Microsoft has fixed the (PetitPotam) NTLM Relay Vulnerability (CVE-2022-26925) with Windows May 2022 Update

Windows[German]Another addendum from this week: On patchday, Microsoft closed some vulnerabilities with its security update for Windows on May 10, 2022. One vulnerability (CVE-2022-26925, Windows LSA Spoofing) affects NTLM relay attacks on systems. The updates are another fix to the PetitPotam vulnerability disclosed in 2021. In the meantime, the vulnerability is being exploited for attacks against Active Directory. It should be patched in a timely manner – but update collateral damage is getting in the way in some cases.

Windows LSA spoofing vulnerability CVE-2022-26925

In the blog post Microsoft Security Update Summary (May 10, 2022) , I had already mentioned that the Windows LSA spoofing vulnerability CVE-2022-26925 would be closed by the security updates. Through this vulnerability, an unauthenticated attacker could invoke a method of the LSARPC interface and force domain controllers to authenticate to the attacker using NTLM.

This vulnerability affects all servers, but domain controllers should be prioritized when applying security updates. When the affected security update is installed, this detects anonymous connection attempts in LSARPC and does not allow them. Microsoft has provided updates for the following Windows versions to close the vulnerability.

  • KB5014012: Monthly Rollup for Windows Server 2008 R2 SP1; Windows 7 SP1
  • KB5013999: Security Only for Windows Server 2008 R2 SP1; Windows 7 SP1
  • KB5014010: Monthly Rollup for Windows Server 2008 SP2
  • KB5014006: Security Only for Windows Server 2008 SP2
  • KB5014011: Monthly Rollup for Windows Server 2012 R2; Windows 8.1
  • KB5014001: Security Only for Windows Server 2012 R2; Windows 8.1
  • KB5014017: Monthly Rollup for Windows Server 2012
  • KB5014018: Security Only for Windows Server 2012
  • KB5013963: Windows 10 Version 1507
  • KB5013952: Windows Server 2016; Windows 10 Version 1607
  • KB5013941: Windows Server 2019; Windows 10 Version 1809
  • KB5013942: Windows Server Version 20H2, Windows 10 Version 20H2-21H2
  • KB5013943: Windows 11
  • KB5013944: Windows Server 2022
  • KB5013945: Windows 10 Version 1909

Microsoft has also published the support article ADV210003 Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) to protect systems from such attacks. There is also support article KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) on the topic.

The EFS API OpenEncryptedFileRaw(A/W, which is often used in backup software, no longer works on Windows Server 2008 SP2 after installing the security update.

Domain controller patching preferred

The vulnerability has received a CVSS score of 9.8, so it is quite critical. Microsoft recommends giving priority to updating domain controllers in the article on CVE-2022-26925. . Blog reader Daniele points out in this comment that the "Active Directory vulnerability is already a target of attacks." Microsoft writes in the article on CVE-2022-26925 that the vulnerability is already being exploited.

Updates patch PetitPotam again

French security researcher Gilles Lionel (alias Topotam) had published a proof of concept (PoC) in July 2021 for exploiting an NTLM relay attack that can take over Windows domain controllers (see also PetitPotam attack allows Windows domain takeover). It does so by using a method to force a domain controller to authenticate to a malicious NTLM relay. This allows then to forward the request over HTTP to a domain's Active Directory certificate services. Ultimately, the attacker receives a Kerberos ticket (TGT) that could be used to assume the identity of any device on the network, including a domain controller.

All Windows Server variants still in support were affected. This so-called Windows LSA spoofing vulnerability CVE-2021-36942 was closed with the regular security updates on August 10, 2021. However, there was another attack vector for which Acros-Security then provided a 0patch fix (see 2nd 0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 19, 2021)).

However, there was a bug after a DCOM hardening by the September 2021 patch – I had pointed out corresponding reader information in the German blog post Windows-Schwachstelle CVE-2021-36942 (Petitpotam) und DCOM-Härtung. Now the colleagues of Bleeping Computer have asked Microsoft and learned that the now closed vulnerability belongs to the PetitPotam vulnerability. In this tweet, Nicolas Krassas points to this article from Bleeping Computer, which discusses a new patch for the PetitPotam vulnerability.

PetitPotam-Patch May 2022

According to the above, the May 2022 security updates should be applied promptly. However, there are numerous problems with the installation of the updates that stand in the way of this undertaking, which I addressed in the blog post Windows, Office: May 2022 Patchday issues and mysteries. I would like to highlight Error 0xc0000135, which is caused by cumulative update KB5013943 for Windows 11, and blocks the execution of numerous applications. The problem is described in more detail and with troubleshooting options in the post Windows 11: Update KB5013943 results in application error 0xc0000135. According to my information, Windows Server version 20H2 and Windows 10 version 20H2-21H2 are affected by update KB5013942.

In addition, yes, there are 802.1x certificate issues on DCs and NPS servers, which are also addressed in the blog post Windows, Office: May 2022 Patchday issues and mysteries and in the article Windows May 2022 Updates Cause AD Authentication Failure (Server, Client).

Similar articles:
Microsoft Office Updates (May 3, 2022)
Microsoft Security Update Summary (May 10, 2022)
Patchday: Windows 10-Updates (May 10, 2022)
Patchday: Windows 11/Server 2022-Updates (May 10, 2022)
Windows 7/Server 2008R2; Windows 8.1/Server 2012R2: Updates (May 10, 2022)
Patchday: Microsoft Office Updates (May 10, 2022)

Windows, Office: May 2022 Patchday issues and mysteries

PetitPotam attack allows Windows domain takeover
Microsoft's mitigations of Windows PetitPotam NTLM relay attacks
Microsoft Security Update Revisions (July 29, 2021)
PetitPotam attacks on Windows blocked by RPC filters
2nd 0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 19, 2021)

This entry was posted in Security, Update, Windows and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *