The Cybersecurity and Infrastructure Security Agency gave agencies until July 22 to address a Microsoft security bug hackers could exploit to take over a Windows domain, in guidance issued Friday.
CISA had temporarily removed the Local Security Authority (LSA) spoofing vulnerability from its Known Exploited Vulnerabilities catalog, the list of flaws that Binding Operational Directive 22-01, issued in November, requires agencies to remediate by a set deadline. The reason was that the May security updates that fix the bug also change how domain controllers map certificates to accounts, and that change broke Personal Identity Verification (PIV) and Common Access Card (CAC) certificate authentication for many agencies.
“Active Directory now looks for the account’s security identifier (SID) in the certificate or for a strong mapping between the certificate and account,” reads CISA’s follow-up. “This guidance provides information on how the required patches can be applied without breaking certificate authentication.”
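The "strong mapping" CISA refers to is a value in an account's altSecurityIdentities attribute that pins a specific certificate to the account (issuer plus serial number, subject key identifier, or SHA-1 of the public key) rather than a reusable subject or e-mail string. The following script, an added example that is not CISA's or Microsoft's code, audits a list of altSecurityIdentities values by mapping type and builds the IssuerSerialNumber form, which requires the issuer DN and the serial number in reversed order. The mapping formats follow Microsoft's KB5014754; the sample values, the account names and the function names are constructed for illustration.

```python
"""Audit and build Active Directory certificate-to-account mappings
(altSecurityIdentities) in the forms Microsoft documents in KB5014754.
Added example, not CISA's or Microsoft's code."""
import re

# Tags that can appear in an X509: mapping value.
TAG_RE = re.compile(r"<(I|S|SR|SKI|SHA1-PUKEY|RFC822)>")

# Per KB5014754: IssuerSerialNumber, SubjectKeyIdentifier and SHA1PublicKey
# are strong; IssuerSubject, SubjectOnly and RFC822 are weak.
STRONG_SHAPES = {("I", "SR"), ("SKI",), ("SHA1-PUKEY",)}
WEAK_SHAPES = {("I", "S"), ("S",), ("RFC822",)}


def mapping_kind(value):
    """Classify one altSecurityIdentities value as 'strong', 'weak' or 'invalid'."""
    if not value.startswith("X509:"):
        return "invalid"
    shape = tuple(TAG_RE.findall(value[len("X509:"):]))
    if shape in STRONG_SHAPES:
        return "strong"
    if shape in WEAK_SHAPES:
        return "weak"
    return "invalid"


def reverse_serial(serial_hex):
    """The <SR> field holds the serial number in reverse byte order relative
    to how the certificate viewer displays it (KB5014754)."""
    clean = re.sub(r"[\s:]", "", serial_hex)
    if len(clean) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", clean):
        raise ValueError("serial must be an even-length hex string")
    pairs = [clean[i:i + 2] for i in range(0, len(clean), 2)]
    return "".join(reversed(pairs)).upper()


def reverse_dn(dn):
    """The <I> field lists the issuer's RDNs in reverse display order
    (CN=...,DC=contoso,DC=com becomes DC=com,DC=contoso,CN=...).
    Simplification: escaped commas inside an RDN are not handled."""
    rdns = [part.strip() for part in dn.split(",")]
    return ",".join(reversed(rdns))


def issuer_serial_mapping(issuer_dn, serial_hex):
    """Build the strong IssuerSerialNumber mapping for a certificate."""
    return f"X509:<I>{reverse_dn(issuer_dn)}<SR>{reverse_serial(serial_hex)}"


def audit(values):
    """Group altSecurityIdentities values by mapping kind so weak ones can be replaced."""
    report = {"strong": [], "weak": [], "invalid": []}
    for value in values:
        report[mapping_kind(value)].append(value)
    return report


# Constructed sample values, as they might be read back from user objects.
SAMPLE_VALUES = [
    "X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<SR>1200000000AC11000000002B",
    "X509:<SKI>1384d1e1fa6d9a3b2b7c0e6f1a2b3c4d5e6f7a8b",
    "X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<S>CN=alice,OU=Users,DC=contoso,DC=com",
    "X509:<RFC822>alice@contoso.com",
]

if __name__ == "__main__":
    for kind, found in audit(SAMPLE_VALUES).items():
        print(f"{kind}: {len(found)}")
    # Serial as shown in the viewer for a constructed certificate.
    print(issuer_serial_mapping("CN=CONTOSO-DC-CA,DC=contoso,DC=com",
                                "2B 00 00 00 00 11 AC 00 00 00 00 12"))
```

The generated string is what an administrator writes to the account, for example with `Set-ADUser alice -Replace @{altSecurityIdentities="X509:<I>...<SR>..."}`; values the audit reports as weak are the ones that stop satisfying the hardened check once enforcement is turned on, unless the certificate itself carries the account's SID.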
The vulnerability, CVE-2022-26925, lets an unauthenticated attacker call a method on the LSARPC interface (the Local Security Authority remote protocol, carried over RPC) and coerce a domain controller into authenticating to the attacker with NTLM (Windows NT LAN Manager). The attacker can then relay that machine-account authentication to another service. Microsoft's patch detects anonymous connection attempts on LSARPC and disallows them.
Microsoft rates the attack complexity as high under the Common Vulnerability Scoring System because this is a man-in-the-middle (NTLM relay) attack: the attacker must first be positioned on the logical network path between the domain controller and the resource it is coerced into contacting.
The same update also remediates two other vulnerabilities: CVE-2022-26923 (Active Directory Domain Services elevation of privilege) and CVE-2022-26931 (Windows Kerberos elevation of privilege). The certificate-mapping hardening that addresses those two, described in Microsoft's KB5014754, is what caused the PIV and CAC authentication failures.