Last November, Microsoft confirmed an elevation of privilege vulnerability in Windows Kerberos, the identity authentication protocol. Following the confirmation, the company sent out a security fix for servers (KB5019081) as part of that month's Patch Tuesday. This was a staged update, with Phase 1 in November, Phase 2 in December, and now Microsoft says that Phase 3 is coming.
The patch addresses the Windows Kerberos flaw, tracked as CVE-2022-37967, that allows threat actors to alter Privilege Attribute Certificate (PAC) signatures. At the time of its discovery and disclosure, the company described the issue in the following way:
“The November 8, 2022 Windows updates address security bypass and elevation of privilege vulnerabilities with Privilege Attribute Certificate (PAC) signatures. This security update addresses Kerberos vulnerabilities where an attacker could digitally alter PAC signatures, raising their privileges.
To help secure your environment, install this Windows update to all devices, including Windows domain controllers.”
Following the Phase 1 and Phase 2 updates in November and December, Microsoft is now moving on to Phase 3. The company has today published a reminder of the upcoming deployment, which is scheduled for the April 2023 Patch Tuesday on April 11, 2023.
“Security hardening changes needed on Domain Controllers in IT environments to address CVE-2022-37967 will enter the Third deployment phase with the release of updates on April 11, 2023, as outlined in KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967. Each phase raises the default minimum for the security hardening changes for CVE-2022-37967 and your environment must be compliant before installing updates for each phase onto your Domain Controller.
If you are using the workaround to disable PAC signature addition by setting the KrbtgtFullPacSignature subkey to a value of 0, you will no longer be able to use this workaround after installing updates released April 11, 2023. Your apps and environment will need to at least be compliant with KrbtgtFullPacSignature subkey to a value of 1 to install these updates on your Domain Controllers.”
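The quoted guidance turns on one registry value: domain controllers still on the KrbtgtFullPacSignature = 0 workaround will not accept the April 11, 2023 updates, and must be at 1 or higher first. The PowerShell below is an added example (not code from the article or from Microsoft) that reports each domain controller's current setting and readiness, and can raise a DC still on the workaround to the minimum of 1. It assumes the registry location documented in KB5020805 (the Kdc service key under HKLM\SYSTEM\CurrentControlSet\Services) and that KB's meaning for values 2 (audit) and 3 (enforcement); the function names are the example's own.

```powershell
# Added example: inventory and remediate the KrbtgtFullPacSignature setting
# on domain controllers ahead of the Phase 3 (April 11, 2023) updates.
# Assumption: key path and value semantics as documented in KB5020805.

$KdcKeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName  = 'KrbtgtFullPacSignature'

function Invoke-OnDomainController {
    param([string]$ComputerName, [scriptblock]$ScriptBlock, [object[]]$ArgumentList)
    if ($ComputerName -eq $env:COMPUTERNAME) {
        return & $ScriptBlock @ArgumentList
    }
    # Remote DCs are reached over WinRM; the caller needs admin rights there.
    return Invoke-Command -ComputerName $ComputerName -ScriptBlock $ScriptBlock `
        -ArgumentList $ArgumentList -ErrorAction Stop
}

function Read-KrbtgtFullPacSignature {
    param([string]$ComputerName)
    $reader = {
        param($Path, $Name)
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }   # subkey never created
        return [int]$item.$Name
    }
    Invoke-OnDomainController -ComputerName $ComputerName -ScriptBlock $reader `
        -ArgumentList @($KdcKeyPath, $ValueName)
}

function Get-PacSignatureStatus {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($dc in $ComputerName) {
        try {
            $value = Read-KrbtgtFullPacSignature -ComputerName $dc
        } catch {
            [pscustomobject]@{ DomainController = $dc; Value = $null; Mode = 'Unreachable'
                               Phase3Ready = $false; Detail = $_.Exception.Message }
            continue
        }

        # A missing subkey means the installed update's default applies; the
        # value-0 workaround only exists when an admin explicitly set it.
        if ($null -eq $value) { $mode = 'Default (subkey not set)';                        $ready = $true  }
        elseif ($value -eq 0) { $mode = 'Workaround: PAC signature addition disabled';     $ready = $false }
        elseif ($value -eq 1) { $mode = 'Add new PAC signatures, no validation';           $ready = $true  }
        elseif ($value -eq 2) { $mode = 'Audit: validate signatures, log failures only';   $ready = $true  }
        elseif ($value -eq 3) { $mode = 'Enforce: reject tickets failing PAC validation';  $ready = $true  }
        else                  { $mode = "Unrecognized value $value";                       $ready = $false }

        [pscustomobject]@{
            DomainController = $dc
            Value            = $value
            Mode             = $mode
            Phase3Ready      = $ready
            Detail           = if ($ready) { 'OK to install April 11, 2023 updates' }
                               else        { "Set $ValueName to at least 1 first" }
        }
    }
}

function Set-PacSignatureMinimum {
    # Raises a DC still on the value-0 workaround to 1, the lowest value the
    # Phase 3 updates accept. -WhatIf previews the change without applying it.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $current = Read-KrbtgtFullPacSignature -ComputerName $ComputerName
    if ($current -ne 0) {
        $shown = if ($null -eq $current) { 'not set' } else { $current }
        return "$ComputerName is at '$shown'; nothing to change"
    }
    if ($PSCmdlet.ShouldProcess($ComputerName, "Set $ValueName from 0 to 1")) {
        Invoke-OnDomainController -ComputerName $ComputerName -ScriptBlock {
            param($Path, $Name)
            Set-ItemProperty -Path $Path -Name $Name -Value 1 -Type DWord
        } -ArgumentList @($KdcKeyPath, $ValueName)
        return "$ComputerName: $ValueName set to 1"
    }
}

# Usage (assumes the ActiveDirectory RSAT module for DC discovery):
#   Get-PacSignatureStatus -ComputerName (Get-ADDomainController -Filter *).HostName | Format-Table
#   Set-PacSignatureMinimum -ComputerName DC01 -WhatIf
```

Run the status report from a workstation with admin rights on the DCs before approving the April updates; any row with Phase3Ready false is a DC that will fail the Phase 3 precondition. The remediation deliberately raises the value only to 1, because that is the minimum the quoted guidance requires; moving to audit (2) or enforcement (3) is a separate decision to make after reviewing application compatibility, as KB5020805 describes.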