Microsoft patched a Windows Local Security Authority (LSA) spoofing vulnerability, tracked as CVE-2022-26925, with its latest Patch Tuesday updates. The high severity flaw allowed an unauthenticated attacker to call a method on the LSARPC interface anonymously and coerce the Domain Controller (DC) into authenticating to the attacker over NTLM. Relayed to a suitable target, that coerced authentication could lead to elevation of privilege and, in the worst case, an attacker taking control of the entire domain.
Detailing this vulnerability is important because the U.S. Cybersecurity and Infrastructure Security Agency (CISA) had mandated that Federal Civilian Executive Branch (FCEB) agencies install these updates within three weeks to protect themselves against this vulnerability and others. However, it has now removed this requirement because the latest Patch Tuesday updates also cause authentication problems when installed on DCs - which we talked about previously.
These issues are primarily caused by two patches for Windows Kerberos and Active Directory Domain Services, tracked as CVE-2022-26931 and CVE-2022-26923, respectively. And since the monthly update is cumulative, so it is not possible to pick and choose which patches to install, CISA is no longer encouraging IT admins to install May's Patch Tuesday updates on DCs. A note on the announcement reads:
Installation of updates released May 10, 2022, on client Windows devices and non-domain controller Windows Servers will not cause this issue and is still strongly encouraged. This issue only affects May 10, 2022 updates installed on servers used as domain controllers. Organizations should continue to apply updates to client Windows devices and non-domain controller Windows Servers.
For now, Microsoft has provided a workaround that involves manually mapping certificates to the accounts that use them. It has also strongly emphasized that applying any other mitigations may affect your organization's security posture negatively.
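As an illustration of what "manually mapping certificates" means in practice, the following PowerShell script is an added example and is not code from the article or from Microsoft's guidance. It builds the strong X509 mapping string that Microsoft documents in KB5014754 (the certificate's issuer DN in reversed component order, followed by the serial number in reversed byte order) and writes it to the account's altSecurityIdentities attribute. The certificate path, the account name, and the availability of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not from the article: write a KB5014754-style strong certificate
# mapping to an Active Directory computer account's altSecurityIdentities attribute.
# Assumptions: the RSAT ActiveDirectory module is installed, the caller may modify the
# target account, and the certificate path and account name below are placeholders.
param(
    [string]$CertPath   = 'C:\certs\srv01.cer',   # assumed path to the issued certificate
    [string]$AccountSam = 'SRV01$'                # assumed computer account (sAMAccountName)
)

Import-Module ActiveDirectory

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Issuer DN with its components in reversed order, as the mapping format expects:
# "CN=CONTOSO-DC-CA, DC=contoso, DC=com" becomes "DC=com,DC=contoso,CN=CONTOSO-DC-CA".
# Caveat: a simple split on commas is wrong for DN components containing escaped commas;
# inspect the result before writing it to the directory.
$issuerParts = $cert.Issuer -split ',\s*'
[array]::Reverse($issuerParts)
$issuerDn = $issuerParts -join ','

# Serial number in reversed byte order: "1200000000AC11000000002B" becomes
# "2B0000000011AC0000000012".
$serialBytes = @()
for ($i = 0; $i -lt $cert.SerialNumber.Length; $i += 2) {
    $serialBytes += $cert.SerialNumber.Substring($i, 2)
}
[array]::Reverse($serialBytes)
$reversedSerial = $serialBytes -join ''

$mapping = "X509:<I>$issuerDn<SR>$reversedSerial"
Write-Host "Mapping to write: $mapping"

# -Replace overwrites any existing mappings; use -Add instead to keep existing ones.
Set-ADComputer -Identity $AccountSam -Replace @{ altSecurityIdentities = $mapping }

# Read it back to confirm what is now stored on the account.
Get-ADComputer -Identity $AccountSam -Properties altSecurityIdentities |
    Select-Object Name, altSecurityIdentities
```

For a user account, swap Set-ADComputer and Get-ADComputer for Set-ADUser and Get-ADUser; the mapping string format is the same. Because the issuer-and-serial mapping is tied to one specific certificate, it has to be updated whenever the certificate is renewed, which is the operational cost of this workaround compared with the automatic mapping the May updates changed.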
Given that CISA has discouraged the FCEB from installing the May Patch Tuesday update on Windows Server DCs entirely, Microsoft will likely want to push out a more permanent fix as soon as possible.
Source: CISA via BleepingComputer