
CISA removes 'PetitPotam' bug from catalog after Microsoft warns of risk to domain controllers

The Cybersecurity and Infrastructure Security Agency (CISA) removed a Microsoft vulnerability from its catalog of known exploited bugs after the company reported issues with how an update addressing the issue affected domain controllers. 


A domain controller is a type of computer server that responds to security authentication requests and verifies users on the domain of a computer network.

CVE-2022-26925 — a vulnerability included in Microsoft’s Patch Tuesday release last week — is a Windows Local Security Authority (LSA) Spoofing vulnerability that was publicly disclosed and is being exploited in the wild, according to Microsoft. 

Allan Liska, senior security architect at Recorded Future, said the vulnerability should be a priority for those in charge of patching systems.

“This vulnerability impacts Windows 7 through 10 and Windows Server 2008 through 2022. Microsoft has rated this vulnerability as important and assigned it a CVSS score of 8.1, though Microsoft notes that the CVSS score can be as high as 9.8 in certain situations,” Liska explained last week. 

“Microsoft patched a similar vulnerability, CVE-2021-36942, in August of last year which was also being exploited in the wild under the name PetitPotam. CVE-2021-36942 was so bad it made CISA’s catalog of Known Exploited Vulnerabilities.”

But on Friday, CISA said it was contacted by Microsoft and told to temporarily remove the vulnerability from its list “due to a risk of authentication failures when the May 10, 2022 Microsoft rollup update is applied to domain controllers.”

“After installing the May 10, 2022 rollup update on domain controllers, organizations might experience authentication failures on the server or client for services, such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). Microsoft notified CISA of this issue, which is related to how the mapping of certificates to machine accounts is being handled by the domain controller,” CISA explained. 

“Installation of updates released May 10, 2022, on client Windows devices and non-domain controller Windows Servers will not cause this issue and is still strongly encouraged. This issue only affects May 10, 2022 updates installed on servers used as domain controllers.”
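The CISA guidance quoted above splits hosts into two groups: clients and non-domain-controller servers, which should take the May 10, 2022 update, and domain controllers, where the certificate-mapping change can break NPS, RRAS, EAP and PEAP authentication. The PowerShell below is an added triage example written for this article; it is not code from CISA, Microsoft or The Record. It assumes it runs locally on the host being checked, uses the `Win32_OperatingSystem` ProductType value (2 = domain controller), filters installed hotfixes by install date because the rollup's KB number is not given on this page, and, on a domain controller, counts the Kerberos KDC certificate-mapping events (IDs 39, 40 and 41 in the System log), which is an assumption drawn from Microsoft's certificate-mapping hardening guidance rather than from the article.

```powershell
# Added example, not from the article, CISA or Microsoft.
# Classifies this host against the CISA guidance quoted above and reports
# whether the May 2022 rollup is present and whether the KDC is already
# logging certificate-mapping problems.

function Get-PatchTriageReport {
    param(
        # Date of the rollup the article discusses.
        [datetime]$RollupDate = (Get-Date '2022-05-10')
    )

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $isDc = ($os.ProductType -eq 2)

    # Updates installed on or after the rollup date. The page does not give the
    # rollup's KB number, so the admin must confirm which HotFixID is the rollup.
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $RollupDate }

    # Assumption (not stated in the article): after the May 2022 updates the KDC
    # writes certificate-mapping events 39/40/41 to the System log. Only DCs run a KDC.
    $mapEvents = @()
    if ($isDc) {
        $mapEvents = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
            Id           = 39, 40, 41
        } -MaxEvents 200 -ErrorAction SilentlyContinue)
    }

    $recommendation =
        if (-not $isDc) {
            'Not a domain controller: apply the May 10, 2022 update as CISA advises.'
        } elseif ($recent.Count -gt 0) {
            'Domain controller with post-May-10 updates: watch NPS/RRAS/EAP/PEAP authentication and review KDC events.'
        } else {
            'Domain controller without the May 2022 rollup: review Microsoft''s additional guidance before installing.'
        }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        IsDomainController    = $isDc
        RecentUpdates         = (($recent | Select-Object -ExpandProperty HotFixID) -join ', ')
        CertMappingEventCount = $mapEvents.Count
        Recommendation        = $recommendation
    }
}

Get-PatchTriageReport | Format-List
```

Run it in an elevated session on each host; a non-zero `CertMappingEventCount` on a domain controller is the signal that the certificate-to-account mapping CISA describes is already being rejected for some certificates, which is worth correlating with the NPS, RRAS, EAP or PEAP failures the advisory lists.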

Experts noted that it is rare for CISA to remove a vulnerability from its Known Exploited Vulnerabilities Catalog but said it has happened before. 

Bugcrowd CTO Casey Ellis told The Record that CISA made the right decision because there is always a risk that there will be unexpected consequences when vendors provide updates, especially if they're released under duress from active exploitation.

“Because the potential for a breach using CVE-2022-26925 may be more disruptive to an organization than the possibility for a breach using that vulnerability, CISA has reverted to advocating proper testing before patch release,” Ellis said. 

“This type of testing is routine procedure, but it's easy to skip through while a vulnerability is actively exploited. CISA has moved the conversation from vulnerability to risk, and signaled to the market that this is the approach they are adopting to these recommendations by granting a temporary removal.”

Viakoo CEO Bud Broomhead said it is surprising things like this don’t happen more often considering how many companies are forced to rush out updates due to the urgency caused by exploitation. 

“Very likely there will soon be a patch that remediates this vulnerability across all Windows instances,” Broomhead said. 

“This should not take away the urgency behind applying security fixes as quickly as possible after it is available.” 

Microsoft released additional guidance for those dealing with the specific situation explained by CISA. 

CVE-2021-36942 relates back to the PetitPotam vulnerability discovered by French researchers that Microsoft said it fixed last year. 

Multiple researchers revealed that Microsoft had not actually fixed the vulnerability and several ransomware groups have been seen exploiting it.

Raphael John, who is credited by Microsoft with discovering it, said it was a mistake on Microsoft’s part. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.