CISA Asks Public Organizations and Governments to Patch LSA Windows Bug

Magelang1337


CISA has once again added an impactful Windows security bug to its list of vulnerabilities exploited in the wild, after removing it from that list in May because Microsoft's May 2022 update caused an Azure Active Directory certificate authentication issue.

This vulnerability in the Windows Local Security Authority (LSA), tracked as CVE-2022-26925, is actively exploited and has been confirmed as a new attack vector for PetitPotam Windows NTLM relay attacks.

Unauthenticated attackers can exploit this bug to force domain controllers to authenticate to them remotely via the Windows NT LAN Manager (NTLM) security protocol and, potentially, take over the entire Windows domain.

PetitPotam was discovered by security researcher Gilles Lionel in July 2021, and Microsoft has been trying to block the new variations that have been unearthed ever since.

But at this point, despite Microsoft's efforts, the official mitigations and the security updates issued since then still have not completely blocked all PetitPotam vectors.

To put the severity in perspective, cybercriminals have already exploited this bug in the wild. Among them, the LockFile ransomware affiliate has compromised Windows domains using PetitPotam NTLM relay attacks to spread malicious payloads.

As CISA warned when it removed CVE-2022-26925 from its Known Exploited Vulnerabilities Catalog, the May 2022 Patch Tuesday security update that patches this bug also triggers service authentication issues when applied to Windows Server domain controllers.

Yesterday, CISA released a new directive to address CVE-2022-26925, which must be followed to prevent attacks. It also asked Federal Civilian Executive Branch (FCEB) agencies to apply the Windows update released on June 14 before July 22, 2022.

Although the directive is aimed at federal agencies, CISA also called on all organizations, both private and government, to prioritize the updates to prevent exploitation of this vulnerability.