CISA Removes Windows Flaw From Exploited Catalog List
Patching Domain Controller Bug Risks Authentication Failure, Agency Says
The U.S. Cybersecurity and Infrastructure Security Agency has announced that it is temporarily removing a Windows security flaw from its Known Exploited Vulnerabilities Catalog because applying Microsoft's May 10, 2022 rollup update to domain controllers can cause authentication failures.
"CISA is temporarily removing CVE-2022-26925 from its Known Exploited Vulnerability Catalog due to a risk of authentication failures when the May 10, 2022, Microsoft rollup update is applied to domain controllers," the agency says.
The agency says that after the May 10 rollup update is installed on domain controllers, organizations might see authentication failures on the server or client side for services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP) and Protected EAP (PEAP).
The Known Exploited Vulnerabilities Catalog lists vulnerabilities known to be actively exploited in the wild. It was created by CISA's Binding Operational Directive 22-01, which requires federal civilian agencies to remediate every listed vulnerability within a set time frame.
The directive allows six months for common vulnerabilities and exposures, or CVEs, assigned before 2021, and two weeks for all other listed vulnerabilities (see: CISA Directs Federal Agencies to Patch Known Vulnerabilities).
"Only when Windows Server is being used as a domain controller will this patch create an issue, not in the majority of cases where it is applied to client Windows devices or non-domain controller Windows Server. Very likely there will soon be a patch that remediates this vulnerability across all Windows instances," says Bud Broomhead, CEO at Viakoo, an enterprise IoT security platform.
Broomhead also says the only surprise is that this doesn't happen more often, since a vulnerability known to be under active exploitation creates urgency to ship a security patch quickly.
CVE-2022-26925 is a Windows Local Security Authority (LSA) spoofing vulnerability: a new variant of the PetitPotam NTLM relay technique that abuses the LSARPC interface. In an NTLM relay attack of this kind, the attacker coerces a domain controller into authenticating to an attacker-controlled host, then relays that authentication to another service to gain elevated privileges, up to and including acting under the identity of the domain controller (see: Patch Tuesday: PetitPotam Cornered Again).
PetitPotam is a classic NTLM relay attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers.
Raphael John of Bertelsmann Printing Group, who describes himself as a security enthusiast, was credited by Microsoft for reporting CVE-2022-26925. John described on Twitter how he found that PetitPotam still worked.
"The story behind CVE-2022-26925 is no advanced reverse engineering, but a lucky accident. During my pentests in January and March, I saw that PetitPotam worked against the DCs," he tweeted on May 11, 2022.
He says, "At the first occurrence I thought that they did not update their DCs, but at the second pentest I knew that the DCs were up to date. After that I analyzed that strange behavior and concluded that MS made a big mistake in one of their updates."
"An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it," Microsoft said in its recent Patch Tuesday release.
LSARPC is the Local Security Authority Remote Protocol: a set of calls carried over Microsoft RPC to the Local Security Authority, or LSA, on a Windows host. It is used to manage domain security policy, account rights and related settings from a remote machine, which is why a method on it that can be called without authentication is a useful coercion primitive on a domain controller.
Microsoft cautions those who use Active Directory Certificate Services, or AD CS, with Certificate Authority Web Enrollment or Certificate Enrollment Web Service and advises admins to read the PetitPotam advisory for information on how to mitigate these types of attacks (see: Microsoft Patch Tuesday: PetitPotam Cornered Again).
"Installation of updates released May 10, 2022, on client Windows devices and non-domain controller Windows Servers will not cause this issue and is still strongly encouraged. This issue only affects May 10, 2022 updates installed on servers used as domain controllers," according to CISA.
The agency also recommends that organizations continue applying updates to client Windows devices and non-domain controller Windows Servers.
Microsoft says that to prevent an NTLM relay attack on networks where NTLM is enabled, domain administrators must ensure that services which permit NTLM authentication use protections such as Extended Protection for Authentication (EPA) or signing, such as SMB signing.
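The two protections Microsoft names above can be checked and enforced from the affected server itself. The script below is an added example written for this page, not code from the article, CISA or Microsoft: it audits SMB signing on the local SMB server and Extended Protection for Authentication on the Certificate Authority Web Enrollment endpoint, and applies both when run with -Enforce. It assumes the IIS default location for web enrollment ('Default Web Site' with the /CertSrv virtual directory) and that the WebAdministration module is installed; adjust the site path if your CA publishes enrollment elsewhere.

```powershell
# Added example, not code from the article, CISA or Microsoft. Audits the two NTLM-relay
# protections named above on the host it runs on and, with -Enforce, applies them:
#   1. SMB signing required on the SMB server (a relayed NTLM handshake cannot sign, so
#      the relay cannot set up a session on this host)
#   2. Extended Protection for Authentication (EPA) set to Required, plus TLS-only access,
#      on the AD CS Certificate Authority Web Enrollment virtual directory
# Assumptions (adjust for your environment): run elevated; web enrollment lives at the IIS
# default location 'Default Web Site' -> /CertSrv; the WebAdministration module is installed.
param([switch]$Enforce)

Import-Module WebAdministration -ErrorAction Stop

# Get-WebConfigurationProperty returns the raw value for some attributes and a
# ConfigurationAttribute object (with .Value) for others; normalise to a string.
function Get-IisValue {
    param([string]$PSPath, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v = $v.Value }
    return [string]$v
}

$findings = @()

# 1. SMB signing. A target that accepts unsigned SMB lets an attacker reuse a coerced
#    NTLM handshake against it; requiring signing breaks that, because the relay never
#    learns the session key needed to sign.
$smb = Get-SmbServerConfiguration
if (-not $smb.RequireSecuritySignature) {
    $findings += 'SMB server does not require signing'
    if ($Enforce) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}

# 2. EPA on the web enrollment endpoint. Channel binding ties the NTLM exchange to the TLS
#    session the client opened, so a handshake relayed from another connection fails.
$certSrv   = 'IIS:\Sites\Default Web Site\CertSrv'
$epaFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$sslFilter = 'system.webServer/security/access'
if (Test-Path $certSrv) {
    $token = Get-IisValue -PSPath $certSrv -Filter $epaFilter -Name tokenChecking
    if ($token -ne 'Require') {
        $findings += "EPA on /CertSrv is '$token', expected 'Require'"
        if ($Enforce) {
            Set-WebConfigurationProperty -PSPath $certSrv -Filter $epaFilter -Name tokenChecking -Value 'Require'
        }
    }
    # EPA binds to a TLS channel, so the endpoint must refuse plain HTTP as well.
    $ssl = Get-IisValue -PSPath $certSrv -Filter $sslFilter -Name sslFlags
    if ($ssl -notmatch '\bSsl\b') {
        $findings += "/CertSrv does not require TLS (sslFlags='$ssl')"
        if ($Enforce) {
            Set-WebConfigurationProperty -PSPath $certSrv -Filter $sslFilter -Name sslFlags -Value 'Ssl'
        }
    }
} else {
    $findings += "$certSrv not found: web enrollment is not installed here or is published under another site"
}

if ($findings.Count -eq 0) { 'No findings: SMB signing and EPA are enforced' } else { $findings }
```

Run it once without -Enforce to see what it would change, then with -Enforce; the SMB change takes effect immediately, while the IIS change applies on the next request to /CertSrv. Requiring SMB signing on a busy file server has a measurable CPU cost, which is why it is worth confirming the finding before enforcing it.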
Microsoft rates the bug at CVSS 8.1 on its own, rising to 9.8 when it is chained with NTLM relay attacks on AD CS. PetitPotam works against AD CS deployments that have not been configured with protections against NTLM relay.
CISA also points admins to Microsoft's KB5014754, "Certificate-based authentication changes on Windows domain controllers", which accompanies the same May update and covers CVE-2022-26931 and CVE-2022-26923.
Both are elevation-of-privilege vulnerabilities that can occur when the Kerberos Key Distribution Center (KDC) services a certificate-based authentication request.
"Before the May 10, 2022, security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name. This allowed related certificates to be emulated (spoofed) in various ways. Additionally, conflicts between User Principal Names (UPN) and sAMAccountName introduced other emulation (spoofing) vulnerabilities that we also address with this security update," according to Microsoft.
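The two spoofing conditions Microsoft describes are both name collisions that a stricter mapping will refuse to resolve, so finding them before the update lands on a domain controller is the practical pre-patch check. The script below is an added example written for this page, not code from the article, CISA or Microsoft. It looks for sAMAccountNames that collide once a trailing '$' is ignored, and for UPN prefixes that equal another account's sAMAccountName. The function takes plain objects, so it runs offline against the constructed sample included (the corp.example domain and its accounts are made up); the commented call at the end feeds it Get-ADObject output from a real domain.

```powershell
# Added example, not code from the article, CISA or Microsoft. Finds the two kinds of
# name collision the KB5014754 change above is about, so they can be cleaned up before the
# stricter certificate-to-account mapping reaches a domain controller:
#   - a sAMAccountName that matches another account's once a trailing '$' is ignored
#     (the pre-update mapping did not account for the '$' on machine names)
#   - a userPrincipalName whose prefix equals another account's sAMAccountName
# Field names follow the AD attributes; the sample domain corp.example is constructed.
function Find-CertMappingConflict {
    param([Parameter(Mandatory)][object[]]$Accounts)
    $conflicts = @()

    # Bucket accounts by sAMAccountName with any trailing '$' removed, case-insensitively:
    # that is the key the lenient mapping effectively used, so 'DC01$' and 'dc01' share one.
    $bySam = @{}
    foreach ($a in $Accounts) {
        $key = ($a.sAMAccountName -replace '\$$', '').ToLowerInvariant()
        if (-not $bySam.ContainsKey($key)) { $bySam[$key] = @() }
        $bySam[$key] += $a
    }
    foreach ($key in $bySam.Keys) {
        if ($bySam[$key].Count -gt 1) {
            $conflicts += [pscustomobject]@{
                Kind     = 'sAMAccountName collision once trailing $ is ignored'
                Name     = $key
                Accounts = ($bySam[$key] | ForEach-Object { "$($_.objectClass) $($_.sAMAccountName)" }) -join ', '
            }
        }
    }

    # A certificate carrying a UPN is mapped by its prefix; if that prefix is also some other
    # account's sAMAccountName, the two objects are ambiguous to a name-based mapping.
    foreach ($a in $Accounts) {
        if (-not $a.userPrincipalName) { continue }
        $prefix = ($a.userPrincipalName -split '@')[0].ToLowerInvariant()
        $ownKey = ($a.sAMAccountName -replace '\$$', '').ToLowerInvariant()
        if ($prefix -eq $ownKey) { continue }   # that pair is already covered by the check above
        $others = @($bySam[$prefix] | Where-Object { $_.distinguishedName -ne $a.distinguishedName })
        if ($others.Count -gt 0) {
            $conflicts += [pscustomobject]@{
                Kind     = 'UPN prefix equals another account''s sAMAccountName'
                Name     = $prefix
                Accounts = "$($a.objectClass) $($a.sAMAccountName) (UPN $($a.userPrincipalName)) vs " +
                           (($others | ForEach-Object { "$($_.objectClass) $($_.sAMAccountName)" }) -join ', ')
            }
        }
    }
    return $conflicts
}

# Constructed sample: one collision of each kind plus accounts that should not be flagged.
$sample = @(
    [pscustomobject]@{ objectClass='computer'; sAMAccountName='DC01$';   userPrincipalName=$null;                     distinguishedName='CN=DC01,OU=Domain Controllers,DC=corp,DC=example' }
    [pscustomobject]@{ objectClass='user';     sAMAccountName='dc01';    userPrincipalName='dc01@corp.example';       distinguishedName='CN=dc01,CN=Users,DC=corp,DC=example' }
    [pscustomobject]@{ objectClass='user';     sAMAccountName='jsmith';  userPrincipalName='john.smith@corp.example'; distinguishedName='CN=John Smith,CN=Users,DC=corp,DC=example' }
    [pscustomobject]@{ objectClass='user';     sAMAccountName='jsmith2'; userPrincipalName='jsmith@corp.example';     distinguishedName='CN=J Smith,CN=Users,DC=corp,DC=example' }
    [pscustomobject]@{ objectClass='user';     sAMAccountName='alice';   userPrincipalName='alice@corp.example';      distinguishedName='CN=Alice,CN=Users,DC=corp,DC=example' }
)
Find-CertMappingConflict -Accounts $sample | Format-Table -AutoSize

# Against a real domain (ActiveDirectory module; computer objects are a subclass of user in the
# schema, so one filter returns both):
# Find-CertMappingConflict -Accounts (Get-ADObject -LDAPFilter '(objectClass=user)' -Properties sAMAccountName,userPrincipalName)
```

In the sample, the user dc01 is the kind of object an attacker could create to collide with the DC01$ machine account, and jsmith2's UPN collides with jsmith's sAMAccountName. Each hit is an account pair to rename or, where the mapping must stay, to bind explicitly with the per-account certificate mapping KB5014754 describes.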
"The mitigations outlined in KB5005413 instruct customers on how to protect their AD CS servers from such attacks," Microsoft says.
Microsoft warns that a user is potentially vulnerable to this attack if they are using AD CS with either Certificate Authority Web Enrollment or Certificate Enrollment Web Service.
While it is unusual for CISA to remove a CVE from its Known Exploited Vulnerabilities Catalog, it's not unheard of when there are special circumstances, says Mike Parkin, senior technical engineer at cybersecurity firm Vulcan Cyber. "In this case, deploying the recommended patch could have unintended consequences on some specific configurations. CISA removed the recommendation specifically for systems in that configuration, while retaining it for other systems. As with any case where a patch can't be applied, organizations in the vulnerable configuration should use other mitigations until the problem is fixed," he says.