CISA orders federal agencies to patch Windows bug

The Cybersecurity and Infrastructure Security Agency on Friday said that federal civilian executive branch agencies must apply remediations for a security bug affecting Microsoft devices by July 22.

The vulnerability, tracked as CVE-2022-26925, was temporarily removed from CISA’s Known Exploited Vulnerability Catalog in May because of authentication failures associated with an update that was available at the time. The new guidance released by CISA includes steps to apply Microsoft’s June 2022 security updates — which address the vulnerability — without breaking certificate authentication or causing service outages.

According to Microsoft, the bug is a Local Security Authority (LSA) spoofing vulnerability that could allow an unauthenticated hacker to “coerce the domain controller to authenticate to the attacker using NTLM” — the Windows New Technology LAN Manager security protocol — which could be used to take over the targeted Windows domain. The security update works by detecting and disallowing anonymous connection attempts.

The updates are a fix to the PetitPotam security issue discovered by French researcher Gilles Lionel in 2021, which is particularly dangerous because it could allow attackers to take over large internal corporate networks.

Security researchers at Google on Thursday highlighted CVE-2022-26925 as one of 18 0-days “detected and disclosed as exploited in-the-wild in 2022.”

Although CISA’s Binding Operational Directive only applies to federal agencies, it has strongly recommended that businesses — as well as state, local, tribal and territorial government agencies — prioritize mitigations of these vulnerabilities as well.