CISA has issued a warning advising administrators not to install the May 2022 Patch Tuesday update on Windows servers that function as domain controllers.
The need to patch Windows systems promptly has once again collided with the risk that the patches themselves introduce. The latest instance is Microsoft's May 2022 Patch Tuesday update, which fixes issues across a wide range of components and which administrators need to test thoroughly before broad deployment so that a faulty patch does not cause an outage.
In the May 2022 Patch Tuesday update, Microsoft released 75 unique new CVEs, eight of which were rated critical. Microsoft also published three additional CVEs, described as zero-day threats, covering further products, bringing the total to 78.
However, enterprises that installed the May 2022 Patch Tuesday updates experienced authentication failures caused by credential mismatches on servers that function as domain controllers and that map certificates to machine accounts. This is unlikely to affect consumers significantly, but it can hit enterprises with this particular setup hard.
CISA issues a warning not to deploy the May 2022 Patch Tuesday updates on domain controllers.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a notice that it has temporarily removed the Windows security flaw CVE-2022-26925 from its Known Exploited Vulnerabilities catalog because deploying the May 10, 2022 Patch Tuesday updates to domain controllers causes authentication failures.
CISA also warns organizations of authentication failures on servers running Network Policy Server (NPS) and Routing and Remote Access Service (RRAS), and in authentication flows that rely on RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).
Industry veteran Ran Harel, Principal Security Product Manager at Semperis, also sheds some light on the issue by stating, “Recent Active Directory authentication issues related to the May 2022 Patch Tuesday illustrate the complexity involved with securing AD. When installed on Windows servers functioning as domain controllers, the update prompted authentication failures for the NPS, RRA, EAP, and PEAP services. The patch “breaks” certificate-based computer authentication to domain controllers. Although Microsoft is working to repair these issues, in the meantime, the company is recommending workarounds—including manual certificate mapping.”
The severity of CVE-2022-26925
CVE-2022-26925 is a Windows LSA spoofing vulnerability that was already being exploited as a zero-day when Microsoft rated it Important, with a CVSS score of 8.1 on its own. It is more dangerous than that rating suggests because it can be chained with NTLM relay attacks against Active Directory Certificate Services, in the style of PetitPotam, which attackers can use to take over Windows domain controllers and other servers. Microsoft rates the chained attack at CVSS 9.8. Pulling off the full chain is not trivial, but the vulnerability is nonetheless listed as actively exploited.
Ran Harel also adds, “What does this mean for organizations worried about falling victim to the next PetitPotam? CVE-2022-26925 can leave systems vulnerable to authentication-coercion exploits. Such attacks are chained with NTLM relay on affected services. Mitigating authentication coercion is no trivial task. A few top security researchers, such as James Forshaw and Ben Delpy, have highlighted the fact that RPC filters can be used to restrict access to the affected endpoints. Access can also be restricted to specific groups.”
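As an added illustration of the RPC-filter approach Harel refers to (example code, not from the article, Semperis or Microsoft), the PowerShell below wraps the built-in `netsh rpc filter` commands to block the two EFSRPC interface UUIDs that PetitPotam coerces. This is the community mitigation that researchers publicised, not an official Microsoft fix. The interface UUIDs are the published EFSRPC ones; the function names are assumptions for this example. Run it from an elevated prompt on the domain controller.

```powershell
# Added example: block the EFSRPC interfaces abused by PetitPotam with Windows RPC filters.
# Requires an elevated prompt; uses the standard "netsh rpc filter" CLI.
# Caveat: this also disables legitimate remote EFS use on the host.

# The two RPC interface UUIDs reachable via \pipe\efsrpc and \pipe\lsarpc (EFSRPC).
$EfsRpcInterfaces = @(
    'c681d488-d850-11d0-8c52-00c04fd90f7e',
    'df1941c5-fe89-4e79-bf10-463657acf44d'
)

function Add-EfsRpcBlockFilter {
    [CmdletBinding()]
    param([string[]]$InterfaceUuid = $EfsRpcInterfaces)

    foreach ($uuid in $InterfaceUuid) {
        # A filter is built in three steps: a rule with an action,
        # one or more conditions, then "add filter" commits it.
        netsh rpc filter add rule layer=um actiontype=block | Out-Null
        netsh rpc filter add condition field=if_uuid matchtype=equal data=$uuid | Out-Null
        netsh rpc filter add filter | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh failed while adding the filter for $uuid" }
    }
}

function Remove-AllRpcFilters {
    # Roll back: deletes every user-mode RPC filter on the host, not only the ones above.
    netsh rpc filter delete filter filterkey=all | Out-Null
}

Add-EfsRpcBlockFilter
# Verify: the listing should show two filters, each with an EFSRPC UUID as its condition.
netsh rpc filter show filter
```

Because the filter matches on interface UUID alone, every caller is blocked, including backup agents that use EFS over the network; test on one controller first. The same CLI can match on the caller's token (the `remote_user_token` condition field, which takes an SDDL string) to allow only specific groups, which is the "restricted to specific groups" variant Harel mentions.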
Microsoft has informed CISA that the authentication issues stem from how domain controllers handle certificate mapping to machine accounts. The May 2022 Patch Tuesday updates only trigger the problem on Windows systems functioning as domain controllers, so Microsoft recommends that administrators continue to deploy the updates on Windows servers that are not domain controllers and on Windows client systems.
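The manual certificate mapping that Microsoft recommends as a workaround, as an added PowerShell example (not code from the article, Microsoft or CISA). It builds the issuer-plus-reversed-serial-number mapping string that Microsoft's KB5014754 article (not cited on this page) documents for the altSecurityIdentities attribute and writes it to the machine account with the RSAT ActiveDirectory module. The certificate-selection filter and the function names are assumptions for this example; adjust the subject filter to how your CA issues machine certificates.

```powershell
# Added example: manually map a machine's certificate to its AD computer account,
# the workaround Microsoft recommended for the May 2022 authentication failures.
# Requires the RSAT ActiveDirectory module and rights to write altSecurityIdentities.
# Run on the machine that holds the certificate.
Import-Module ActiveDirectory

function ConvertTo-ReversedSerial {
    # The <SR> form expects the serial number with its byte order reversed, e.g.
    # serial 2B0000000011AC0000000012 becomes 1200000000AC11000000002B.
    param([Parameter(Mandatory)][string]$SerialNumber)
    $hex = $SerialNumber -replace '[^0-9A-Fa-f]', ''
    $pairs = @(for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) })
    [array]::Reverse($pairs)
    return (-join $pairs).ToUpper()
}

function ConvertTo-IssuerMappingName {
    # X509Certificate2.Issuer reads "CN=CA, DC=contoso, DC=com"; the mapping wants the
    # RDNs in reverse order with no spaces: "DC=com,DC=contoso,CN=CA".
    # Assumption: no RDN contains an escaped comma.
    param([Parameter(Mandatory)][string]$Issuer)
    $rdns = @($Issuer -split ',\s*' | ForEach-Object { $_.Trim() })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function New-StrongCertificateMapping {
    # Produces "X509:<I>issuer<SR>reversedSerial", a strong mapping under KB5014754.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $issuer = ConvertTo-IssuerMappingName -Issuer $Certificate.Issuer
    $serial = ConvertTo-ReversedSerial -SerialNumber $Certificate.SerialNumber
    return "X509:<I>$issuer<SR>$serial"
}

# Pick the machine's own certificate (assumed subject filter; adjust for your CA).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$env:COMPUTERNAME.*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No machine certificate found for $env:COMPUTERNAME" }

$mapping = New-StrongCertificateMapping -Certificate $cert
# -Add appends to the multi-valued attribute, so existing mappings are preserved.
Set-ADComputer -Identity $env:COMPUTERNAME -Add @{ altSecurityIdentities = $mapping }

# Verify that the attribute now carries the new mapping string.
(Get-ADComputer -Identity $env:COMPUTERNAME -Properties altSecurityIdentities).altSecurityIdentities
```

The mapping must be re-done whenever the certificate is renewed, because the serial number changes; an auto-enrolled machine certificate will therefore silently fall out of the mapping at renewal time unless the process is automated or the mapping is switched to a form that survives renewal.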