Back in November, on the second Tuesday of the month, Microsoft released its Patch Tuesday update. The one for servers (KB5019081) addressed a Windows Kerberos elevation of privilege vulnerability that allowed threat actors to alter Privilege Attribute Certificate (PAC) signatures (tracked under ID "CVE-2022-37967"). Microsoft recommended deploying the update to all Windows devices including domain controllers.
In order to help with the deployment, Microsoft published guidance. The firm summarized the meat of the matter as follows:
The November 8, 2022 Windows updates address security bypass and elevation of privilege vulnerabilities with Privilege Attribute Certificate (PAC) signatures. This security update addresses Kerberos vulnerabilities where an attacker could digitally alter PAC signatures, raising their privileges.
To help secure your environment, install this Windows update to all devices, including Windows domain controllers.
At the end of last month, the company issued a reminder regarding the third deployment phase. While it was supposed to be out with this month"s Patch Tuesday, Microsoft has now pushed it back by a couple of months to June. The update on the Windows Health dashboard message center says:
Security hardening changes needed on domain controllers in IT environments to address CVE-2022-37967 will enter the Third deployment phase, as outlined in KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967 on June 13, 2023. Previous announcements had listed this change as taking place in April, however, that date has changed.
The June Patch Tuesday will make the following hardening change to Kerberos protocol:
The Windows updates released on or after June 13, 2023 will do the following:
- Remove the ability to disable PAC signature addition by setting the KrbtgtFullPacSignature subkey to a value of 0.
You may find additional details on the support article here (KB5020805).