Risk Authentication failures from Patch Tuesday
CISA has issues bulletin where it is temporarily removing CVE-2022-26925 from its Known Exploited Vulnerability Catalog due to a risk of authentication failures. In some cases updates from May 10, 2022 Microsoft rollup update can cause authentication issues for domain controllers. Installation on Windows Devices and non-domain controller servers will not cause any issue and is still strongly encouraged to apply the latest patches.
After installing May 10, 2022 rollup update on domain controllers, organizations might experience authentication failures on the server or client for services, such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). Microsoft notified CISA of this issue, which is related to how the mapping of certificates to machine accounts is being handled by the domain controller.
CVE-2022-26931 and CVE-2022-26923 address an elevation of privilege vulnerability that can occur when the Kerberos Distribution Center (KDC) is servicing a certificate-based authentication request. Before the May 10, 2022 security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name. This allowed related certificates to be emulated (spoofed) in various ways. Additionally, conflicts between User Principal Names (UPN) and SAMAccountName introduced other emulation (spoofing) vulnerabilities that we also address with this security update.
To protect your environment, complete the following steps for certificate-based authentication:
- Update all servers that run Active Directory Certificate Services and Windows domain controllers that service certificate-based authentication with the May 10, 2022 update (see Compatibility Mode). The May 10, 2022 update will provide audit events that identify certificates that are not compatible with Full Enforcement Mode.
- If no audit event logs are created on domain controllers for one month after installing the update, proceed with enabling Full Enforcement Mode on all domain controllers. By May 9, 2023, all devices will be updated to Full Enforcement Mode. In this mode, if a certificate fails the strong (secure) mapping criteria (see Certificate mappings), authentication will be denied.
Once you have installed the May 10, 2022 Windows updates, devices will be in Compatibility Mode. If a certificate can be strongly mapped to a user, authentication will occur as expected. If a certificate can only be weakly mapped to a user, authentication will occur as expected. However, a warning will be logged unless the certificate is older than the user. If the certificate is older than the user, authentication will fail, and an error will be logged.
References
- https://petri.com/microsoft-may-2022-patch-tuesday-updates-ad-authentication-issues/
- https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_kdcregkey