
How to Fix Windows LSA Spoofing Vulnerability, Still Actively Exploited in the Wild

July 8, 2022

By Peter Barnett

On July 1, 2022, CISA added a previously removed vulnerability back to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
This vulnerability is CVE-2022-26925, Microsoft Windows LSA Spoofing Vulnerability, which Microsoft patched in the May 2022 Patch Tuesday release. Microsoft rates it High (CVSS 8.1, after initially publishing 7.4), while NIST's NVD rates it Medium (5.9). It remains unpatched in many organizations, exposing them to significant risk. In this blog post, we look into the background of CVE-2022-26925, the threat it poses, why patching it is problematic for some organizations, and share recommendations on how to overcome these obstacles and mitigate the risk.

Severity of Microsoft Windows LSA Spoofing Vulnerability

CVE-2022-26925 affects all supported versions of Windows, client and server, from Windows 7 and Windows Server 2008 through Windows 11 and Windows Server 2022.

The bug lets an unauthenticated attacker coerce a domain controller into authenticating with Windows NT LAN Manager (NTLM). In Microsoft's assessment the attack complexity is high because, to exploit it, the attacker must first insert themselves into the logical network path between the target and the resource requested by the victim, so that they can read or modify network messages.
According to Microsoft's advisory, the severity increases when the bug is chained with an NTLM relay attack: the unauthenticated attacker calls a method on the LSARPC interface, coerces the domain controller to authenticate to the attacker using NTLM, and relays that authentication to another service. Microsoft rates the chained scenario (for example, relaying to Active Directory Certificate Services, as in the PetitPotam attacks) as Critical and recommends patching domain controllers first.

Background of the CVE-2022-26925 Vulnerability

CVE-2022-26925 was a zero-day reported by Raphael John of Bertelsmann Printing Group, who found it during penetration tests in January and March 2022; it is an NTLM relay attack vector. According to John, the vulnerability is in fact a variant of the bug known as PetitPotam (CVE-2021-36942), which Microsoft patched in August 2021, almost a year earlier, and which had been actively used in attacks since then. As Raphael said: “It was no advanced reverse engineering, but a lucky accident. During my pentests in January and March I saw that PetitPotam worked against the DCs.”

But the most interesting part happened next. After CVE-2022-26925 was disclosed, CISA quickly added it to the KEV catalog, also known as the “mandatory patch list,” because Binding Operational Directive 22-01 requires federal agencies to remediate listed vulnerabilities within a set deadline. However, shortly afterwards, having been informed by Microsoft, CISA warned that the May update could cause authentication failures when installed on domain controllers. This includes server or client authentication failures for Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, and the EAP and PEAP authentication protocols.

The problem is related to the way domain controllers handle the mapping of PIV/CAC certificates to computer accounts. So CISA removed the CVE from the catalog, and only after Microsoft's June patches, on July 1, returned CVE-2022-26925 to it, with a nuance.

The nuance concerns agencies that use PIV/CAC certificates issued before the corresponding Active Directory account was created. For such configurations, mitigation requires not only installing the June 2022 updates but also setting two registry values on domain controllers.

  1. Apply the June 2022 updates to all Windows endpoints.
  2. On the Windows servers that handle authentication (domain controllers), set the following two registry values under the Kdc service key:

a. Set the time range that a certificate can predate an account to 10 years.

Registry Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
Value: CertificateBackdatingCompensation
Data Type: REG_DWORD
Data: 0x12CC0300 (315,360,000 seconds, i.e. 3,650 days)

b. Set the enforcement mode to 1 (Compatibility).

Registry Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
Value: StrongCertificateBindingEnforcement
Data Type: REG_DWORD
Data: 1 (0 = Disabled, 1 = Compatibility, 2 = Full Enforcement)

Important Note: Microsoft plans to remove Compatibility mode and move all domain controllers to Full Enforcement mode in May 2023. That change will break authentication again for any PIV/CAC certificates that are not strongly mapped to AD accounts or that were issued before the account was created. Before then, either reissue the certificates with the account SID embedded (the certificate extension introduced by the May 2022 updates), add a manual strong mapping to the account's altSecurityIdentities attribute (for example, the issuer and serial number mapping), or issue certificates only after the AD account exists.
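The following PowerShell script is an added example, not code from the original post or from Action1. It applies the two registry values from the table above on a domain controller, reads them back in human-readable form, lists the most recently installed updates so you can confirm a June 2022 or later cumulative update is present, and pulls the KDC warning events (IDs 39, 40 and 41 from the Microsoft-Windows-Kerberos-Key-Distribution-Center provider in the System log, documented in Microsoft's KB5014754) that show which certificates Full Enforcement mode would reject. The function names are this example's own. Run it in an elevated session on each domain controller.

```powershell
# Added example: apply and verify the KDC certificate-mapping mitigation on a
# domain controller. Function names are this example's own, not Microsoft's.
# Run in an elevated PowerShell session on each DC after the June 2022 update.

$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$SecondsPerDay = 86400

function Set-KdcCertificateMitigation {
    param(
        # 0x12CC0300 = 315360000 seconds = 3650 days, the 10-year value from the table above.
        [int]$BackdatingSeconds = 0x12CC0300,
        # 0 = Disabled, 1 = Compatibility, 2 = Full Enforcement
        [ValidateSet(0, 1, 2)][int]$EnforcementMode = 1
    )
    if (-not (Test-Path $KdcKey)) { New-Item -Path $KdcKey -Force | Out-Null }
    New-ItemProperty -Path $KdcKey -Name 'CertificateBackdatingCompensation' `
        -PropertyType DWord -Value $BackdatingSeconds -Force | Out-Null
    New-ItemProperty -Path $KdcKey -Name 'StrongCertificateBindingEnforcement' `
        -PropertyType DWord -Value $EnforcementMode -Force | Out-Null
}

function Get-KdcCertificateMitigation {
    # Read both values back and translate the DWORDs into days and a mode name.
    $p = Get-ItemProperty -Path $KdcKey -ErrorAction SilentlyContinue
    $modes = @{ 0 = 'Disabled'; 1 = 'Compatibility'; 2 = 'Full Enforcement' }
    $seconds = $p.CertificateBackdatingCompensation
    $mode = $p.StrongCertificateBindingEnforcement
    [pscustomobject]@{
        BackdatingSeconds = $seconds
        BackdatingDays    = if ($null -ne $seconds) { [int]($seconds / $SecondsPerDay) } else { $null }
        EnforcementMode   = if ($null -ne $mode) { $modes[[int]$mode] } else { 'Not set' }
    }
}

function Get-RecentUpdates {
    # Newest installed updates: confirm one dated June 2022 or later is present.
    param([int]$Count = 5)
    Get-HotFix |
        Sort-Object InstalledOn -Descending |
        Select-Object -Property HotFixID, Description, InstalledOn -First $Count
}

function Get-KdcWeakMappingEvents {
    # In Compatibility mode the KDC logs, instead of rejecting, certificates that
    # Full Enforcement would refuse: event 39 (no strong mapping), 40 (certificate
    # predates the account), 41 (certificate SID differs from the account SID).
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Set-KdcCertificateMitigation
Get-KdcCertificateMitigation
Get-RecentUpdates
Get-KdcWeakMappingEvents | Format-List
```

Keep the event query running on a schedule while you remain in Compatibility mode: every account that appears in events 39, 40 or 41 is one that will stop authenticating the day the KDC moves to Full Enforcement, so those are the certificates to reissue or strongly map first.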

How Action1 Can Help

Action1 RMM is a centralized cloud solution for remote patch management. With Action1 RMM IT professionals can:

Get started today and use Action1 RMM on 100 endpoints free of charge with no functionality limitations.
