The script below will check if your Azure AD Connect is running a version affected by the vulnerability described in CVE-2021-36949. Affected versions are 1.6.4.0 and 2.0.3.0.
#Disclaimer: This script is provided as-is with no warranties of any kind
Write-Host "Checking if your Azure AD Connect version is affected by the vulnerability described in CVE-2021-36949"
Try
{
$params = ((Get-ADSyncGlobalSettings).Parameters | select Name,Value)
foreach($p in $params)
{
if($p.name -eq 'Microsoft.Synchronize.ServerConfigurationVersion')
{
Write-Host 'Your version is' $p.value
if($p.Value -eq '1.6.4.0' -or $p.Value -eq '2.0.3.0')
{
Write-Host 'You are running a version that is vulnerable - update your Azure AD Connect installation' -BackgroundColor DarkRed -ForegroundColor White
}
else
{
Write-Host 'You are running a version that is not affected' -BackgroundColor DarkGreen -ForegroundColor White
}
break
}
}
}
Catch
{
Write-Host "Unable to check Azure AD Connect version - make sure you are running this script on the server where AAD Connect is installed."
}
Try
{
if(Get-ADSyncAutoUpgrade)
{
Write-Host "AutoUpgrade is enabled."
}
else
{
Write-Host "AutoUpgrade is not enabled."
}
}
Catch
{
Write-Host "Unable to check if Azure AD Connect AutoUpgrade is enabled."
}
If you look at the output, you see that the script also checks if the auto-upgrade feature is enabled. By default, it is but as explained in the version history, only some releases will be deployed by auto-upgrade. The last one that is marked as auto-upgrade release is 1.4.25.0 from 28.09.2019, so Microsoft obviously rarely makes use of this function. Therefore, see the description of the manual upgrade process to make sure your AAD Connect is up-to-date.
Links:
Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36949
Azure AD Connect: Version release history
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history
Azure AD Connect: Upgrade from a previous version to the latest
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-upgrade-previous-version
Two new Azure AD Connect versions were released to prevent MitM attacks towards Domain Controllers (CVE-2021-36949)