Microsoft recently released a patch for a Windows Local Security Authority (LSA) spoofing vulnerability. It was one of 74 security flaws fixed in the May 2022 Patch Tuesday release: 7 rated critical, 66 rated important and 1 rated low severity.
The Windows LSA spoofing vulnerability (CVE-2022-26925) is being actively exploited. According to Microsoft, an unauthenticated attacker can call a method on the LSARPC interface and “coerce the domain controller to authenticate to the attacker using NTLM.” The attack is a man-in-the-middle one: the attacker inserts themselves into the logical network path between the target and the resource it requests, so that the coerced authentication lands on a host they control and can be relayed onward. On its own the bug carries a CVSS base score of 8.1, but Microsoft states it would be rated 9.8 when combined with NTLM relay attacks against Active Directory Certificate Services (AD CS).
The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalogue (its “must-patch” list), which requires federal agencies to remediate listed vulnerabilities within a set timeframe. Microsoft is providing further mitigation instructions for this vulnerability and has also described a default configuration of Windows servers with specific roles enabled that permits exploitation.
“The story behind CVE-2022-26925 is no advanced reverse engineering, but a lucky accident. During my pentests in January and March, I saw that PetitPotam worked against the [domain controllers],” said Raphael John of Bertelsmann Printing Group on Twitter; Microsoft credits him with reporting CVE-2022-26925.
Microsoft addressed this vulnerability in the May patch release and warned at the time that it had been publicly disclosed and exploited in attacks. According to CISA, the May 10 update should not cause issues on client devices or on servers that are not domain controllers, and users should continue to install it on those devices. The qualification matters because the same update also changed how domain controllers handle certificate-based authentication, and some organisations reported authentication failures on domain controllers after installing it, so domain controllers should be updated with that in mind.
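The coercion described above has a visible side effect a defender can hunt for: the domain controller authenticates outbound with its own machine account (for example DC01$) over NTLM, so whichever server the attacker relays that authentication to records a logon for the DC's machine account from the attacker's address rather than from the DC itself. The following detection is an added example written for this bulletin, not code from Microsoft or from the researcher quoted above. The domain controller inventory, the addresses and the Security log events are all constructed for the example; the field names follow the Windows Security event schema (Event ID 4624, TargetUserName, AuthenticationPackageName, IpAddress), but the JSON-lines layout is an assumption about how you export them.

```python
"""Flag NTLM logons by a domain controller's machine account that do not come
from that DC's own address. Added detection example with constructed data."""
import json

# Constructed inventory (assumption): DC machine accounts -> legitimate source addresses.
DOMAIN_CONTROLLERS = {
    "DC01$": {"10.0.0.10"},
    "DC02$": {"10.0.0.11"},
}

# Constructed Security log export, one JSON object per line. The last line is
# deliberately malformed to show that the parser skips rather than aborts.
SAMPLE_EVENTS = """
{"EventID": 4624, "TargetUserName": "DC01$", "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.10", "LogonType": 3, "Computer": "CA01.corp.example"}
{"EventID": 4624, "TargetUserName": "alice", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.23", "LogonType": 3, "Computer": "CA01.corp.example"}
{"EventID": 4624, "TargetUserName": "DC01$", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.99", "LogonType": 3, "Computer": "CA01.corp.example"}
{"EventID": 4624, "TargetUserName": "DC02$", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.11", "LogonType": 3, "Computer": "FS01.corp.example"}
{"EventID": 4625, "TargetUserName": "DC01$", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.99", "LogonType": 3, "Computer": "CA01.corp.example"}
this line is not JSON
""".strip()


def parse_events(text):
    """Parse JSON-lines export into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad export line must not hide the rest of the log
    return events


def suspicious_dc_ntlm_logons(events, dcs=DOMAIN_CONTROLLERS):
    """Return successful (4624) NTLM logons where the account is a DC machine
    account and the source address is not one the DC legitimately uses."""
    findings = []
    for e in events:
        if e.get("EventID") != 4624:
            continue
        if e.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos logons by the DC are the normal case
        account = str(e.get("TargetUserName", "")).upper()
        if account not in dcs:
            continue  # only DC machine accounts matter for this coercion pattern
        source = str(e.get("IpAddress", ""))
        if source in dcs[account]:
            continue  # the DC talking from its own address is expected
        findings.append({
            "account": account,
            "source": source,
            "target": e.get("Computer"),
            "logon_type": e.get("LogonType"),
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_dc_ntlm_logons(parse_events(SAMPLE_EVENTS)):
        print(f"DC account {f['account']} logged on over NTLM to {f['target']} "
              f"from {f['source']} (logon type {f['logon_type']})")
```

On the constructed data only the third event is flagged: DC01$ authenticating over NTLM to the certificate authority host from 10.0.5.99, an address that is not the DC's. The check is deliberately narrow: it ignores failed logons (4625), so extend it to those if you also want to see relay attempts that were rejected, and it cannot see a relay whose source address is spoofed to match the DC's own. It complements, rather than replaces, the server-side hardening in Microsoft's mitigation guidance.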
Base Score Metrics explained
Attack Vector
It describes the context in which the vulnerability can be exploited. In this case it is Network: the vulnerable component is bound to the network stack, and the set of possible attackers extends beyond the other options, up to and including the entire Internet.
Attack Complexity
It describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. In this case it is High: a successful attack requires the attacker to invest some measurable effort in preparation or execution against the vulnerable component, here by getting into the network path so that the coerced authentication reaches them.
Privileges required
It describes the level of privileges the attacker must have in order to exploit the vulnerability. In this case it is None: the attacker is unauthenticated and needs no access to settings or files to perform the attack.
User Interaction
It describes whether a user other than the attacker must take part for the attack to succeed. It is None in this case: the vulnerable system can be exploited without any user interaction.
Scope
It records whether exploiting the vulnerability can affect components beyond the vulnerable one, that is, resources managed by a different security authority; the base score increases if so. It is Unchanged in this case, as the vulnerability, when exploited, affects only resources managed by the same security authority.
Confidentiality
It measures the impact on the confidentiality of the information resources managed by the component after a successful exploitation. In this case it is High: a total loss of confidentiality.
Integrity
It measures the impact on the integrity of those resources after a successful exploitation. It is High in this case: a total loss of integrity.
Availability
It measures the impact on the availability of the impacted component resulting from a successful exploitation. It is High in this case as well. Together these metrics give the base vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, which evaluates to the 8.1 base score.
This vulnerability is under active exploitation, and we recommend installing the May Windows patch. With the Clear Infosec Threat Intelligence Bulletin, stay updated on new threats and stay fortified.