[German]US CERT CISA (Cybersecurity & Infrastructure Security Agency) has temporarily removed vulnerability CVE-2022-26925 from its Known Exploited Vulnerabilities catalog and warns US organizations not to install the May 2022 updates for Windows on machines that act as domain controllers. This is in response to authentication issues related to the updates and DCs.
Advertising
The CISA warning
The Cybersecurity & Infrastructure Security Agency (US-CERT CISA) warning is found in the following tweet dated May 14, 2022 (brought to my attention here) and can be read in detail in this post. The statement:
CISA is temporarily removing CVE-2022-26925 from its Known Exploited Vulnerability Catalog due to a risk of authentication failures when the May 10, 2022 Microsoft rollup update is applied to domain controllers. After installing May 10, 2022 rollup update on domain controllers, organizations might experience authentication failures on the server or client for services, such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).
CISA does not specify a single update, but all Windows servers in support that act as domain controllers are affected. Microsoft has notified CISA of this issue with mapping certificates to computer accounts on domain controllers. However, installation of the same May 10, 2022 Windows updates is strongly recommended for clients and Windows servers that are not domain controllers. There, the certificate problem does not exist.
The background
As of May 10, 2022, Microsoft has released security updates for all supported versions of Windows (clients and servers) to close the Windows LSA spoofing vulnerability CVE-2022-26925. hrough this vulnerability, an unauthenticated attacker could invoke a method of the LSARPC interface and force domain controllers to authenticate to the attacker using NTLM. The vulnerability has received a CVSS score of 9.8, so it is quite critical. Microsoft recommends prioritizing domain controller updates in the article on CVE-2022-26925.
I had listed the released updates among others in the blog post Microsoft has fixed the (PetitPotam) NTLM Relay Vulnerability (CVE-2022-26925) with Windows May 2022 Update and also described more details about the vulnerability there. The problem with this approach is that the updates cause authentication failures (certificate errors) when clients or servers try to log into the respective domain controller. I had addressed this in the blog post Windows May 2022 Updates Cause AD Authentication Failure (Server, Client).
Advertising
Microsoft has confirmed the error and is working on a fix (see You might see authentication failures on the server or client for services). A suggested workaround is to manually assign certificates to a machine account in Active Directory. Microsoft has also published ADV210003 Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) to protect systems from such attacks. There is also support article KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) on the topic. If the preferred workaround does not work in your environment, see KB5014754—Certificate-based authentication changes on Windows domain controllers for other mitigations in the section about SChannel registry key.
While Microsoft does not recommend uninstalling the update, CISA has now temporarily removed the vulnerability to be closed from the list of known vulnerabilities. This means that administrators do not need to install this update on Windows domain controllers for the time being because of the flaws.
Addendum: Just in case, I've listet the May 2022 security updates for Windows within the blog post Microsoft has fixed the (PetitPotam) NTLM Relay Vulnerability (CVE-2022-26925) with Windows May 2022 Update. Just check the server relevant updates you have to avoid.
Similar articles:
Microsoft Office Updates (May 3, 2022)
Microsoft Security Update Summary (May 10, 2022)
Patchday: Windows 10-Updates (May 10, 2022)
Patchday: Windows 11/Server 2022-Updates (May 10, 2022)
Windows 7/Server 2008R2; Windows 8.1/Server 2012R2: Updates (May 10, 2022)
Patchday: Microsoft Office Updates (May 10, 2022)
Windows, Office: May 2022 Patchday issues and mysteries
Windows May 2022 Updates Cause AD Authentication Failure (Server, Client)
Microsoft has fixed the (PetitPotam) NTLM Relay Vulnerability (CVE-2022-26925) with Windows May 2022 Update
Windows 11: Update KB5013943 results in application error 0xc0000135
MS-Patchday wrap-up: Issues with April 2022 updates
Windows Server 2022: RDS bug (RDCB role broken) caused by KB5011497, not fixed in May 2022
Windows Update KB5012599: Microsoft plans fix for install error 0x8024200B and 0x800F0831
Windows 11: Update KB5013943 results in application error 0xc0000135
