
CISA re-added CVE-2022-26925 to its list of Known Exploited Vulnerabilities this past Friday after removing it due to authentication failures caused by the May 10, 2022 Microsoft rollup update:
“After installing May 10, 2022 rollup update on domain controllers, organizations might experience authentication failures on the server or client for services, such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).”
CVE-2022-26925 is a Windows Local Security Authority (LSA) spoofing zero-day (CWE-290) that unauthenticated attackers can exploit remotely to escalate privileges and compromise the domain.
“An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM,” writes Microsoft in an advisory from May.
CVE-2022-26925 might cause feelings of déjà vu for anyone who remembers PetitPotam (CVE-2021-36942) from 2021.
According to Raphael John, the attributed discoverer of the new NTLM relay vulnerability, on Twitter: “The story behind CVE-2022-26925 is no advanced reverse engineering, but a lucky accident 😉 During my pentests in January and March I saw that PetitPotam worked against the DCs.”
While this might not be an entirely new CVE, CISA has ordered it to be patched by July 22, 2022. Regarding the authentication issues caused by the patch released by Microsoft, CISA has also released guidance on applying the patch and resolving the PIV/CAC authentication issues. The workaround involves manually setting two registry keys provided by Microsoft: one for the time range by which a certificate may predate an account, and one for the enforcement mode.
CISA also notes that the keys have been tested by “multiple agencies.”
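As an added example (not code from the original post or from CISA's guidance), the following PowerShell reads and sets the two KDC registry values on a domain controller. The registry path and value names are taken from Microsoft's KB5014754 rather than from this page, and the default years and enforcement mode are assumptions to be adjusted according to the guidance.

```powershell
# Added example: apply the KB5014754 KDC workaround on a domain controller.
# Path and value names are from Microsoft's KB5014754 (assumed, not from the post).
$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

function Get-KdcCertBindingState {
    # Returns the current values; $null means the value is absent (Microsoft default applies).
    $props = Get-ItemProperty -Path $KdcKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        StrongCertificateBindingEnforcement = $props.StrongCertificateBindingEnforcement
        CertificateBackdatingCompensation   = $props.CertificateBackdatingCompensation
    }
}

function Set-KdcCertBindingWorkaround {
    param(
        # How far a certificate may predate the account it maps to; stored in seconds.
        [ValidateRange(1, 50)] [int] $BackdateYears = 5,
        # 1 = compatibility mode (log, still allow), 2 = full enforcement, 0 = disabled.
        [ValidateSet(0, 1, 2)] [int] $EnforcementMode = 1
    )
    if (-not (Test-Path $KdcKey)) { New-Item -Path $KdcKey -Force | Out-Null }

    # Assumption: 365-day years; Microsoft's published hex constants differ slightly.
    $seconds = $BackdateYears * 365 * 86400

    Set-ItemProperty -Path $KdcKey -Name 'CertificateBackdatingCompensation' `
        -Value $seconds -Type DWord
    Set-ItemProperty -Path $KdcKey -Name 'StrongCertificateBindingEnforcement' `
        -Value $EnforcementMode -Type DWord

    # Return the resulting state so the change can be verified and logged.
    Get-KdcCertBindingState
}

# Record the state before the change, then apply the compatibility-mode workaround.
Get-KdcCertBindingState
Set-KdcCertBindingWorkaround -BackdateYears 5 -EnforcementMode 1
```

Run it on every domain controller and keep the pre-change output; compatibility mode (1) lets you watch for failing certificate mappings before moving to full enforcement (2).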
#vicarius_blog #cisa_analysis
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

