CISA: Here's how to apply this key Windows patch without breaking certificate authentication
The Cybersecurity & Infrastructure Security Agency (CISA) is now advising federal agencies and others to patch a Windows flaw from Microsoft's May Patch Tuesday.
CISA has re-added the Windows flaw CVE-2022-26925 to its Known Exploited Vulnerabilities (KEV) Catalog and has told federal agencies to patch it by 22 July.
Windows 11
The bug is in Windows Local Security Authority (LSA), which "contains a spoofing vulnerability where an attacker can coerce the domain controller to authenticate to the attacker using NTLM."
SEE: Best Windows laptop 2022: Top notebooks compared
NTLM or NT Lan Manager (NTLM) is a legacy Microsoft authentication protocol for Active Directory that was implemented in Windows 2000. LSA allows applications to authenticate and log users on to a local system.
CISA on May 15 temporarily removed CVE-2022-26925 from the KEV catalog because of login issues customers faced after applying the update on Windows Servers used as domain controllers, that is, Windows servers used for user authentication.
Besides potentially breaking logins for users at many federal agencies, it's also a complicated fix to roll out.
CISA on July 1 noted in separate guidance for applying the patch for CVE-2022-26925 that it contains fixes for two related flaws addressed in the May Patch Tuesday update: CVE-2022-26923, an Active Directory domain services elevation of privilege flaw; and CVE-2022-26931, a Windows Kerberos elevation of privilege vulnerability. (Kerberos is the successor to NTLM for authentication in Active Directory.)
But as CISA explains, these updates caused logins failures at "many federal agencies" that use Personal Identity Verification (PIV)/Common Access Card (CAC) certificates for authentication. The breakage stems from Active Directory -- after the May 2022 update, it looks for "strong mapping between the certificate and account".
To avoid these login issues, CISA now recommends following its steps for setting two registry keys on domain controllers.
The registry key settings allow admins to control whether the domain controller is in "Compatibility Mode" or "Full Enforcement Mode".
Microsoft explains the reason for tighter checks on certificates in Compatibility Mode is that, prior to the May 2022 security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name, allowing for spoofing attacks.
Applying the May 2022 security update puts devices in Compatibility Mode. And next year, on May 9, 2023, Microsoft will update all devices to Full Enforcement Mode if they are not already in it.
"Once you have installed the May 10, 2022 Windows updates, devices will be in Compatibility mode. If a certificate can be strongly mapped to a user, authentication will occur as expected. If a certificate can only be weakly mapped to a user, authentication will occur as expected," Microsoft explains in an FAQ.
"However, a warning message will be logged unless the certificate is older than the user. If the certificate is older than the user and Certificate Backdating registry key is not present or the range is outside the backdating compensation, authentication will fail, and an error message will be logged. If the Certificate Backdating registry key is configured, it will log a warning message in the event log if the dates falls within the backdating compensation.
"After you install the May 10, 2022 Windows updates, watch for any warning message that might appear after a month or more. If there are no warning messages, we strongly recommend that you enable Full Enforcement mode on all domain controllers using certificate-based authentication. You can use the KDC registry key to enable Full Enforcement mode."
SEE: Cloud computing security: Five things you are probably doing wrong
But CISA says agencies should not migrate to strong certificate-user mapping yet, partly because it could conflict with some valid use cases in the Federal PKI ecosystem. CISA says it is in discussions with Microsoft to find a less disruptive solution.
CISA says that Microsoft pushing Windows Server devices to 'Full Enforcement' mode in May 2023 "will break authentication if agencies have not created a strong mapping or added SIDs to certificates."
"CISA and the interagency working group are in active discussions with Microsoft for an improved path forward. At this time, CISA does not recommend agencies pursue migration to a strong mapping," CISA says.