)
10. إجراء فحص فوري للثغرات على جميع أنظمة Windows باستخدام مرشح CVSS 9.0+
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policies
ECC 2024 A.8.2.1 - User Registration and De-registration
ECC 2024 A.8.3.1 - User Access Rights
ECC 2024 A.9.2.1 - User Endpoint Devices
ECC 2024 A.12.2.1 - Restrictions on Software Installation
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Hardware and Software Inventory
SAMA CSF PR.AC-1 - Access Control Policy
SAMA CSF PR.AC-4 - Access Rights Management
SAMA CSF DE.CM-1 - Network Monitoring
SAMA CSF RS.MI-2 - Incident Response Procedures
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access Control
ISO 27001:2022 A.8.1 - User Endpoint Devices
ISO 27001:2022 A.8.2 - Privileged Access Rights
ISO 27001:2022 A.12.2 - Change Management
ISO 27001:2022 A.14.2 - System Development and Acceptance
🟣 PCI DSS v4.0
PCI DSS 1.1 - Firewall Configuration Standards
PCI DSS 2.1 - Default Passwords
PCI DSS 6.2 - Security Patches
PCI DSS 8.1 - User Access Control
PCI DSS 10.2 - Logging and Monitoring
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
Microsoft:Windows