The US Cybersecurity and Infrastructure Security Agency (CISA) has taken the unusual step of removing a bug from its catalog of vulnerabilities known to be exploited and required to be fixed by federal civilian agencies. within a certain period of time.
CISA said it is “temporarily removing” Microsoft’s May 2022 fix for security bug CVE-2022-26925 from its Catalog of Known Exploited Vulnerabilities. He said that after administrators apply Microsoft’s May 10, 2022 cumulative security fixes to Windows servers that are used as domain controllers, there is a risk of authentication failures. CISA removed the vulnerability from its list of required patches on Friday.
“Microsoft notified CISA of this issue, which is related to how the domain controller handles the mapping of certificates to machine accounts,” he said.
“After installing the May 10, 2022 cumulative update on domain controllers, organizations may experience server or client authentication failures for services such as Network Policy Server (NPS), Routing Service and Remote Access Protocol (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP),” explained CISA.
This issue only affects the upgrade on Windows servers used as domain controllers. CISA continues to strongly encourage administrators to apply the May updates from Microsoft on Windows client devices and Windows servers that are not domain controllers.
Microsoft describes CVE-2022-26925 as a local security authority (LSA) spoofing vulnerability. LSA allows applications to authenticate and register users on a local system. Details of the bug have been publicly disclosed and vulnerabilities exist for it, according to Microsoft.
“An unauthenticated attacker could call a method on the LSARPC interface and force the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts on LSARPC and rejects them,” says Microsoft.
The bug would have a severity score of 9.8 when chained with NTLM relay attacks on Active Directory Certificate Services (AD CS), Microsoft adds.
The company noted that the May 10, 2022 update addresses the vulnerability on all servers, but urged administrators to prioritize updating domain controllers.
CISA referred administrators to Microsoft document KB5014754, which details “Certificate-Based Authentication Changes in Windows Domain Controllers” regarding the May 10 updates for CVE-2022-26931 and CVE-2022 -26923. This is an elevation of privilege vulnerability that can occur when the Kerberos Distribution Center (KDC) services a certificate-based authentication request, according to Microsoft.
“Prior to the May 10, 2022 security update, certificate-based authentication did not render a dollar sign ($) at the end of a machine name. This allowed emulation (spoofing) related certificates in various ways,” he says Microsoft.