By security practitioners, for security practitioners innovate | novacoast federal | novaSOC | novacoast
By security practitioners, for security practitioners

May 2022 Windows Patches Could Cause Auth Issues On Domain Controllers

MAY 19, 2022 16:36 GMT

Proceed with caution before patching Domain Controllers in your environment with Microsoft’s May 10 updates.

There are reports of authentication issues after applying the most recent Windows patches to Domain Controllers (DCs) in Microsoft Active Directory environments. At this point, Microsoft still highly recommends applying these patches against Windows machines that are not acting as DCs.

Details

After applying Microsoft’s May 10th updates on a DC, authentication failures are possible on either the client or server for many services. This appears to be a result of changes to the way certificate-based auth occurs in AD to address CVE-2022-26931 and CVE-2022-26923.

CISA provides the following non-exhaustive list of impacted services in their advisory:  

  • Network Policy Server (NPS)
  • Routing and Remote access Service (RRAS)
  • Radius, Extensible Authentication Protocol (EAP)
  • Protected Extensible Authentication Protocol (PEAP) 

As a result, CISA removed CVE-2022-26925 from their catalog of Known and Exploited Vulnerabilities. This is despite CVE-2022-26925 being a critical PetitPotam NTLM Relay attack that could allow for an unauthenticated attacker to compromise the entire AD Domain. There are reports this vulnerability is under active exploit in the wild.

Mitigation

If the patches have not been applied against DCs in your environment:

  • Weigh the risks of critical service interruption against exposure to these critical vulnerabilities with management.
  • Depending on circumstances, waiting for Microsoft to develop an out of band patch may be an acceptable risk.
  • This will leave your DC susceptible to all vulnerabilities patched in May.

If the patches have been applied to your DCs:

  • Microsoft provides steps for administrators to manually map certificates to machine accounts in AD.
  • See Microsoft KB below with advice to troubleshoot DC authentication issues resulting from May 10th patches being applied to a DC.
  • Apply all patches against non-DCs (Windows Servers and Endpoints) within the environments. Currently, there is no known issue except when these patches are applied to DCs. 

Resources

  1. CISA Advisory Warning of Auth Issues
    https://www.cisa.gov/uscert/ncas/current-activity/2022/05/13/cisa-temporarily-removes-cve-2022-26925-known-exploited
  2. Microsoft KB Article Discussing Troubleshooting Steps
    https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
  3. BleepingComputer Article about issue
    https://www.bleepingcomputer.com/news/security/cisa-warns-not-to-install-may-windows-updates-on-domain-controllers/
Previous Post

CISA Advises Urgent Priority For Patching of New VMware Vulnerabilities

Next Post

Weekly Top Ten Cybersecurity Stories – 5.20.2022

Innovate uses cookies to give you the best online experience. If you continue to use this site, you agree to the use of cookies. Please see our privacy policy for details.