Another small addendum to the November 2022 patchday. With the security updates of November 8, 2022, Microsoft has also initiated a gradual change to the Netlogon and Kerberos protocols. The whole thing will be carried out in several stages until October 2023. The reason is three vulnerabilities (CVE-2022-38023 and CVE-2022-37967) in Windows 8.1 to Windows 11 and the server counterparts. Administrators must react accordingly to ensure that these changes are taken into account in network communication. Addendum: Microsoft has released an out-of-band update to fix the issue – see Out-of-band updates fixes Kerberos authentication issues on DCs (Nov. 17, 2022).
Vulnerabilities in Windows
The November 8, 2022 Windows updates also address vulnerabilities related to security bypass and elevation of privilege through Privilege Attribute Certificate (PAC) signatures. The security updates in question address Kerberos vulnerabilities where an attacker can digitally alter PAC signatures to elevate privileges. The following Windows versions are affected:
- Windows 8.1
- Windows RT 8.1
- Windows Server 2012
- Windows Server 2012 R2
- Windows 10 Version RTM to 22H2
- Windows 11 Version 22H1 – 22H2
- Windows Server 2016 – 2022
- Windows Server 2022 Azure Stack HCI Version 22H2
- Windows 11 SE Version 21H2
The CVEs listed above refer partly to Windows clients and servers, and partly to Windows servers only. Microsoft has published the following support articles on this:
- KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967
- KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023
- KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966
Which Windows versions are affected by which CVE can be found in the KB articles linked above.
Microsoft writes that the affected Windows updates must be installed on all devices, including Windows domain controllers, to protect your environment. It is important to note that all domain controllers in a domain must be updated first; only then may you switch to enforcement mode via the update. Microsoft suggests the following procedure:
- Update the Windows domain controllers with a Windows update that was released on or after November 8, 2022.
- Put the Windows domain controllers into audit mode by using the registry entries here.
- Monitor the events that are stored in audit mode to secure your environment.
- Enable enforcement mode to fix CVE-2022-37967 in your environment.
By default, Step 1 does not fix the security issues in CVE-2022-37967 for Windows devices. To fully mitigate the security issue for all devices, you must enter audit mode (as described in Step 2) and then enforcement mode (as described in Step 4) on all Windows domain controllers as soon as possible. In Step 2, the following registry key is modified:
by adding the DWORD value KrbtgtFullPacSignature. The value can take the following states:
- 0 – Disabled
- 1 – New signatures are added, but not verified. (Default setting)
- 2 – Audit mode. New signatures are added, and verified if present. If the signature is either missing or invalid, authentication is allowed and audit logs are created.
- 3 – Enforcement mode. New signatures are added, and verified if present. If the signature is either missing or invalid, authentication is denied and audit logs are created.
Starting in July 2023, enforcement mode will be enabled on all Windows domain controllers, blocking vulnerable connections from non-compliant devices. At that time, you can no longer disable the update, but you can switch back to the audit mode setting. Audit mode will be removed in October 2023, as described in the Timeline of updates to address Kerberos vulnerability CVE-2022-37967.
Microsoft is using a staged rollout to mitigate the security issues in CVE-2022-37967 for Windows devices. Here are the dates:
- November 8, 2022 – First deployment phase
- December 13, 2022 – Second deployment phase
- April 11, 2023 – Third deployment phase
- July 11, 2023 – First Enforcement Phase
- October 10, 2023 – Full Enforcement Phase
Details and registry entries can be found in the three KB articles linked above.
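To track the staged rollout across a domain, the following PowerShell script, added here as an example and not taken from the post or from Microsoft's KB articles, reads KrbtgtFullPacSignature on every domain controller and reports the rollout stage each DC is in. The registry key path is not reproduced in this post; it must be taken from KB5020805 and supplied via the assumed -KdcRegistryPath parameter. DC names come from Get-ADDomainController, so the script assumes the ActiveDirectory module and WinRM access to the DCs.

```powershell
# Added example, not from the post or from Microsoft's KB articles.
# Reports the KrbtgtFullPacSignature rollout stage of every domain controller.
# The KDC registry key path is not given in the post: take it from KB5020805.
param(
    # PLACEHOLDER: registry key path from KB5020805, in HKLM:\ drive notation
    [string]$KdcRegistryPath = 'HKLM:\<KDC key path from KB5020805>',
    [string]$ValueName = 'KrbtgtFullPacSignature'
)

# Meaning of each value, as listed in the post
$ModeNames = @{
    0 = 'Disabled'
    1 = 'Signatures added, not verified (default)'
    2 = 'Audit mode'
    3 = 'Enforcement mode'
}

function Get-PacSignatureMode {
    param([string[]]$ComputerName, [string]$Path, [string]$Name)
    # Read the DWORD remotely; a missing value is reported as $null
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Path, $Name -ScriptBlock {
        param($Path, $Name)
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        $value = $null
        if ($null -ne $item) { $value = [int]$item.$Name }
        [pscustomobject]@{ DC = $env:COMPUTERNAME; Value = $value }
    }
}

# All DCs of the current domain; the post stresses that every DC must be updated first
$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($r in Get-PacSignatureMode -ComputerName $dcs -Path $KdcRegistryPath -Name $ValueName) {
    $mode = if ($null -eq $r.Value) { 'Not set (default, equivalent to 1)' } else { $ModeNames[$r.Value] }
    [pscustomobject]@{
        DC             = $r.DC
        Value          = $r.Value
        Mode           = $mode
        AuditOrEnforce = ($null -ne $r.Value) -and ($r.Value -ge 2)   # Step 2 or Step 4 reached
    }
}

$report | Sort-Object AuditOrEnforce, DC | Format-Table -AutoSize

# DCs that are still at the default: enforcement must not be switched on anywhere
# until every DC carries the November 8, 2022 (or later) update and has been through audit mode.
$lagging = @($report | Where-Object { -not $_.AuditOrEnforce })
if ($lagging.Count -gt 0) {
    Write-Warning ('{0} DC(s) not yet in audit/enforcement mode: {1}' -f $lagging.Count, ($lagging.DC -join ', '))
}
```

Run it from a management host before each phase; a DC listed in the warning has not yet been moved past the default value 1, so its audit events (Step 3) cannot be reviewed yet and enforcement would be premature.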
Stop: Issues with gMSA and KDC
A German blog reader contacted me by e-mail and pointed me to the following Twitter post, where these issues are addressed.
Kerberos pre-authentication fails because the Kerberos DC has no support for the encryption type. This only occurs if the msDS-SupportedEncryptionTypes attribute is set. The supported encryption-type flags are documented here.
Fabian Bader gives more hints in a follow-up tweet (see above), and there is a larger discussion.
Test script to identify AD objects
# Objects where RC4-HMAC (4) is not set but AES256 (16) or AES128 (8) is; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule
Get-ADObject -LDAPFilter "(&(!(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=4))(|(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=16)(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=8)))" -Properties msDS-SupportedEncryptionTypes | Select-Object DistinguishedName, msDS-SupportedEncryptionTypes
He writes about this: Setting it to 28 (RC4+AES128+AES256) may be a workaround, but test this or hold off on patching. Anyone else with this problem?
Addendum: See the comment below noting that the detection query in the script above should have 16 instead of 6. The author of the original script has fixed that, and I've amended the code above as well.
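To see what the filter above actually matches, here is an added PowerShell example (not the post's own code and not Fabian Bader's script) that decodes the msDS-SupportedEncryptionTypes bitmask and reproduces the filter's condition client-side: RC4-HMAC (4) absent while AES128 (8) or AES256 (16) is present. The flag values are the documented ones (1 DES-CBC-CRC, 2 DES-CBC-MD5, 4 RC4-HMAC, 8 AES128, 16 AES256); the object names and values in $sample are constructed, and the commented Get-ADObject call marks where a live query would replace them.

```powershell
# Added example, not from the post or from Fabian Bader's script.
# Decodes msDS-SupportedEncryptionTypes and flags AES-only objects, i.e. the
# objects the LDAP filter in the post returns.

# Documented flag bits of msDS-SupportedEncryptionTypes
$EncTypeFlags = [ordered]@{
    'DES-CBC-CRC' = 1
    'DES-CBC-MD5' = 2
    'RC4-HMAC'    = 4
    'AES128'      = 8
    'AES256'      = 16
}

function ConvertFrom-SupportedEncryptionTypes {
    param([Nullable[int]]$Value)
    if ($null -eq $Value) { return '(not set)' }
    [string[]]$names = foreach ($kv in $EncTypeFlags.GetEnumerator()) {
        if ($Value -band $kv.Value) { $kv.Key }
    }
    # Bits above 16 are not encryption types; report them numerically rather than decoding
    $other = $Value -band (-bnot 31)
    if ($other) { $names += ('other:0x{0:X}' -f $other) }
    if ($names.Count -eq 0) { return 'none' }
    return ($names -join '+')
}

function Test-AesOnly {
    # Same condition as the LDAP filter: no RC4 bit, at least one AES bit
    param([Nullable[int]]$Value)
    if ($null -eq $Value) { return $false }
    $rc4 = ($Value -band 4) -ne 0
    $aes = ($Value -band 24) -ne 0
    return ((-not $rc4) -and $aes)
}

# Constructed sample objects (names and values invented for this example)
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=gmsa01,CN=Managed Service Accounts,DC=example,DC=test'; 'msDS-SupportedEncryptionTypes' = 24 }
    [pscustomobject]@{ DistinguishedName = 'CN=srv01,OU=Servers,DC=example,DC=test';                  'msDS-SupportedEncryptionTypes' = 28 }
    [pscustomobject]@{ DistinguishedName = 'CN=legacy01,OU=Servers,DC=example,DC=test';               'msDS-SupportedEncryptionTypes' = 4 }
    [pscustomobject]@{ DistinguishedName = 'CN=ws01,OU=Workstations,DC=example,DC=test';              'msDS-SupportedEncryptionTypes' = $null }
)

# Live run: replace $sample with every object that has the attribute set
# $objects = Get-ADObject -LDAPFilter '(msDS-SupportedEncryptionTypes=*)' -Properties msDS-SupportedEncryptionTypes
$objects = $sample

$objects | ForEach-Object {
    $v = $_.'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        DistinguishedName = $_.DistinguishedName
        Value             = $v
        Decoded           = ConvertFrom-SupportedEncryptionTypes $v
        AesOnly           = Test-AesOnly $v
    }
} | Format-Table -AutoSize
```

On the constructed data, gmsa01 with value 24 (AES128+AES256) is the AES-only case Steve Syfuhs describes below and is reported with AesOnly = True; srv01 with 28 (RC4-HMAC+AES128+AES256, the workaround value mentioned above), legacy01 with 4 (RC4 only) and ws01 with the attribute unset are not.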
Microsoft investigates the problem
Meanwhile, the problem has also reached Microsoft. Microsoft employee Steve Syfuhs has already responded on Twitter and writes:
Not official guidance, but we're seeing reports where certain auths are failing when users have their msDS-SupportedEncryptionTypes attribute explicitly being set to AES only (decimal 24, hex 0x18).
We have another update to the KB pending, with official guidance and cause of the issue. More to follow.
Currently, administrators responsible for domain controllers should be cautious about installing the updates.
On reddit.com there is this mega-thread about problems (thanks to 1ST1 for the link), where you can find hints about the Kerberos problem – including integration of Red Hat Linux.
Microsoft has confirmed Kerberos authentication issues after Nov. 2022 update – see Microsoft confirms Kerberos authentication issues after Nov. 2022 updates.
Microsoft Office Updates (November 1, 2022)
Microsoft Security Update Summary (November 8, 2022)
Patchday: Windows 10-Updates (November 8, 2022)
Patchday: Windows 11/Server 2022-Updates (November 8, 2022)
Windows 7/Server 2008 R2; Windows 8.1/Server 2012 R2: Updates (November 8, 2022)
Patchday: Microsoft Office Updates (November 8, 2022)