The Cybersecurity & Infrastructure Security Agency (CISA) is now advising federal agencies and others to patch a Windows flaw from Microsoft’s May Patch Tuesday.
The bug resides in Windows Local Security Authority (LSA), which “contains a spoofing vulnerability where an attacker can force the domain controller to authenticate to the attacker using NTLM.”
NTLM, or NT LAN Manager, is an outdated Microsoft authentication protocol for Active Directory, introduced with Windows 2000. LSA allows applications to authenticate users and log on to a local system.
CISA temporarily removed CVE-2022-26925 on May 15 from the KEV catalog due to login issues customers experienced after applying the update on Windows servers used as domain controllers, i.e. Windows servers used for user authentication.
In addition to potentially breaking user logins at many federal agencies, the fix is also complicated to roll out.
On July 1, CISA published separate guidance for applying the CVE-2022-26925 patch, which also contains fixes for two related bugs addressed in the May Patch Tuesday update: CVE-2022-26923, an elevation of privilege vulnerability in Active Directory Domain Services; and CVE-2022-26931, an elevation of privilege vulnerability in Windows Kerberos. (Kerberos is the successor to NTLM for authentication in Active Directory.)
But as CISA explains, these updates caused login errors at “many federal agencies” that use Personal Identity Verification (PIV)/Common Access Card (CAC) certificates for authentication. The breakage stems from Active Directory, which, after the May 2022 update, looks for a “strong mapping between the certificate and the account”.
To avoid these login problems, CISA now recommends following the steps for setting two registry keys on domain controllers.
The registry key settings allow administrators to determine whether the domain controller is in “Compatibility Mode” or “Full Enforcement Mode”.
Microsoft explains that the reason for the stricter certificate checks introduced with compatibility mode is that, before the May 2022 security update, certificate-based authentication did not take into account a dollar sign ($) at the end of a machine name, which allowed spoofing attacks.
Applying the May 2022 security update puts devices into compatibility mode. And next year, on May 9, 2023, Microsoft will update all devices to full enforcement mode if they aren’t already in it.
“Once you install the Windows 10 May 2022 updates, devices will be in Compatibility Mode. If a certificate can be strongly mapped to a user, authentication will occur as expected. If a certificate can only be weakly mapped to a user, authentication will take place as expected,” explains Microsoft in a FAQ.
“However, a warning message is logged unless the certificate is older than the user. If the certificate is older than the user and the certificate backdating registry key is not present or the range is outside the backdating compensation, authentication will fail and an error is logged. If the certificate backdating registry key is configured, a warning message is logged in the event log if the dates are within the backdating compensation.
“After installing the Windows 10 May 2022 updates, be aware of warning messages that may appear after a month or more. If there are no warning messages, we strongly recommend that you enable full enforcement mode on all domain controllers that use certificate-based authentication. You can use the KDC registry key to enable full enforcement mode.”
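As an added example (not code from the article, CISA or Microsoft), the following read-only PowerShell audit reports which of the two modes a domain controller is in and whether the backdating key is set. It assumes it is run with administrative rights on the domain controller itself; the key and value names are taken from Microsoft's published guidance for the May 2022 update (KB5014754), which the article only refers to as “the KDC registry key” and “the certificate backdating registry key”.

```powershell
# Added example: read-only audit of certificate-mapping enforcement on a domain controller.
# Key/value names come from Microsoft's guidance for the May 2022 update (KB5014754);
# the article itself does not name them. Nothing here modifies the registry.

$KdcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'

function Get-RegDword($Path, $Name) {
    # Return $null when the value is absent so "not set" stays distinct from 0
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-CertMappingEnforcementState {
    $enforce  = Get-RegDword $KdcKey      'StrongCertificateBindingEnforcement'
    $backdate = Get-RegDword $KdcKey      'CertificateBackdatingCompensation'
    $methods  = Get-RegDword $SchannelKey 'CertificateMappingMethods'

    # StrongCertificateBindingEnforcement per Microsoft's guidance:
    # absent = update default (Compatibility Mode), 0 = disabled,
    # 1 = Compatibility Mode, 2 = Full Enforcement Mode
    if     ($null -eq $enforce) { $mode = 'Compatibility Mode (value not set; update default)' }
    elseif ($enforce -eq 0)     { $mode = 'Disabled (no strong-mapping checks; weakest setting)' }
    elseif ($enforce -eq 1)     { $mode = 'Compatibility Mode (weak mappings allowed, warnings logged)' }
    elseif ($enforce -eq 2)     { $mode = 'Full Enforcement Mode (weak mappings rejected)' }
    else                        { $mode = "Unknown value $enforce" }

    [pscustomobject]@{
        ComputerName                        = $env:COMPUTERNAME
        StrongCertificateBindingEnforcement = $enforce
        Mode                                = $mode
        CertificateBackdatingCompensation   = $backdate   # seconds; $null = key not present
        SchannelCertificateMappingMethods   = $methods
        WeakMappingsStillAccepted           = ($enforce -ne 2)
    }
}

# Run on every domain controller (for example via Invoke-Command) and review the
# KDC event log for weak-mapping warnings before switching to Full Enforcement.
Get-CertMappingEnforcementState | Format-List
```

A domain controller reporting `WeakMappingsStillAccepted = True` is the case the article describes: logins still work, but the warnings in the event log show which accounts would fail once Full Enforcement is turned on.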
But CISA says agencies shouldn’t migrate to strong certificate mapping just yet, in part because it could conflict with some valid use cases in the federal PKI ecosystem. CISA says it is in talks with Microsoft to find a less disruptive solution.
CISA says Microsoft’s plan to push Windows Server devices into “Full Enforcement” mode in May 2023 “will break authentication if authorities haven’t created strong mapping or added SIDs to certificates.”
“CISA and the Interagency Working Group are in active discussions with Microsoft for an improved path forward. [CISA does] not recommend that agencies migrate to a strong mapping,” says CISA.