CISA 'temporarily' removes Windows vulnerability from its must-patch list

May 16, 2022 Hi-network.com

The US Cybersecurity and Infrastructure Security Agency (CISA) has taken the unusual step of removing a bug from its catalog of vulnerabilities that are known to be exploited, and which federal civilian agencies are required to patch within a certain timeframe.  

CISA said it is "temporarily removing" Microsoft's May 2022 fix for the security bug CVE-2022-26925 from its Known Exploited Vulnerability Catalog. It said after admins apply Microsoft's May 10, 2022 rollup security fixes to Windows Servers that are used as domain controllers, there is a risk of authentication failures. CISA removed the vulnerability from its must-patch list on Friday. 

"Microsoft notified CISA of this issue, which is related to how the mapping of certificates to machine accounts is being handled by the domain controller," it said.

"After installing May 10, 2022 rollup update on domain controllers, organizations might experience authentication failures on the server or client for services, such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP)," CISA explained.

This issue only affects the update on Windows Servers used as domain controllers. CISA is still strongly encouraging admins to apply Microsoft's May updates on client Windows devices and non-domain controller Windows Servers.  

Microsoft describes CVE-2022-26925 as a Local Security Authority (LSA) Spoofing vulnerability. LSA allows applications to authenticate and log users on to a local system. Details of the bug have been publicly disclosed and exploits exist for it, according to Microsoft.  

"An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it," Microsoft says. 

The bug would have a severity score of 9.8 when it is chained with NTLM Relay Attacks on Active Directory Certificate Services (AD CS), Microsoft adds. 

The company noted the May 10, 2022 update addresses the vulnerability on all servers but urged admins to prioritize the update of domain controllers.

CISA referred admins to Microsoft's document KB5014754, which details "certificate-based authentication changes on Windows domain controllers" concerning the May 10 updates for CVE-2022-26931 and CVE-2022-26923. These address an elevation of privilege vulnerability that can occur when the Kerberos Key Distribution Center (KDC) is servicing a certificate-based authentication request, according to Microsoft.

"Before the May 10, 2022 security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name. This allowed related certificates to be emulated (spoofed) in various ways," Microsoft says. 
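The mapping weakness Microsoft describes above, modelled as an added illustration that is not code from the article, CISA or Microsoft: a legacy matcher that ignores a trailing dollar sign accepts a certificate issued for the name `DC01` as if it belonged to the machine account `DC01$`, while a strict matcher does not. The account names, SIDs and the `mapped_sid` field are constructed samples; the strict matcher is a simplified model of "strong" mapping, not Microsoft's implementation.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Account:
    sam_account_name: str   # "alice" for a user, "DC01$" for a machine account
    sid: str                # constructed sample SID, not a real one


@dataclass(frozen=True)
class Certificate:
    subject_name: str                 # name the issuing CA placed in the certificate
    mapped_sid: Optional[str] = None  # explicit account binding, if the CA recorded one


# Constructed sample directory: one domain controller machine account, one user.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("DC01$", "S-1-5-21-1-1-1-1000"),
    Account("alice", "S-1-5-21-1-1-1-1101"),
]


def legacy_map(cert: Certificate, accounts: List[Account]) -> Optional[Account]:
    """Pre-update behaviour as the article describes it: the trailing '$'
    of a machine name is not accounted for, so 'DC01' and 'DC01$' collide."""
    wanted = cert.subject_name.rstrip("$").lower()
    for acct in accounts:
        if acct.sam_account_name.rstrip("$").lower() == wanted:
            return acct
    return None


def strict_map(cert: Certificate, accounts: List[Account]) -> Optional[Account]:
    """Hardened model: the full name must match exactly ('$' included), and
    if the certificate carries an explicit SID binding it must agree too."""
    for acct in accounts:
        if acct.sam_account_name.lower() != cert.subject_name.lower():
            continue
        if cert.mapped_sid is not None and cert.mapped_sid != acct.sid:
            return None   # name matches but the bound identity does not
        return acct
    return None


def spoof_accepted(subject_name: str, mapper) -> bool:
    """True if a certificate bearing only `subject_name` maps to a machine account."""
    acct = mapper(Certificate(subject_name), SAMPLE_ACCOUNTS)
    return acct is not None and acct.sam_account_name.endswith("$")
```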
