This month's Patch Tuesday update from Microsoft included two big-news vulnerabilities, CVE-2022-26923 and CVE-2022-26931, which affected authentication security in Windows.
Although they were so-called EoP holes rather than RCE bugs (elevation of privilege, rather than the more serious problem of remote code execution), they were nevertheless rated Critical, given that the bugs applied to Active Directory (AD) and Windows Domain Controllers (DCs).
The name Domain Controller means exactly what it says: the DC is the server that oversees authentication and access control for users, computers, services and devices across an entire network domain.
An old Latin satirical poem asks harshly, "Quis custodiet ipsos custodes?" (who will guard the guards themselves?), and in the case of a Windows network, the short answer is that the guard that guards everything else is your domain controller.
In other words, an authentication bypass against your domain controller can quickly compromise almost everything on your network.
Digital certificate mishandling
Simply put, anyone already inside your network, even if they are logged in with (or have compromised) an account with minimal access rights, could use a domain controller EoP bug like this to give themselves the same sort of power that is normally reserved for your most trusted sysadmins.
Ironically, the CVE-2022-26923 and CVE-2022-26931 bugs only seem to apply if you are using digital certificates for additional authentication protection.
(These are the same sort of digital certificates that browsers and websites use to secure HTTPS connections, or that apps use to prove to the operating system that they haven't been tampered with since being approved for use.)
Apparently, adding a $ sign at the end of a computer name during authentication could cause a certificate to be mis-verified, for example by creating a devious certificate that identified the certificate holder in two different and inconsistent ways.
Even though these weren't RCE bugs; even though they weren't already known to cybercriminals; and even though attackers would need to get into your network first in order to exploit them, you can see why Microsoft would consider them Critical bugs.
One step too far
Unfortunately, the KB5014754 update went a step too far in some cases: in making it harder for fake users and programs to get where they shouldn't, Microsoft also locked out some legitimate services.
Some Windows services that authenticated with digital certificates were looked up incorrectly in the Active Directory database, and were therefore denied access when they should have been let in.
Microsoft quickly acknowledged the problem, with Elizabeth Tyler of the Detection and Response Team tweeting just two days after Patch Tuesday:
We are aware (as you can imagine). The root cause we know of is that the certificate is being mapped to a machine account in AD using the subject name instead of the subject alternative name DNSHostname on DCs with 5B installed, and we are working on it.
– Elizabeth Tyler (@SMSetyler) May 12, 2022
Apparently there was a workaround, which Microsoft formally explained in its KB5014754 article, but it involved manually updating a database entry called altSecurityIdentities in the Active Directory record of each affected service.
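The workaround described above, as an added example that is not code from the article or from Microsoft: it builds the KB5014754-style issuer-plus-serial strong mapping string from a certificate and writes it to the altSecurityIdentities attribute of the affected service's machine account. It assumes the ActiveDirectory PowerShell module is available; the certificate path and the account name NPS01$ are placeholders.

```powershell
# Added example (not from the article or from Microsoft): compute the
# X509IssuerSerialNumber strong mapping for a certificate and attach it to the
# AD machine account of the affected service via altSecurityIdentities.
Import-Module ActiveDirectory

function Get-StrongCertificateMapping {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # The mapping wants the issuer DN with its components in reverse order and
    # no spaces: "CN=CA, DC=contoso, DC=com" becomes "DC=com,DC=contoso,CN=CA".
    # (Splitting on "," misparses DNs containing escaped commas; check the output.)
    $parts = $Certificate.Issuer -split ',\s*'
    [array]::Reverse($parts)
    $issuer = $parts -join ','

    # The <SR> form stores the serial number with its bytes reversed,
    # e.g. 1200000000AC11000000002B becomes 2B0000000011AC0000000012.
    $hex = $Certificate.SerialNumber
    $reversed = -join $(for ($i = $hex.Length - 2; $i -ge 0; $i -= 2) { $hex.Substring($i, 2) })

    return "X509:<I>$issuer<SR>$reversed"
}

# Placeholder path and account name; replace with the affected service's values.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('C:\path\to\service-cert.cer')
$mapping = Get-StrongCertificateMapping -Certificate $cert
$account = 'NPS01$'   # machine account sAMAccountNames end in $

# Show what is currently mapped, then add the strong mapping
# (altSecurityIdentities is multi-valued, so -Add rather than -Replace).
Get-ADComputer -Identity $account -Properties altSecurityIdentities |
    Select-Object Name, altSecurityIdentities
Set-ADComputer -Identity $account -Add @{ altSecurityIdentities = $mapping }
```

Run it with an account permitted to write altSecurityIdentities, once per affected service and certificate.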
Elizabeth Tyler returned to Twitter today to confirm that this buggy patch has itself now been patched:
Yes, fixed May 19 and published.
CU:
WS 2022: KB5015013
WS, version 20H2: KB5015020
WS 2019: KB5015018
WS 2016: KB5015019
Standalone:
WS 2012 R2: KB5014986
WS 2012: KB5014991
WS 2008 R2 SP1: KB5014987
WS 2008 SP2: KB5014990
– Elizabeth Tyler (@SMSetyler) May 20, 2022
There is also a numbered knowledgebase article, KB5015013, that you can consult for more details.
According to KB5015013, the bug in the original patch that this out-of-band patch fixes:
- Applies only to domain controllers. Other servers and end-user computers are not affected.
- Affects authentication for only a few Windows services and protocols, e.g. Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).
Patches that need patches inevitably give our own preferred policy of patch early, patch often a bad name.
… But in this case, bear in mind that the original security hole was rated Critical; that the faulty patch did not affect all Windows authentication; that there was a workaround for those willing to use it; and that rolling back this one patch (while leaving all the other Patch Tuesday fixes in place) was an effective temporary solution.
And while it's easy to look back through rose-tinted spectacles and remember a distant past when security patches rarely needed patching, that was also a distant past when there were no security patches to begin with.
(It was also a distant past when almost any stack buffer overflow discovered in Windows was almost certainly exploitable, with almost no effort, and with almost nothing in place to stop it.)
So we'll say what we said about the latest VMware patch a few hours ago: don't delay, do it today.