Microsoft patches from November 2022 cause problems

Update history

Update from November 18th – chapter „final solution“ updated with a reference to the „out of band“ update

Update from November 16th – „official workaround“ announced on Twitter – added chapter „official workaround“

Update from November 15th – added estimated solution delivery date in „final solution“ chapter

Update from November 14th – added an „intermediate solution“ chapter

Update from November 13th – added more references

Overview

On Patch Tuesday in November 2022 Microsoft addressed around 70 vulnerabilities.
Three of them are specific to Windows Server installations with the Domain Controller role installed.
The November update may lead to severe „Kerberos pre-authentication“ problems with impact on applications and infrastructure services.

The following CVEs are the ones we care about: CVE-2022-37966, CVE-2022-37967 and CVE-2022-38023 (the corresponding KB articles are listed in the Background chapter).

Just to make it clear at the beginning of this advisory: Microsoft is aware of this. It is a bug in the update:

https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2022#2953msgdesc

Symptoms

Depending on your configuration you may encounter one or more of the following issues:

    • You cannot log in to a server, with the error „the encryption type is not supported by the KDC“
    • ADFS is running but not working
    • Azure AD Reverse Proxy is not working
    • Group Managed Service Accounts (gMSA) stop working with „Kerberos pre-authentication failed“ errors
    • PIV smart card authentication fails
    • Events with ID „4771“ („Kerberos pre-authentication failed“) are logged in the Security event log, as shown in the following screenshot

Background

The issue revolves around the supported Kerberos encryption types. These can be configured on computer and user objects; the value ends up in the attribute msDS-SupportedEncryptionTypes of the object.

For user objects this is done in Active Directory Users and Computers, either in the attribute editor or by setting the AES checkboxes on the Account tab (screenshot):

For computer objects this can be done by the group policy „Network security: Configure encryption types allowed for Kerberos“, by a hardening solution, or by editing the registry (screenshot):
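Before deciding which of the situations below applies to you, it helps to know which objects actually carry an explicit value. The following inventory script is an added example and not part of the original advisory; it assumes the ActiveDirectory RSAT module is installed, that the account running it can read the domain, and that the `$SearchBase` value and the `Get-ExplicitEtypeObjects` / `ConvertFrom-EncryptionTypes` function names are placeholders of our own. The bit values are the documented msDS-SupportedEncryptionTypes flags; the 0x20 bit is the one the November 2022 update introduced.

```powershell
# Added example (not from the original advisory): list AD user and computer objects that
# have msDS-SupportedEncryptionTypes set, and decode the bitmask into readable etype names.
# Assumes the ActiveDirectory module; $SearchBase is a placeholder to replace.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7 / KB5021131).
# A plain array is used on purpose: indexing an [ordered] dictionary with an [int]
# would be treated as a position, not a key.
$EtypeBits = @(
    @{ Bit = 0x01; Name = 'DES-CBC-CRC' },
    @{ Bit = 0x02; Name = 'DES-CBC-MD5' },
    @{ Bit = 0x04; Name = 'RC4-HMAC' },
    @{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' },
    @{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' },
    @{ Bit = 0x20; Name = 'AES256-CTS-HMAC-SHA1-96-SK' }   # bit added by the November 2022 update
)

function ConvertFrom-EncryptionTypes {
    # $null means the attribute is absent (domain default applies);
    # 0 means it is present but permits no etype at all.
    param($Value)
    if ($null -eq $Value) { return 'not set (domain default applies)' }
    $v = [int]$Value
    $names = foreach ($e in $EtypeBits) { if ($v -band $e.Bit) { $e.Name } }
    if (-not $names) { return ('no known etype (0x{0:X})' -f $v) }
    return ($names -join ', ')
}

function Get-ExplicitEtypeObjects {
    param([Parameter(Mandatory)][string]$SearchBase)
    # (attr=*) only matches objects where the attribute is populated,
    # i.e. exactly the "Kerberos encryption types configured: Yes" population.
    $filter = '(&(|(objectCategory=person)(objectCategory=computer))(msDS-SupportedEncryptionTypes=*))'
    Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter -Properties msDS-SupportedEncryptionTypes |
        ForEach-Object {
            $v = [int]$_.'msDS-SupportedEncryptionTypes'
            [pscustomobject]@{
                Name   = $_.Name
                Class  = $_.ObjectClass
                Value  = '0x{0:X}' -f $v
                Etypes = ConvertFrom-EncryptionTypes $v
                HasRC4 = [bool]($v -band 0x04)
                HasAES = [bool]($v -band 0x18)
            }
        }
}

# Objects with HasRC4 = False are the candidates for the reconfiguration
# described in the Advisory chapter below.
Get-ExplicitEtypeObjects -SearchBase 'DC=corp,DC=example' |
    Sort-Object Class, Name | Format-Table -AutoSize
```

Run it against a test domain first; an empty result means no object carries an explicit value and you are in the "configured: No" situations below.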

There are corresponding KB articles from Microsoft, referenced here for easier research:

For CVE-2022-37966 it is KB5021131, referenced here:

For CVE-2022-37967 it is KB5020805, referenced here:

For CVE-2022-38023 it is KB5021130, referenced here:

This is an evolving issue. We will update this article when new information turns up.

Advisory

Giving advice is rather complex and depends on your current situation. We documented some approaches based on two conditions: patch status and configuration status of „Kerberos encryption types“.

Situation 1

The following conditions apply:

    • Patched: No
    • Kerberos encryption types configured: No

In this case you should, to our current understanding, be able to roll out the patches without encountering the issues.

Testing in a test environment is highly recommended.

Situation 2

The following conditions apply:

    • Patched: No
    • Kerberos encryption types configured: Yes

You have two options:

    • Do not patch and wait for a fix from Microsoft (MS is aware of the situation)
    • Configure the Kerberos encryption types to include RC4 on computer accounts and remove the value from the msDS-SupportedEncryptionTypes attribute on user accounts. Patch afterwards.

Both options have risks associated. If you do not patch you are vulnerable to the attacks described in the CVEs above.

If you do the reconfiguration you still might face issues we are not aware of yet.

In the end the decision is up to you, but we tend to postpone patching.

Situation 3

The following conditions apply:

    • Patched: Yes
    • Kerberos encryption types configured: Yes

Again, two options:

    1. You can either uninstall the patches, or
    2. Execute the following steps based on our current research:
      1. Remove the value from the msDS-SupportedEncryptionTypes attribute on user accounts
      2. Configure the group policy „Network security: Configure encryption types allowed for Kerberos“ to include RC4 (or the equivalent configuration in your system hardening tool)
      3. Assign this group policy to all computer accounts including the domain controller objects, or deploy these settings via your system hardening tool
      4. Force a „gpupdate“ or wait at least 90 minutes for the next group policy refresh.
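The four steps above, carried out as one script with a dry-run mode, as an added example that is not part of the original advisory. It assumes the ActiveDirectory module, a `$SearchBase` placeholder, and that the policy registry path is the one the security option „Network security: Configure encryption types allowed for Kerberos“ writes to; writing that value locally is only the equivalent for a lab machine or a hardening tool that manages the registry directly, since a domain GPO overwrites it on the next refresh. The function name `Invoke-KerberosEtypeWorkaround` is our own.

```powershell
# Added example (not from the original advisory): apply the Situation 3 steps 1 to 4.
# Always run with -WhatIf first. Assumes the ActiveDirectory module; $SearchBase is a placeholder.
Import-Module ActiveDirectory

function Invoke-KerberosEtypeWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        # RC4 (0x4) + AES128 (0x8) + AES256 (0x10) = 0x1C: "include RC4" without dropping AES.
        [int]$ComputerEtypes = 0x1C
    )

    # Step 1: clear the attribute on user accounts that carry an explicit value.
    # Get-ADUser restricts the search to user objects, so gMSAs and computers are untouched.
    $users = Get-ADUser -SearchBase $SearchBase -LDAPFilter '(msDS-SupportedEncryptionTypes=*)' `
                        -Properties msDS-SupportedEncryptionTypes
    foreach ($u in $users) {
        $old = '0x{0:X}' -f [int]$u.'msDS-SupportedEncryptionTypes'
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Clear msDS-SupportedEncryptionTypes (was $old)")) {
            Set-ADUser -Identity $u -Clear 'msDS-SupportedEncryptionTypes'
        }
    }

    # Steps 2 and 3: the group policy setting lands in this policy key (assumed path; verify on
    # your build). Set it here for a lab host or via your hardening tool; in production put the
    # same value into a GPO linked to all computers including the Domain Controllers OU.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $hex = '0x{0:X}' -f $ComputerEtypes
    if ($PSCmdlet.ShouldProcess($key, "Set SupportedEncryptionTypes = $hex")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name SupportedEncryptionTypes -Value $ComputerEtypes -Type DWord
    }

    # Step 4: force a policy refresh instead of waiting for the 90-minute cycle.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'gpupdate /force')) {
        gpupdate.exe /force | Out-Null
    }
}

# Dry run first (prints what would change, touches nothing), then the real run.
Invoke-KerberosEtypeWorkaround -SearchBase 'DC=corp,DC=example' -WhatIf
# Invoke-KerberosEtypeWorkaround -SearchBase 'DC=corp,DC=example'
```

Keep the list of distinguished names from the dry run; it is also the list of accounts you can verify afterwards with the 4771 check further below.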

For uninstalling the already installed patch you can use graphical or command line tools. We prefer the command line as we just need to copy & paste, avoid mistakes and are lazy 😉

For uninstalling the security patch you can for example use the following command from an elevated prompt:

.\wusa.exe /uninstall /KB:XXXXXX /quiet /norestart

The KB parameter holds the relevant KB number, which is specific per operating system. For example, for Windows Server 2019 it is KB5019966 and for Windows Server 2022 it is KB5019081. Because of /norestart the removal only completes after a reboot, so plan one.

Intermediate solution or „official workaround“

There seems to be a solution out there. We are at this point in time not sure about the impact, but it is worth sharing:

Link to a Microsoft forum and Reddit thread:

Seemingly adding a registry value on the domain controllers (the kdc service key only exists there) could solve the problem:

reg add "HKLM\SYSTEM\CurrentControlSet\services\kdc" /v ApplyDefaultDomainPolicy /t REG_DWORD /d 0 /f

We can confirm it is working in our test lab. Please test accordingly. A simple check is to get the latest events with ID „4771“ from the Security event log and correlate them by time stamp with the moment you applied the change:

Get-EventLog -LogName Security -InstanceId 4771 -Newest 10

(Get-EventLog only exists in Windows PowerShell 5.1; on PowerShell 7 use Get-WinEvent instead.)

After applying the „fix“ via the registry value no more events are generated.
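A more useful before/after comparison than the newest ten events is to pull the 4771 events since a given time, read the named fields from the event XML rather than the message text, and group by account and failure code. The following is an added example and not code from the original post; it assumes it runs on a domain controller (or against one via `-ComputerName`), uses the field names of the 4771 event schema, and maps the failure codes to the KRB-ERROR names from RFC 4120. The symptom „encryption type not supported by the KDC“ corresponds to code 0xe (KDC_ERR_ETYPE_NOTSUPP); the function name `Get-KerberosPreauthFailures` is our own.

```powershell
# Added example (not from the original advisory): summarise recent 4771 events on a DC
# by account and failure code, so the run before and after the reg key can be compared.
function Get-KerberosPreauthFailures {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-1),
        [int]$MaxEvents = 500
    )
    # KRB-ERROR codes as they appear in the Status field (RFC 4120 section 7.5.9).
    $reason = @{
        '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN'
        '0xe'  = 'KDC_ERR_ETYPE_NOTSUPP (encryption type not supported by the KDC)'
        '0x12' = 'KDC_ERR_CLIENT_REVOKED'
        '0x17' = 'KDC_ERR_KEY_EXPIRED'
        '0x18' = 'KDC_ERR_PREAUTH_FAILED'
        '0x19' = 'KDC_ERR_PREAUTH_REQUIRED'
        '0x25' = 'KRB_AP_ERR_SKEW'
    }
    $filter = @{ LogName = 'Security'; Id = 4771; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData carries named fields; the message text is locale dependent.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $code = "$($d['Status'])".ToLower()
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = $d['TargetUserName']
                ClientIP    = $d['IpAddress']
                PreAuthType = $d['PreAuthType']
                Status      = $code
                Reason      = if ($reason.ContainsKey($code)) { $reason[$code] } else { 'other' }
            }
        }
}

# Run once before and once after applying the registry value (adjust -Since to that moment).
# A burst of 0xe entries for the affected accounts should stop appearing afterwards.
Get-KerberosPreauthFailures -Since (Get-Date).AddMinutes(-30) |
    Group-Object Account, Status | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Pass `-Since` set to the time stamp of the `reg add` so the two runs split cleanly; any remaining 0x18 entries are ordinary wrong-password failures and unrelated to this issue.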

The official workaround was announced on Twitter:

See here: https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d

Screenshot below:

As of now the relevant KB article does not seem to reflect the changes worldwide – we are waiting for it…

Final solution

Microsoft released an Out-of-band (OOB) security update. More details here:

https://learn.microsoft.com/en-us/windows/release-health/windows-message-center?s=09#2961

For the different operating system versions, check the fix for Domain Controllers here:

Cumulative updates:

References

Out of band security update

November Patch Tuesday problems – check Domain Controller prior to patching with November updates

Intermediate solution

Interesting Twitter discussion with some backgrounds

Find all possible affected AD objects from the CVE-2022-37966 bug
