Advisory 21

TLP Rating: Clear

Microsoft Windows LSA Spoofing vulnerability CVE-2022-26925

CERT Vanuatu (CERTVU) and the Office of the Chief Information Officer (OGCIO) provide the following advisory.

Microsoft disclosed a Microsoft Windows LSA Spoofing vulnerability. On the 5th of July 2022, CERT Vanuatu received an advisory about this threat from its collaborating partner, the Cybersecurity Infrastructure Security Agency (CISA).

CERTVU advises its constituents using Microsoft products to act swiftly to address this threat.

What is it?

CVE-2022-26925 is a weakness in the central component of Windows security (the “Local Security Authority” process within Windows) that, when exploited, allows attackers to perform a man-in-the-middle attack to force domain controllers to authenticate to the attacker using NTLM authentication.

To take advantage of this vulnerability, an attacker must already have access to the logical network path between the client and the resource in order to perform a man-in-the-middle attack.
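
One way to look for the behaviour described above in logon records, added here as an example that is not part of the CERTVU advisory or of Microsoft's guidance: it flags Security event 4624 network logons in which a domain controller machine account authenticated with NTLM, and rates them higher when the source address is not one of that DC's own. The DC names, addresses, CSV export layout and sample events are constructed, and treating these logons as suspicious is a heuristic assumption to tune per environment.

```python
import csv
import io

# Constructed inventory (assumption): DC machine accounts and their known addresses.
DC_ADDRESSES = {
    "DC01$": {"10.0.0.10"},
    "DC02$": {"10.0.0.11"},
}

# Constructed sample: Security log records exported to CSV (layout is an assumption).
SAMPLE_EVENTS = """\
EventID,Computer,TargetUserName,LogonType,AuthenticationPackageName,IpAddress
4624,FILE01,alice,3,Kerberos,10.0.1.25
4624,FILE01,DC01$,3,Kerberos,10.0.0.10
4624,APP01,DC01$,3,NTLM,10.0.1.77
4624,DC02,DC02$,3,NTLM,10.0.0.11
4624,WEB01,bob,3,NTLM,10.0.1.30
4625,APP01,DC02$,3,NTLM,10.0.1.77
"""


def find_dc_ntlm_logons(csv_text, dc_addresses):
    """Return successful network logons where a DC machine account used NTLM.

    Severity is "high" when the source address is not one of the DC's known
    addresses (the logon did not come from the DC itself), else "review".
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # 4624 = successful logon; LogonType 3 = network logon.
        if row["EventID"] != "4624" or row["LogonType"] != "3":
            continue
        account = row["TargetUserName"].upper()
        if account not in dc_addresses:
            continue
        if row["AuthenticationPackageName"].upper() != "NTLM":
            continue
        from_dc = row["IpAddress"] in dc_addresses[account]
        findings.append({
            "host": row["Computer"],
            "account": account,
            "source": row["IpAddress"],
            "severity": "review" if from_dc else "high",
        })
    return findings


if __name__ == "__main__":
    for f in find_dc_ntlm_logons(SAMPLE_EVENTS, DC_ADDRESSES):
        print(f"[{f['severity']}] {f['account']} NTLM logon on {f['host']} from {f['source']}")
```
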

References

  1. https://docs.rackspace.com/support/how-to/windows-lsa-spoofing-vulnerability-cve-2022-26925/
  2. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925