How to Fix Windows LSA Spoofing Vulnerability, Still Actively Exploited in the Wild

Severity of Microsoft Windows LSA Spoofing Vulnerability

CVE-2022-26925 affects all versions of Windows, including client and server platforms, from Windows 7 and Windows Server 2008 to Windows 11 and Windows 2022.

The bug introduces a Windows LSA spoofing vulnerability, opening the way for unauthenticated attackers to authenticate to domain controllers using Windows NT LAN Manager (NTLM). But to do so, they must first infiltrate the logical network path between the target and the resource requested by the victim to be able to read or modify network messages.
According to Microsoft’s announcement, the vulnerability’s severity increases if it is linked to another vulnerability. In this case, an unauthenticated attacker could invoke the LSARPC interface method and force the domain controller to authenticate using NTLM.

Background of the CVE-2022-26925 Vulnerability

CVE-2022-26925 was a 0-day discovered by Raphael John of Bertelsmann Printing Group in January-March 2022 and was the NTLM relay attack vector. Raphael’s assurance was that the vulnerability is actually a bug known as PetitPotam (CVE-2021-36942), which was patched, almost a year ago in summer 2021 and was actively used in attacks since back then. As Raphael said: “It was no advanced reverse engineering, but a lucky accident. During my pentests in January and March I saw that PetitPotam worked against the DCs.”

But the most interesting part happened next. After the CVE-2022-26925 was discovered, CISA quickly added it to KEVS, also known as the “mandatory patch list,” because federal agencies are required to patch vulnerabilities in this directory within a certain period of time. However, shortly after being informed by Microsoft, CISA said that the May update could cause authentication failures when installed on domain controllers. This includes server or client authentication issues for Network Policy Server (NPS) services, Routing and Remote Access Service (RRAS), Radius, EAP and PEAP authentication protocols.

The problem is related to the way the mapping of PIV/CAC certificates to computer accounts is handled by domain controllers. So CISA removed this bug from the list and only after Microsoft’s June patches on July 1st returned CVE-2022-26925 back in to it but with nuance.

The nuance is related to agencies that use PIV/CAC certificates that are issued before Active Directory account for a user is created. So, for such configuration mitigation not only includes installing June patches but also configuring registry in a certain way.

1. Apply June 2022 updates to all Windows endpoints.
2. On Windows servers handling authentication (Domain Controllers), set the two registry keys:

a. Set the time range that a certificate can predate an account to 10 years.

b. Set the enforcement mode to 1 (Compatibility).

Important Note: Microsoft plans to remove ‘Compatibility Mode’ and move all Windows Server devices to ‘Full Enforcement’ mode in May 2023. This change will break authentication again if you still will have PIV/CAC certificates not strongly mapped to AD accounts or issued before AD accounts creation. In this case, you have to think about adding SIDs to certs or issue certs-only after creating an AD account.

How Action1 Can Help?

Action1 is a centralized cloud solution for remote patch management. With Action1 IT professionals can:

• Automate deployment of Microsoft patches across all managed endpoints
• Modify registry in bulk by using PowerShell scripts
• Configure patch management policies and schedule update deployment
• Receive alerts whenever a vulnerability is detected and a new patch becomes available
• Prove compliance with comprehensive reports on update history and statuses.