CISA: Do not install May Windows Patch Tuesday updates on domain controllers

Microsoft has fixed a Windows Local Security Authority (LSA) spoofing vulnerability tracked as CVE-2022-26925 with its latest Patch Tuesday updates. The high-severity flaw allowed unauthenticated attackers to call a method anonymously and force the domain controller (DC) to authenticate to them via NTLM. In the worst case, this could result in an escalation of privileges and an attacker taking control of your entire domain.

Detailing this vulnerability is important because the United States Cybersecurity and Infrastructure Security Agency (CISA) had instructed Federal Civilian Executive Branch (FCEB) agencies to install these updates within three weeks to protect against this attack surface and others. However, it has now removed this requirement because the latest Patch Tuesday updates also cause authentication issues when installed on domain controllers, which we discussed earlier.

These issues are mainly caused by two patches for Windows Kerberos and Active Directory Domain Services, tracked as CVE-2022-26931 and CVE-2022-26923, respectively. And since it’s not possible to choose which patches you want to install, CISA no longer encourages IT admins to install May Patch Tuesday on DCs. A note on the announcement reads:

Installing updates released on May 10, 2022 on client Windows devices and non-domain controller Windows servers will not cause this issue and is still strongly encouraged. This issue only affects May 10, 2022 updates installed on servers used as domain controllers. Organizations should continue to apply updates to client Windows devices and non-domain controller Windows servers.

For now, Microsoft has provided a workaround, which is to manually map the certificates. The company also strongly emphasized that applying any other mitigations can negatively affect your organization’s security posture.

Since CISA has discouraged the FCEB from fully installing the May Patch Tuesday update on Windows Server DCs, Microsoft will likely want to release a more permanent fix as soon as possible.

Source: CISA via BleepingComputer