Microsoft’s Patch Tuesday for May 2022
On Tuesday, May 10, Microsoft released fixes for more than 70 security issues, including seven that are rated critical. One of the patched flaws, a Windows Local Security Authority (LSA) spoofing vulnerability, is being actively exploited. In a related story, some users have reported authentication failures after installing the May updates. Microsoft is investigating.
CVE-2022-26923, while “only” a privilege escalation vulnerability, is relatively easy to exploit and exploits have been well documented. Do not overlook this issue. CVE-2022-26925: Take it as another reason to review the configuration of your Windows systems and make sure NTLM is no longer used.
The LSA vulnerability (CVE-2022-26925) is kind of a big deal. While the raw CVSS score is 8.1, Microsoft suggests it warrants a 9.8 in some situations. This flaw allows attackers to exploit a MITM condition to force domain controllers to authenticate with NTLM authentication. Which, in summary, means you’re going to need to roll this one out, but do some testing, you're messing with the authentication stack.
Read more in
The Register: Microsoft closes Windows LSA hole under active attack
KrebsOnSecurity: Microsoft Patch Tuesday, May 2022 Edition
Bleeping Computer: Microsoft: May Windows updates cause AD authentication failures
Microsoft: May 2022 Security Updates