When looking at the May 2022 Patch Tuesday today, I noticed an update that specifically addresses an LSA Spoofing vulnerability. This vulnerability is specific to Domain Controllers (in the default configuration), so this sparked my interest in the update.
About the vulnerability
A spoofing vulnerability exists in the Windows Local Security Authority (LSA). This vulnerability is described in detail in CVE-2022-26925.
To exploit this vulnerability, an unauthenticated attacker could call a method on the LSARPC interface and coerce the Domain Controller to authenticate to the attacker using NTLM. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim in order to read or modify network communications. This is commonly referred to as a Meddler-in-the-Middle (MitM) attack.
The Common Vulnerability Scoring System (CVSS) v3 score of this vulnerability is 8.1/7.1, but the combined CVSS score would be 9.8 when this vulnerability is chained with the NTLM Relay Attacks on Active Directory Certificate Services (AD CS) outlined in KB5005413.
Raphael John with Bertelsmann Printing Group responsibly disclosed this vulnerability to Microsoft.
About the update
The update detects anonymous connection attempts in LSARPC and disallows them. Additionally, Microsoft recommends following the information in ADV210003 Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) to further protect the AD CS environment.
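The ADV210003 / KB5005413 guidance that the post refers to hardens the AD CS web enrollment endpoints against relayed NTLM authentication by requiring Extended Protection for Authentication (EPA) and SSL. The following PowerShell script is an added example written for this post, not code from the original post or from Microsoft; it audits those IIS settings so you can confirm the mitigation is in place. It assumes it runs on the AD CS web enrollment server with the WebAdministration module available, and that the enrollment application lives at the installation default path "Default Web Site/CertSrv" (adjust $Applications if yours differs).

```powershell
# Added example: audit EPA and SSL settings on AD CS web enrollment (per ADV210003 / KB5005413).
# Assumptions: run on the enrollment server, WebAdministration module present,
# application path "IIS:\Sites\Default Web Site\CertSrv" (installation default).
#Requires -Modules WebAdministration
Import-Module WebAdministration

$Applications = @('IIS:\Sites\Default Web Site\CertSrv')   # add CES/NDES paths here if hosted

# Get-WebConfigurationProperty returns either a ConfigurationAttribute (with .Value)
# or a plain value depending on the attribute type; normalise to the raw value.
function Get-IisAttributeValue {
    param([string]$PSPath, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($null -ne $v.Value) { return $v.Value }
    return $v
}

function Test-AdcsWebEnrollmentHardening {
    param([string[]]$PSPath = $Applications)

    foreach ($path in $PSPath) {
        if (-not (Test-Path $path)) {
            Write-Warning "Application '$path' not found; skipping"
            continue
        }

        $winAuth = Get-IisAttributeValue -PSPath $path `
            -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name 'enabled'
        # tokenChecking is the EPA setting: None, Allow or Require. ADV210003 wants Require.
        $epa = Get-IisAttributeValue -PSPath $path `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
            -Name 'tokenChecking'
        # sslFlags is a comma-separated flag list, e.g. "Ssl,SslNegotiateCert".
        # Only the "Ssl" flag itself means SSL is required; "SslNegotiateCert" alone does not.
        $sslFlags = [string](Get-IisAttributeValue -PSPath $path `
            -Filter 'system.webServer/security/access' -Name 'sslFlags')
        $sslRequired = (($sslFlags -split ',\s*') -contains 'Ssl')

        [pscustomobject]@{
            Application        = $path
            WindowsAuthEnabled = [bool]$winAuth
            ExtendedProtection = [string]$epa
            EpaRequired        = ([string]$epa -eq 'Require')
            SslFlags           = $sslFlags
            SslRequired        = $sslRequired
            Hardened           = ([bool]$winAuth -and [string]$epa -eq 'Require' -and $sslRequired)
        }
    }
}

# Usage: run elevated on the enrollment server and review the Hardened column.
Test-AdcsWebEnrollmentHardening | Format-Table -AutoSize
```

The script only reads configuration, so it is safe to run as part of a change-verification step. It covers the IIS-level settings for the CA Web Enrollment role; the Certificate Enrollment Web Service stores its EPA policy in the application's web.config, and disabling NTLM on AD CS servers (the other ADV210003 recommendation) is a Group Policy setting, so neither is checked here.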
Affected Operating Systems
Most of the above vulnerabilities exist in all supported Windows and Windows Server Operating Systems. Although support for Windows Server 2008 and Windows Server 2008 R2 has ended, Microsoft has made updates available for all Windows Server platforms.
CVE-2022-29130 and CVE-2022-22012 are only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable.
CVE-2022-29131 only applies to Domain Controllers running Windows Server 2019, Windows Server, version 20H2 and Windows Server 2022.
After this update is installed on Domain Controllers, backup software running on systems with Windows Server 2008 (with Service Pack 2) or Windows Server 2008 R2 that backs up those Domain Controllers will break.
Microsoft recommends contacting the manufacturer of your backup software for updates and support after installing the updates that address this vulnerability.
Call to Action
I urge you to install the necessary security updates on Domain Controllers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to the Windows Server installations running as Domain Controllers in the production environment.
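To verify a staged rollout like the one described above, it helps to have a per-Domain-Controller view of whether the update is installed. The following PowerShell script is an added example written for this post, not code from the original post or from Microsoft. It assumes the RSAT ActiveDirectory module is installed, that the account running it can query each Domain Controller over WMI/DCOM (which Get-HotFix uses), and that you supply the KB number of the May 2022 update yourself; the KB0000000 value below is a placeholder, not the real article number.

```powershell
# Added example: report installation status of a given update on every Domain Controller.
# Assumptions: ActiveDirectory module present, WMI/DCOM reachable to each DC with admin rights.
# 'KB0000000' is a PLACEHOLDER; substitute the real KB number of the May 2022 update.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

function Get-DcUpdateStatus {
    param(
        [Parameter(Mandatory)][string]$KbId,            # e.g. 'KB0000000' (placeholder)
        [string]$Domain = (Get-ADDomain).DNSRoot,       # domain to enumerate DCs from
        [string]$Site                                    # optional: limit to one AD site (test site first)
    )

    $dcs = Get-ADDomainController -Filter * -Server $Domain
    if ($Site) { $dcs = $dcs | Where-Object { $_.Site -eq $Site } }

    foreach ($dc in $dcs) {
        $status = 'Unknown'; $installedOn = $null; $errorText = $null
        try {
            # Pull the full hotfix list so "not installed" is a missing entry, not an exception.
            $fixes = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop
            $fix = $fixes | Where-Object { $_.HotFixID -eq $KbId }
            if ($fix) { $status = 'Installed'; $installedOn = $fix.InstalledOn }
            else      { $status = 'Missing' }
        } catch {
            # Connection or permission failure; the DC is not confirmed either way.
            $status = 'Unreachable'; $errorText = $_.Exception.Message
        }

        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            OperatingSystem  = $dc.OperatingSystem
            Update           = $KbId
            Status           = $status
            InstalledOn      = $installedOn
            Error            = $errorText
        }
    }
}

# Usage: check the test site first, then the whole domain before declaring the rollout complete.
Get-DcUpdateStatus -KbId 'KB0000000' -Site 'Test-Site' | Format-Table -AutoSize
Get-DcUpdateStatus -KbId 'KB0000000' | Where-Object Status -ne 'Installed' | Format-Table -AutoSize
```

A Domain Controller that shows as Unreachable has not been verified, so treat it the same as Missing until the query succeeds; firewalls that block DCOM between the management host and the DC are the usual cause.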