In this month's Patch Tuesday cumulative update, Microsoft fixed the Windows Local Security Authority (LSA) spoofing vulnerability tracked as CVE-2022-26925. This serious vulnerability allows an unauthenticated attacker to call a method anonymously and coerce the domain controller (DC) into NTLM authentication. In the worst case this can lead to privilege escalation, with the attacker taking control of the entire domain.
The vulnerability mattered because the U.S. Cybersecurity and Infrastructure Security Agency (CISA) had required Federal Civilian Executive Branch (FCEB) agencies to install these updates within three weeks to protect themselves from this and other attacks. It has now withdrawn that requirement, because the latest Patch Tuesday update also causes authentication problems when installed on DCs.
The announcement states:
Installing the update released on May 10, 2022 on client Windows devices and non-domain-controller Windows servers will not cause this issue and is still strongly encouraged. This issue only affects the May 10, 2022 update installed on servers used as domain controllers. Organizations should continue to apply updates to client Windows devices and non-domain-controller Windows servers.
In its advisory on the issue, Microsoft said: "After installing the update released on May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). An issue has been found related to how the domain controller manages the mapping of certificates to machine accounts."
Microsoft shared a list of affected platforms:
Client:
● Windows 11 Version 21H2
● Windows 10 Version 21H2
● Windows 10 Version 21H1
● Windows 10 Version 20H2
● Windows 10 Version 1909
● Windows 10 Version 1809
● Windows 10 Enterprise LTSC 2019
● Windows 10 Enterprise LTSC 2016
● Windows 10 Version 1607
● Windows 10 Enterprise 2015 LTSB
● Windows 8.1
● Windows 7 SP1
Server:
● Windows Server 2022
● Windows Server Version 20H2
● Windows Server Version 1909
● Windows Server Version 1809
● Windows Server 2019
● Windows Server 2016
● Windows Server 2012 R2
● Windows Server 2012
● Windows Server 2008 R2 SP1
● Windows Server 2008 SP2
These problems are caused mainly by two of the patches, for Windows Kerberos and Active Directory Domain Services, tracked as CVE-2022-26931 and CVE-2022-26923 respectively. Since it is not possible to pick which of the patches to install, CISA no longer encourages IT administrators to install the May Patch Tuesday update on DCs.
Microsoft has so far provided a workaround that involves manually mapping certificates, and it also offers temporary mitigations:
The preferred mitigation for this issue is to manually map certificates to a machine account in Active Directory. For instructions, see Certificate Mapping. Note: The instructions are the same for mapping certificates to a user or machine account in Active Directory.
If the preferred mitigation does not work in your environment, see KB5014754: Certificate-based authentication changes on Windows domain controllers for other possible mitigations in the SChannel registry key section. Note: Any mitigation other than the preferred one might lower or disable security hardening.
Microsoft also stresses that applying any of the other mitigations may negatively affect your organization's security posture. Since CISA no longer encourages FCEB agencies to install the May Patch Tuesday update on Windows Server DCs at all, Microsoft will presumably want to ship a more permanent fix as soon as possible.
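As an added illustration of the preferred mitigation (this is not code from the article or from Microsoft's documentation), the following PowerShell builds a strong issuer-plus-serial mapping string for a machine certificate and writes it to the computer account's altSecurityIdentities attribute. It assumes the RSAT ActiveDirectory module is installed, that the caller can write that attribute, and that the certificate path and computer name are placeholders.

```powershell
# Added example: manually map a machine certificate to its AD computer account
# using an X509IssuerSerialNumber mapping in altSecurityIdentities.
# Assumptions: ActiveDirectory module available; 'C:\temp\host01.cer' and
# 'HOST01' are placeholders for the real certificate file and computer name.
Import-Module ActiveDirectory

function New-IssuerSerialMapping {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Issuer DN with its components in reversed order, e.g.
    # "CN=CONTOSO-DC-CA, DC=contoso, DC=com" -> "DC=com,DC=contoso,CN=CONTOSO-DC-CA".
    # (Simple split; a DN containing escaped commas would need a real RDN parser.)
    $issuerParts = $Cert.Issuer -split ',\s*'
    [array]::Reverse($issuerParts)
    $issuer = $issuerParts -join ','

    # Serial number in reversed byte order: the mapping format expects the bytes
    # reversed relative to the hex string shown in the certificate, and skipping
    # this reversal is the usual reason a manual mapping silently fails.
    $bytes = [regex]::Matches($Cert.SerialNumber, '..') | ForEach-Object { $_.Value }
    [array]::Reverse($bytes)
    $serial = ($bytes -join '').ToUpper()

    return "X509:<I>$issuer<SR>$serial"
}

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('C:\temp\host01.cer')
$mapping = New-IssuerSerialMapping -Cert $cert
Write-Host "Mapping string: $mapping"

# -Replace overwrites the attribute so no stale or weaker mapping lingers on the
# account; use -Add instead if the account legitimately holds several mappings.
Set-ADComputer -Identity 'HOST01' -Replace @{ altSecurityIdentities = $mapping }

# Read the attribute back to confirm what the DC will evaluate.
Get-ADComputer -Identity 'HOST01' -Properties altSecurityIdentities |
    Select-Object -ExpandProperty altSecurityIdentities
```

After the mapping is in place, test an actual certificate logon for that machine (for example an EAP/PEAP connection through NPS), since a typo in the issuer or serial produces an authentication failure rather than an error at write time.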