CISA: Here’s How to Apply This Important Windows Patch Without Breaking Certificate Validation

The Cybersecurity and Infrastructure Security Agency (CISA) is currently advising federal and other agencies to patch a Windows vulnerability from Microsoft’s May Patch Tuesday release.

CISA has re-added the Windows vulnerability CVE-2022-26925 to its Known Exploited Vulnerabilities (KEV) catalog and asked federal agencies to patch it by July 22.

The bug resides in the Windows Local Security Authority (LSA), which “contains a spoofing vulnerability where an attacker could force a domain controller to authenticate to an attacker using NTLM.”

NTLM (NT LAN Manager) is a legacy Microsoft authentication protocol for Active Directory that was implemented in Windows 2000. LSA allows applications to authenticate and log users on to the local system.

On May 15, CISA temporarily removed CVE-2022-26925 from the KEV catalog because of the logon issues customers experienced after applying the update on Windows Servers acting as domain controllers, i.e. the servers that handle user authentication.

Besides potentially breaking credential-based logins for users at many federal agencies, the fix is also complex to implement.

On July 1, CISA published separate instructions for applying the patch for CVE-2022-26925, which also contains fixes for two related bugs addressed in the May Patch Tuesday update: CVE-2022-26923, an Active Directory Domain Services elevation of privilege vulnerability, and CVE-2022-26931, a Windows Kerberos elevation of privilege vulnerability. (Kerberos is the successor to NTLM for authentication in Active Directory.)

But as CISA explains, these updates caused login failures at “many federal agencies” that used Personal Identity Verification (PIV) / Common Access Card (CAC) certificates for authentication. The problem stems from Active Directory, after the May 2022 update, looking for “strong mapping between certificates and accounts”.

To avoid these login problems, CISA now suggests following its steps to set up two registry keys on the domain controller.

Registry key settings allow administrators to control whether domain controllers are in “Compatibility Mode” or “Full Enforcement Mode”.

Microsoft explains that the reason for closer inspection of certificates in Compatibility Mode is that, prior to the May 2022 security update, certificate-based authentication did not take into account the dollar sign ($) at the end of a machine name, allowing spoofing attacks.

Applying the May 2022 security update puts devices in Compatibility Mode. Next year, on May 9, 2023, Microsoft will move all devices to Full Enforcement Mode if they are not already in it.

“Once you’ve installed the Windows 10 May 2022 update, the devices will be in Compatibility mode. If the certificate can be strongly mapped to the user, the authentication will happen as expected. If the certificate can only be weakly mapped to the user, authentication happens as expected,” Microsoft explains in an FAQ.

“However, a warning message will be logged unless the certificate is older than the user. If the certificate is older than the user and the Certificate Backdating registry key is not present or the range is outside the fallback offset, validation will fail and an error message will be logged. If the Certificate Backdating registry key is configured, it will log a warning message in the event log if the date is in the backdating offset.

“After you install the Windows 10 May 2022 update, watch out for any warning messages that may appear after a month or more. If there are no warning messages, we strongly recommend that you enable Full Enforcement mode on all domain controllers that use authentication certificates. You can use the KDC registry key to enable Full Enforcement mode.”
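The check Microsoft describes above (confirm which mode the domain controller is in, then watch for a month or more of warning events before switching the KDC key to Full Enforcement) can be scripted. The following PowerShell is an added example, not from the article, CISA or Microsoft; it assumes the registry value names and KDC event IDs documented in Microsoft KB5014754, which the article does not list, and is meant to be run elevated on a domain controller.

```powershell
# Added example: audit a domain controller's certificate-mapping enforcement state
# and the Compatibility-mode warnings it has logged, to decide whether it is safe
# to move to Full Enforcement mode. Value names and event IDs are assumed from
# Microsoft KB5014754 (not given in the article).
$KdcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'

function Get-CertMappingEnforcementState {
    param([int]$LookbackDays = 30)   # Microsoft's guidance: a month or more with no warnings

    # KDC registry key: 0 = disabled, 1 = Compatibility mode, 2 = Full Enforcement mode.
    # A missing value means the post-May-2022 default, Compatibility mode.
    $kdc = Get-ItemProperty -Path $KdcKey -ErrorAction SilentlyContinue
    $enforcement = 1
    if ($null -ne $kdc.StrongCertificateBindingEnforcement) { $enforcement = [int]$kdc.StrongCertificateBindingEnforcement }
    $mode = switch ($enforcement) { 0 { 'Disabled' } 1 { 'Compatibility' } 2 { 'FullEnforcement' } default { "Unknown($enforcement)" } }

    # Certificate Backdating registry key: seconds a certificate may predate the account it maps to.
    $backdating = $kdc.CertificateBackdatingCompensation

    # Schannel mapping methods, the second key CISA's instructions cover (shown as hex when present).
    $schannel = Get-ItemProperty -Path $SchannelKey -ErrorAction SilentlyContinue
    $mappingMethods = $null
    if ($null -ne $schannel.CertificateMappingMethods) { $mappingMethods = '0x{0:X}' -f [int]$schannel.CertificateMappingMethods }

    # Compatibility-mode warnings from the KDC in the System log:
    # 39 = certificate has no strong mapping, 40 = certificate predates the account,
    # 41 = SID in the certificate does not match the account.
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
                 Id = 39, 40, 41; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $counts = @{}
    foreach ($id in 39, 40, 41) { $counts[$id] = @($events | Where-Object Id -eq $id).Count }
    $totalWarnings = ($counts.Values | Measure-Object -Sum).Sum

    [pscustomobject]@{
        ComputerName                     = $env:COMPUTERNAME
        Mode                             = $mode
        BackdatingCompensationSeconds    = $backdating
        SchannelCertificateMappingMethods = $mappingMethods
        Warnings_NoStrongMapping_39      = $counts[39]
        Warnings_CertPredatesUser_40     = $counts[40]
        Warnings_SidMismatch_41          = $counts[41]
        # Only worth switching the KDC key to 2 when not already enforcing and no warnings were seen.
        ReadyForFullEnforcement          = ($enforcement -ne 2) -and ($totalWarnings -eq 0)
    }
}

Get-CertMappingEnforcementState -LookbackDays 30 | Format-List
```

A non-zero warning count identifies the accounts whose certificates still lack a strong mapping (or a SID), which is exactly the population that would stop authenticating once Full Enforcement is turned on.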

But CISA says that agencies should not yet move to strong certificate-to-user mapping, in part because it could conflict with some valid use cases in the Federal PKI ecosystem. CISA said it is in discussions with Microsoft to find a solution that is less disruptive.

CISA says that Microsoft’s push to “Full Enforcement” mode on Windows Server devices in May 2023 “will break authentication if agencies don’t create strong mappings or add SIDs to certificates.”

“CISA and the interdisciplinary working group are in active discussions with Microsoft to develop a roadmap for improvement. At this point, CISA does not recommend that agencies pursue a transition to strong mapping,” said CISA.
