The US Cybersecurity and Infrastructure Security Agency (CISA) has taken the unusual step of removing a bug from its catalog of vulnerabilities that are known to be exploited, and which federal civilian agencies are required to patch within a certain timeframe.
CISA said it is “temporarily removing” Microsoft’s May 2022 fix for the security bug CVE-2022-26925 from its Known Exploited Vulnerability Catalog. It said after admins apply Microsoft’s May 10, 2022 rollup security fixes to Windows Servers that are used as domain controllers, there is a risk of authentication failures. CISA removed the vulnerability from its must-patch list on Friday.
“Microsoft notified CISA of this issue, which is related to how the mapping of certificates to machine accounts is being handled by the domain controller,” it said.
“After installing May 10, 2022 rollup update on domain controllers, organizations might experience authentication failures on the server or client for services, such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP),” CISA explained.
This issue only affects the update on Windows Servers used as domain controllers. CISA is still strongly encouraging admins to apply Microsoft’s May updates on client Windows devices and non-domain controller Windows Servers.
Microsoft describes CVE-2022-26925 as a Local Security Authority (LSA) Spoofing vulnerability. LSA allows applications to authenticate and log users on to a local system. Details of the bug have been publicly disclosed and exploits exist for it, according to Microsoft.
“An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it,” Microsoft says.
The bug would have a severity score of 9.8 when it is chained with NTLM Relay Attacks on Active Directory Certificate Services (AD CS), Microsoft adds.
The company noted the May 10, 2022 update addresses the vulnerability on all servers but urged admins to prioritize the update of domain controllers.
CISA referred admins to Microsoft’s document KB5014754, which detail “certificate-based authentication changes on Windows domain controllers” concerning the May 10 updates for CVE-2022-26931 and CVE-2022-26923. These were an elevation of privilege vulnerability that can happen when the Kerberos Distribution Center (KDC) is servicing a certificate-based authentication request, according to Microsoft.
“Before the May 10, 2022 security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name. This allowed related certificates to be emulated (spoofed) in various ways,” Microsoft says.