Windows LSA Spoofing Vulnerability CVE-2022-26925

CVE-2022-26925 is a weakness in the central component of Windows security (the “Local Security Authority” process within Windows) that when exploited allows attackers to perform a man-in-the-middle attack to force domain controllers to authenticate to the attacker using NTLM authentication. When used in conjunction with an NTLM relay attack there is the potential for remote code execution.

Per Microsoft, “An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM.”

Microsoft has rated this vulnerability as important and assigned it a CVSS (danger) score of 8.1 (10 being the worst), although Microsoft notes that the CVSS score can be as high as 9.8 in certain situations.

For an attacker to take advantage of this vulnerability they must already have access to the logical network path between the client and resource to perform a man-in-the middle attack.

Identification of Vulnerable Devices

Per Microsoft, “This bug affects all supported versions of Windows, but Domain Controllers should be patched on a priority basis before updating other servers.”

Special effort should be made to prioritize the remediation of this vulnerability on devices that are both Domain Controllers and vulnerable to NTLM Relay Attacks. The vulnerability severity for these devices is higher at 9.8.

Domain Controllers are potentially vulnerable to NTLM relay attacks when the following Active Directory Certificate Services (AD CS) components are present:

  • Certificate Authority Web Enrollment
  • Certificate Enrollment Web Service

You can identify if the aforementioned services are present on your Windows Server by using the following method:

  • Open a PowerShell prompt and run the following command:
Get-WindowsFeature *ad-certificate*, *adcs*

If “Active Directory Certificate Services” is selected in the results AND either the “Certificate Authority Web Enrollment” OR “Certificate Enrollment Web Service” is selected, your server is potentially at an increased risk for this attack.

Remediation for Vulnerable Devices

Rackspace Technology strongly recommends the following actions:

1- Install the May 2022 patches from Microsoft as recommended in this link:

  • For customers subscribed to Rackspace Technology patching solutions, the associated patch will be applied on regular patching schedules.
  • Customers not subscribed to Rackspace Technology patching solutions are strongly encouraged to fully patch their systems as soon as possible. Customers can patch their systems themselves or contact Rackspace to receive assistance with patching. We will make every effort to accommodate patching requests.

2- If the “Active Directory Certificate Services” role and associated services (i.e. “Certificate Authority Web Enrollment” OR “Certificate Enrollment Web Service”) are installed but you are not using these roles, uninstall the roles using these instructions provided by Microsoft.

Known Issues

Per Microsoft, “After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller.”

Should you experience authentication issues after the installation of the May 2022 updates Microsoft has supplied an out-of-band fix detailed in this link.

If you need any further information or assistance regarding this vulnerability, raise a Support Ticket or call your Rackspace Support Team.

Use the Feedback tab to make any comments or ask questions. You can also start a conversation with us.