Microsoft recently released this month’s patch batch includes fixes for seven “critical” flaws, as well as a zero-day vulnerability that affects all supported versions of Windows. Of most importance is CVE-2022-26925, an “important” spoofing vulnerability in Windows Local Security Authority (LSA) that may turn into a “critical” one if combined with NTLM relay attacks.
To exploit this vulnerability, an unauthenticated attacker could call a method on the LSARPC interface and coerce the Domain Controller to authenticate to the attacker using NTLM. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim in order to read or modify network communications. This is commonly referred to as a Meddler-in-the-Middle (MitM) attack.
You are potentially vulnerable to this attack if you are using Active Directory Certificate Services (AD CS) with any of the following services:
- Certificate Authority Web Enrollment
- Certificate Enrollment Web Service
For a comprehensive list of all vulnerabilities identified on Patch Tuesday, click here.
What You Should Do
Microsoft recommends that organizations prioritize patching domain controllers for this vulnerability. To learn more on how to mitigate this vulnerability, click here.
Also, remember to restart your browser after the update has been installed, or it will not activate, and you will still be vulnerable to attack.
Have Questions regarding this Update? Reach out to a member of the BMT for assistance.