MAY 19, 2022 16:36 GMT
Proceed with caution before patching Domain Controllers in your environment with Microsoft’s May 10 updates.
There are reports of authentication failures after applying the most recent Windows updates to Domain Controllers (DCs) in Microsoft Active Directory environments. At this point, Microsoft still strongly recommends applying these updates to Windows machines that are not acting as DCs.
Details
After installing Microsoft's May 10 updates on a DC, authentication can fail on either the client or the server side for services that rely on certificate-based authentication. The root cause is a change in how the DC maps certificates to machine accounts, introduced to harden certificate-based authentication in AD against CVE-2022-26931 and CVE-2022-26923.
CISA provides the following non-exhaustive list of impacted services in their advisory:
- Network Policy Server (NPS)
- Routing and Remote access Service (RRAS)
- RADIUS, Extensible Authentication Protocol (EAP)
- Protected Extensible Authentication Protocol (PEAP)
Because the fix for CVE-2022-26925 ships in the same cumulative update, CISA temporarily removed CVE-2022-26925 from its Known Exploited Vulnerabilities (KEV) catalog on May 13. This is despite CVE-2022-26925 being a PetitPotam-style NTLM relay vulnerability (Windows LSA spoofing) that can allow an unauthenticated attacker to compromise an entire AD domain, and despite reports that it is being exploited in the wild.
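Before deciding whether the May update has bitten a given domain, it helps to ask the DCs directly. The script below is an added example (not part of the original post or of KB5014754): it reports each DC's certificate-binding enforcement mode and collects the Kerberos KDC events that KB5014754 documents for certificates that were accepted but could not be strongly mapped. It assumes the RSAT ActiveDirectory module, read access to the System log and registry on the DCs, and DCs running Windows Server 2016 or later (the KB documents event IDs 39/40/41 for those; Server 2012 and 2008 R2 log 41/48/49 instead, so adjust the filter for older DCs).

```powershell
# Added triage example (not from the original post or from KB5014754).
# Assumptions: RSAT ActiveDirectory module is installed, the caller can read the System log
# and the Kdc registry key on each DC, and the DCs run Windows Server 2016 or later.
param(
    [string[]]$DomainControllers = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
    [int]$Hours = 24
)

# KB5014754 events in the System log on a DC:
#   39 - certificate was valid but could not be mapped strongly (no SID extension, no explicit mapping)
#   40 - certificate was issued before the account it maps to existed
#   41 - SID in the certificate does not match the account's SID
$eventFilter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 39, 40, 41
    StartTime    = (Get-Date).AddHours(-$Hours)
}

foreach ($dc in $DomainControllers) {
    # StrongCertificateBindingEnforcement: 0 = Disabled, 1 = Compatibility (default after the
    # May update), 2 = Full Enforcement. A missing value means the default (1) is in effect.
    $mode = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' `
            -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
    }
    if ($null -eq $mode) { $mode = '1 (value not set, Compatibility mode)' }
    Write-Host "$dc : StrongCertificateBindingEnforcement = $mode"

    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $eventFilter -ErrorAction Stop
    } catch {
        # Get-WinEvent reports "No events were found" as an error; treat that as a clean result.
        Write-Host "$dc : no weak-mapping events in the last $Hours hours ($($_.Exception.Message))"
        continue
    }

    $events | Group-Object Id | ForEach-Object {
        Write-Host ("{0} : event {1} seen {2} time(s)" -f $dc, $_.Name, $_.Count)
    }

    # The message body names the account, certificate subject, issuer, serial number and
    # thumbprint, which is exactly what the manual mapping step under Mitigation needs.
    $events | Select-Object @{ n = 'DC'; e = { $dc } }, TimeCreated, Id, Message
}
```

Run it from an admin workstation with `.\Find-WeakCertMappings.ps1 -Hours 72` (the file name is arbitrary). A DC that shows mode 1 and a steady stream of event 39 for NPS or RRAS machine certificates is the situation this post is about; a DC reporting mode 0 has already had the hardening turned off by someone, which is worth knowing before you decide how to proceed.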
Mitigation
If the patches have not been applied against DCs in your environment:
- Weigh the risk of a critical service outage against the exposure to these actively exploited vulnerabilities, and get management to sign off on the decision.
- Depending on circumstances, waiting for Microsoft to develop an out-of-band fix may be an acceptable risk.
- Deferring leaves your DCs exposed to every vulnerability fixed in the May update, not only the certificate-related ones.
If the patches have been applied to your DCs:
- Microsoft's preferred mitigation is for administrators to manually map the affected certificates to their machine accounts in AD (the altSecurityIdentities attribute). The KB also documents registry-based fallbacks, but those weaken the hardening the update introduced.
- See the Microsoft KB below for troubleshooting guidance on DC authentication issues caused by the May 10 updates.
- Apply the updates to all non-DC Windows servers and endpoints in the environment. At present the known issue occurs only when the updates are installed on a DC.
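The manual mapping that Microsoft recommends is fiddly to type by hand, because the KB's strong Issuer+SerialNumber format writes the issuer's RDNs in reverse order and the serial number byte-reversed. The script below is an added example (not the original post's code, and not Microsoft's): it takes a `.cer` export of the certificate that is failing, builds the `X509:<I>issuer<SR>serial` string in the format KB5014754 documents, and adds it to the computer account's altSecurityIdentities. It assumes the RSAT ActiveDirectory module, write access to that attribute, and that the account being mapped is the computer object the certificate belongs to; the script and parameter names are illustrative.

```powershell
# Added example (not from the original post or from KB5014754): build a strong
# Issuer+SerialNumber certificate mapping and add it to a computer account.
# Assumptions: RSAT ActiveDirectory module, rights to modify altSecurityIdentities,
# and a .cer export of the machine certificate that fails (e.g. copied from the NPS host).
param(
    [Parameter(Mandatory)] [string]$CertificatePath,
    [Parameter(Mandatory)] [string]$ComputerName,   # sAMAccountName without the trailing $
    [switch]$Apply                                  # without -Apply the script only prints the mapping
)

function New-IssuerSerialMapping {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # KB5014754 writes the issuer with its RDNs reversed and without spaces, e.g.
    # "CN=CONTOSO-DC-CA, DC=contoso, DC=com" becomes "DC=com,DC=contoso,CN=CONTOSO-DC-CA".
    # Format($true) yields one RDN per line, so commas inside attribute values are not split.
    $rdns = @($Cert.IssuerName.Format($true) -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    [array]::Reverse($rdns)
    $issuer = $rdns -join ','

    # The serial number is written byte-reversed, e.g.
    # "2B0000000011AC0000000012" becomes "1200000000AC11000000002B".
    $bytes = @([regex]::Matches($Cert.SerialNumber, '..') | ForEach-Object { $_.Value })
    [array]::Reverse($bytes)
    $serial = -join $bytes

    return "X509:<I>$issuer<SR>$serial"
}

$cert    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertificatePath)
$mapping = New-IssuerSerialMapping -Cert $cert
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Mapping : $mapping"

$computer = Get-ADComputer -Identity $ComputerName -Properties altSecurityIdentities
if ($computer.altSecurityIdentities -contains $mapping) {
    Write-Host "$ComputerName already carries this mapping; nothing to do."
} elseif ($Apply) {
    # -Add appends to the multi-valued attribute, so mappings for other certificates stay intact.
    Set-ADComputer -Identity $computer -Add @{ altSecurityIdentities = $mapping }
    Write-Host "Mapping added to $ComputerName. Re-test the client and watch the DC System log."
} else {
    Write-Host "Dry run only. Re-run with -Apply to write the mapping to $ComputerName."
}
```

Run it once without `-Apply` and compare the printed issuer and serial against the certificate as shown in the DC's event log before writing anything. Because an `<I><SR>` mapping is pinned to one certificate, it has to be updated when that certificate is renewed; the KB also lists `<SKI>` and `<SHA1-PUKEY>` as strong mapping forms if you prefer to key on the subject key identifier or public key instead.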
Resources
- CISA Advisory Warning of Auth Issues
  https://www.cisa.gov/uscert/ncas/current-activity/2022/05/13/cisa-temporarily-removes-cve-2022-26925-known-exploited
- Microsoft KB Article Discussing Troubleshooting Steps
  https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
- BleepingComputer Article about the issue
  https://www.bleepingcomputer.com/news/security/cisa-warns-not-to-install-may-windows-updates-on-domain-controllers/