CISA: Here’s How to Apply This Key Windows Patch Without Breaking Certificate Authentication


The Cybersecurity & Infrastructure Security Agency (CISA) is now advising federal and other agencies to patch a Windows flaw that Microsoft fixed in its May Patch Tuesday update.

CISA has added Windows CVE-2022-26925 to its Known Exploited Vulnerabilities (KEV) catalog and has asked federal agencies to fix it by July 22.

The bug is in Windows Local Security Authority (LSA), which “contains a spoofing vulnerability where an attacker can cause the domain controller to authenticate to the attacker using NTLM.”

NTLM (NT LAN Manager) is a legacy Microsoft authentication protocol for Active Directory that was implemented in Windows 2000. LSA allows applications to authenticate and log users into a local system.

On May 15, CISA temporarily removed CVE-2022-26925 from the KEV catalog due to connection issues experienced by customers after applying the update on Windows servers used as domain controllers, i.e. Windows servers used for user authentication.

In addition to potentially breaking connections for users at many federal agencies, it’s also a complicated solution to deploy.

On July 1, CISA noted in separate guidance for applying the patch for CVE-2022-26925 that the same May Patch Tuesday update also contains fixes for two related vulnerabilities: CVE-2022-26923, an Active Directory Domain Services elevation of privilege flaw, and CVE-2022-26931, a Windows Kerberos elevation of privilege vulnerability. (Kerberos is NTLM's successor for authentication in Active Directory.)

But as CISA explains, these updates caused login failures at "many federal agencies" that use Personal Identity Verification (PIV)/Common Access Card (CAC) certificates for authentication. The break occurs because Active Directory, after the May 2022 update, looks for "a strong mapping between certificate and account".

To avoid these connection issues, CISA now recommends following its steps to set two registry keys on domain controllers.

Registry key settings allow administrators to control whether the domain controller is in "compatibility mode" or "full enforcement mode".

Microsoft explains that the reason for the tighter certificate checks introduced with compatibility mode is that, prior to the May 2022 security update, certificate-based authentication did not account for a dollar sign ($) at the end of a machine name, which allowed spoofing attacks.

Applying the May 2022 security update puts devices in compatibility mode. And next year, on May 9, 2023, Microsoft will move all devices to full enforcement mode if they aren't there already.

"Once you install Windows 10 May 2022 Updates, devices will be in compatibility mode. If a certificate can be strongly mapped to a user, authentication will occur as expected. If a certificate can only be weakly mapped to a user, authentication will occur as expected," Microsoft explains in an FAQ.

"However, a warning message will be logged unless the certificate is older than the user. If the certificate is older than the user and the certificate backdating registry key is not present or the range is outside the backdating compensation, authentication will fail and an error message will be logged. If the certificate backdating registry key is configured, it will write a warning message to the event log if the dates are within the backdating compensation.

"After installing Windows 10 May 2022 Updates, watch for any warning messages that may appear after a month or more. If there is no warning message, we strongly recommend that you enable full enforcement mode on all domain controllers using certificate-based authentication. You can use the KDC registry key to enable full enforcement mode."
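Before deciding whether a domain controller can leave compatibility mode, an administrator would want to know which mode it is currently in and whether the warning events Microsoft describes are actually being logged. The PowerShell audit script below is an added example, not code from CISA's guidance or Microsoft's FAQ; the registry value names (StrongCertificateBindingEnforcement, CertificateBackdatingCompensation, CertificateMappingMethods) and the KDC event IDs 39, 40 and 41 are the ones Microsoft documents in KB5014754 and are not named in the article above.

```powershell
# Added example: report a domain controller's certificate-mapping enforcement
# state and tally the KDC warning events that indicate weakly mapped certificates.
# Read-only; run in an elevated session on a domain controller.
$KdcKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$SchannelKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'
$LookbackDays = 30

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent instead of throwing
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# StrongCertificateBindingEnforcement (KB5014754): 0 = disabled, 1 = compatibility, 2 = full enforcement.
# A missing value behaves like 1 after the May 2022 update.
$enforcement = Get-RegDword -Path $KdcKey -Name 'StrongCertificateBindingEnforcement'
if ($enforcement -eq 2)     { $mode = 'Full Enforcement' }
elseif ($enforcement -eq 0) { $mode = 'Disabled (strong-mapping checks off)' }
else                        { $mode = 'Compatibility (default after the May 2022 update)' }

# CertificateBackdatingCompensation: allowance, in seconds, for certificates issued before the account
$backdate   = Get-RegDword -Path $KdcKey -Name 'CertificateBackdatingCompensation'
# Schannel CertificateMappingMethods is the second key CISA's workaround touches
$mapMethods = Get-RegDword -Path $SchannelKey -Name 'CertificateMappingMethods'

Write-Host "KDC enforcement mode     : $mode"
Write-Host "Backdating compensation  : $(if ($null -eq $backdate) { 'not set' } else { "$backdate s" })"
Write-Host "Schannel mapping methods : $(if ($null -eq $mapMethods) { 'not set' } else { '0x{0:X}' -f $mapMethods })"

# Events the KDC logs in compatibility mode: 39 = certificate only weakly mapped,
# 40 = certificate predates the account, 41 = SID in certificate does not match the account.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 39, 40, 41
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

Write-Host "KDC mapping warnings in the last $LookbackDays days: $($events.Count)"
$events | Group-Object Id | ForEach-Object {
    Write-Host ('  Event {0}: {1} occurrence(s)' -f $_.Name, $_.Count)
}
if ($events.Count -gt 0) {
    Write-Host 'Weakly mapped certificates are in use; Full Enforcement would reject them until they are remapped.'
}
```

A clean run (no events over the lookback window) corresponds to the "no warning message" condition in Microsoft's FAQ, though CISA's guidance above still applies to federal PIV/CAC environments.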

But CISA says agencies shouldn’t migrate to strong certificate user mapping just yet, in part because it could conflict with some valid use cases in the federal PKI ecosystem. CISA says it is in talks with Microsoft to find a less disruptive solution.

CISA says Microsoft pushing Windows Server devices into “Full Enforcement” mode in May 2023 “will break authentication if agencies haven’t created strong mapping or added SIDs to certificates.”

"CISA and the Interagency Working Group are in active discussions with Microsoft to improve the way forward. At this time, CISA does not recommend that agencies continue the migration to strong mapping," says CISA.
