CISA warns not to install May Windows updates on domain controllers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has removed a Windows security flaw from its catalog of known exploited vulnerabilities because of Active Directory (AD) authentication issues caused by the May 2022 updates that patch it.

This security bug is an actively exploited Windows LSA spoofing zero-day tracked as CVE-2022-26925, confirmed as a new PetitPotam Windows NTLM Relay attack vector.

Unauthenticated attackers abuse CVE-2022-26925 to force domain controllers to authenticate to them remotely via the Windows NT LAN Manager (NTLM) security protocol and, likely, take control of the entire Windows domain.

May 2022 security updates and AD auth issues

Microsoft patched it together with 74 other security flaws (two of them also zero-days) as part of the security patches issued on the May 2022 Patch Tuesday.

However, patches for two elevation of privilege vulnerabilities in Windows Kerberos and Active Directory Domain Services (tracked as CVE-2022-26931 and CVE-2022-26923) will also cause service authentication problems when deployed on Windows Server domain controllers.

Before it was removed from the Known Exploited Vulnerabilities Catalog, all Federal Civilian Executive Branch (FCEB) agencies were required to apply the security updates within 3 months (until June 1, 2022), according to the BOD 22-01 binding operational directive issued in November 2021.

Since Microsoft no longer provides separate installers for each security issue it addresses during Patch Tuesday, installing this month’s security updates will also trigger the AD auth issues, because admins cannot choose to install only one of the security updates (i.e., the one that addresses the new PetitPotam attack vector).

As CISA noted, “Installation of updates released May 10, 2022, on client Windows devices and non-domain controller Windows Servers will not cause this issue and is still strongly encouraged.”

“This issue only affects May 10, 2022 updates installed on servers used as domain controllers. Organizations should continue to apply updates to client Windows devices and non-domain controller Windows Servers,” the cybersecurity agency added.

Workaround available for auth issues

Until Microsoft issues an official update to address the AD auth problems caused by installing this month’s security updates, the company recommends manually mapping certificates to a machine account in Active Directory.

“If the preferred mitigation will not work in your environment, please see ‘KB5014754—Certificate-based authentication changes on Windows domain controllers’ for other possible mitigations in the SChannel registry key section,” the company said.

“Any other mitigation except the preferred mitigations might lower or disable security hardening.”

However, Windows admins have shared with BleepingComputer other ways to restore authentication for users impacted by this known issue.

One of them says that the only way they could get some users to log in after installing the May 2022 Windows update was to disable the StrongCertificateBindingEnforcement key by setting it to 0.

If it is not present in the registry on your systems, you can create it from scratch using a REG_DWORD data type and set it to 0 to disable the strong certificate mapping check (even though this is not recommended by Microsoft, it is the only way to allow all users to log in in some environments).
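Because the value-0 workaround leaves certificate mapping hardening switched off, an admin will want to know which domain controllers are still running with it. The PowerShell below is an added example (not code from the article, CISA or Microsoft); it takes the registry path and the meaning of the values 0/1/2 from KB5014754, and assumes WinRM is enabled on the DCs and the ActiveDirectory module is installed where it runs.

```powershell
# Added audit example: report the StrongCertificateBindingEnforcement state
# on every domain controller in the domain. Path and value meanings per
# KB5014754 (0 = check disabled, 1 = compatibility mode, 2 = full enforcement).
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'StrongCertificateBindingEnforcement'

function Get-StrongCertBindingState {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Read the value; $null means the value was never created (post-update default).
    $read = {
        param($Key, $Name)
        (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    $raw = if ($ComputerName.Split('.')[0] -eq $env:COMPUTERNAME) {
        & $read $KdcKey $ValueName
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $read -ArgumentList $KdcKey, $ValueName
    }

    if ($null -eq $raw) {
        $state = 'Not set (post-update default applies)'
    } else {
        $state = switch ([int]$raw) {
            0       { 'DISABLED: strong certificate mapping check turned off' }
            1       { 'Compatibility mode' }
            2       { 'Full enforcement' }
            default { "Unexpected value $raw" }
        }
    }

    [pscustomobject]@{
        DomainController  = $ComputerName
        Value             = $raw
        State             = $state
        HardeningDisabled = ($null -ne $raw -and [int]$raw -eq 0)   # the article's workaround
    }
}

# Enumerate the domain's DCs and flag the ones still running with the check disabled.
$dcs    = (Get-ADDomainController -Filter *).HostName
$report = foreach ($dc in $dcs) { Get-StrongCertBindingState -ComputerName $dc }
$report | Format-Table -AutoSize
foreach ($r in ($report | Where-Object HardeningDisabled)) {
    Write-Warning "$($r.DomainController): $ValueName=0, re-evaluate once Microsoft's fix is installed"
}
```

Run it from a machine with RSAT as an account that can query the DCs' registries; the warning lines are the list of DCs to revisit when Microsoft ships the fix for the auth issue.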