The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has removed a Windows security flaw from its catalog of known exploited vulnerabilities due to Active Directory (AD) authentication issues caused by the May 2022 updates that patch it.
This security bug is an actively exploited Windows LSA spoofing zero-day tracked as CVE-2022-26925, confirmed as a new PetitPotam Windows NTLM Relay attack vector.
Unauthenticated attackers abuse CVE-2022-26925 to force domain controllers to authenticate them remotely via the Windows NT LAN Manager (NTLM) security protocol and, likely, gain control over the entire Windows domain.
May 2022 security updates and AD Auth issues
Microsoft patched it together with 74 other security flaws (two of them also zero-days) as part of the security patches issued on the May 2022 Patch Tuesday.
However, the patches for two elevation of privilege vulnerabilities in Windows Kerberos and Active Directory Domain Services (tracked as CVE-2022-26931 and CVE-2022-26923) also cause service authentication problems when deployed on Windows Server domain controllers.
Before the flaw was removed from the Known Exploited Vulnerabilities Catalog, all Federal Civilian Executive Branch (FCEB) agencies were required to apply the security updates within three weeks (by June 1, 2022), according to the BOD 22-01 binding operational directive issued in November 2021.
Since Microsoft no longer provides separate installers for each security issue it addresses on Patch Tuesday, admins cannot install only the update for the new PetitPotam attack vector; installing this month’s security updates on a domain controller therefore also triggers the AD auth issues.
As CISA noted, “installation of updates released May 10, 2022, on client Windows devices and non-domain controller Windows Servers will not cause this issue and is still strongly encouraged.”
“This issue only affects May 10, 2022 updates installed on servers used as domain controllers. Organizations should continue to apply updates to client Windows devices and non-domain controller Windows Servers,” the cybersecurity agency added.
Workaround available for auth problems
Until Microsoft issues an official update to address the AD auth issues caused by installing this month’s security updates, the company recommends manually mapping certificates to a machine account in Active Directory.
“If the preferred mitigation will not work in your environment, please see ‘KB5014754—Certificate-based authentication changes on Windows domain controllers’ for other possible mitigations in the SChannel registry key section,” the company said.
“Any other mitigation except the preferred mitigations might lower or disable security hardening.”
However, Windows admins have shared with BleepingComputer other methods to restore authentication for users impacted by this known issue.
One of them says that the only way they could get some users to log in after installing the May 2022 Windows update was to disable the StrongCertificateBindingEnforcement key by setting it to 0.
If the value is not present in the registry on your systems, you can create it as a REG_DWORD and set it to 0 to disable the strong certificate mapping check (Microsoft does not recommend this, but in some environments it is the only way to let all users log in).
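As an added example (not code from the article, the admins it quotes, or Microsoft), the PowerShell below audits the StrongCertificateBindingEnforcement value on every domain controller so that a defender can see where the workaround has lowered hardening, and it can apply or revert the setting when an outage forces the change. It assumes the ActiveDirectory module and WinRM access to each DC. The registry location (HKLM\SYSTEM\CurrentControlSet\Services\Kdc) and the meaning of the values 1 and 2 are taken from Microsoft’s KB5014754, which the article references; the article itself only states that 0 disables the check.

```powershell
# Added example, not from the BleepingComputer article or from Microsoft.
# Registry location per KB5014754 (referenced in the article); assumed correct for the May 2022 updates.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'StrongCertificateBindingEnforcement'

# Read the current value on each DC; returns $null where the value has not been created.
function Get-KdcBindingEnforcement {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Key, $Name)
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            Value            = if ($null -eq $item) { $null } else { $item.$Name }
        }
    } -ArgumentList $KdcKey, $ValueName
}

# Create the REG_DWORD if missing, otherwise update it. 0 = disabled (the workaround from the article),
# 1 = compatibility mode, 2 = full enforcement (values 1 and 2 per KB5014754).
function Set-KdcBindingEnforcement {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Setting
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Key, $Name, $Data)
        if (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue) {
            Set-ItemProperty -Path $Key -Name $Name -Value $Data -Type DWord
        } else {
            New-ItemProperty -Path $Key -Name $Name -Value $Data -PropertyType DWord | Out-Null
        }
    } -ArgumentList $KdcKey, $ValueName, $Data
}

# Translate the raw value into a hardening state for the report.
function Describe-KdcBindingEnforcement {
    param($Value)
    if ($null -eq $Value) { return 'not set (update-level default applies)' }
    if ($Value -eq 0)     { return 'DISABLED: strong certificate mapping check off, KB5014754 hardening lowered' }
    if ($Value -eq 1)     { return 'compatibility mode (per KB5014754)' }
    if ($Value -eq 2)     { return 'full enforcement (per KB5014754)' }
    return "unexpected value $Value"
}

# Audit every DC in the domain and flag the ones running with the check disabled.
$dcs    = (Get-ADDomainController -Filter *).HostName
$report = Get-KdcBindingEnforcement -ComputerName $dcs
foreach ($entry in $report) {
    '{0}: {1}' -f $entry.DomainController, (Describe-KdcBindingEnforcement $entry.Value)
}

# Only if certificate-based logons are failing and the preferred manual certificate mapping is not
# an option; revert with -Setting 1 once mappings are in place so the hardening is restored.
# Set-KdcBindingEnforcement -ComputerName $dcs -Setting 0
```

Run the audit portion on a schedule so that any DC left at 0 after the mapping work is finished shows up as a hardening regression rather than being forgotten; the set function is deliberately left as a commented call so that lowering enforcement is an explicit operator decision.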