Advisory 21

TLP Rating: White

Microsoft Windows LSA Spoofing vulnerability CVE-2022-26925

CERT Vanuatu (CERTVU) and the Office of the Chief Information Officer (OGCIO) provide the following advisory.

Microsoft disclosed a Microsoft Windows LSA Spoofing Vulnerability. On the 5th of July 2022, CERT Vanuatu received an advisory on this threat from its collaborating partner, the Cybersecurity and Infrastructure Security Agency (CISA).

CERTVU would like to advise its constituents using Microsoft Products to swiftly act on addressing this threat.

What is it?

CVE-2022-26925 is a weakness in a central component of Windows security (the “Local Security Authority” process within Windows) that, when exploited, allows an attacker to perform a man-in-the-middle attack and force domain controllers to authenticate to the attacker using NTLM authentication.

For an attacker to take advantage of this vulnerability, they must already have access to the logical network path between the client and the resource in order to perform a man-in-the-middle attack.

Identification of Vulnerable Devices

This bug affects all supported versions of Windows, but especially Domain Controllers (DCs). DCs should be patched on a priority basis before other servers are updated. Special effort should be made to prioritise the remediation of this vulnerability on devices that are both DCs and vulnerable to NTLM relay attacks.

Mitigation Process / How do I Stay Safe?

CERTVU strongly recommends the following actions:

  1. Install the latest patches from Microsoft.
  2. If the “Active Directory Certificate Services” role and its associated services (i.e. “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service”) are installed but not used, uninstall the roles.
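As an added triage example (not part of the CERTVU advisory), the following PowerShell script reports, for the server it runs on, whether the machine is a domain controller, whether the AD CS roles named in step 2 are installed, and the most recent update applied, so an administrator can decide where the two mitigation steps apply first. It assumes Windows Server with the ServerManager module available; the feature identifiers are the standard AD CS feature names. It only reports and removes nothing.

```powershell
# Added example, not part of the CERTVU advisory. Run as an administrator on a
# Windows Server host with the ServerManager module (Get-WindowsFeature).
Import-Module ServerManager

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$isDc = $cs.DomainRole -in 4, 5

# The AD CS services the advisory names (plus the base CA role) mapped to
# their Windows feature identifiers.
$adcsFeatures = @{
    'ADCS-Cert-Authority' = 'Certification Authority'
    'ADCS-Web-Enrollment' = 'Certificate Authority Web Enrollment'
    'ADCS-Enroll-Web-Svc' = 'Certificate Enrollment Web Service'
}

$installed = Get-WindowsFeature -Name ([string[]]$adcsFeatures.Keys) |
    Where-Object { $_.Installed }

# Most recent update applied, so the reviewer can see whether the update
# that addresses CVE-2022-26925 has reached this host.
$latestFix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if ($isDc -and $installed) {
    $action = 'Priority: DC with AD CS roles present. Patch first; uninstall roles that are not in use.'
} elseif ($isDc) {
    $action = 'Priority: DC. Patch first.'
} elseif ($installed) {
    $action = 'Patch; review whether the listed AD CS roles are still needed.'
} else {
    $action = 'Patch with the rest of the estate.'
}

[PSCustomObject]@{
    ComputerName        = $cs.Name
    IsDomainController  = $isDc
    AdcsFeaturesPresent = ($installed.Name -join ', ')
    LatestHotFix        = $latestFix.HotFixID
    LatestHotFixDate    = $latestFix.InstalledOn
    RecommendedAction   = $action
}
```

Roles confirmed as unused can then be removed with Uninstall-WindowsFeature using the same feature identifiers.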

References

  1. https://docs.rackspace.com/support/how-to/windows-lsa-spoofing-vulnerability-cve-2022-26925/
  2. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925