
Microsoft Windows NTLM (Zero Day Vulnerability CVE-2022-26925) with Identity Manager Connector Servers


Article ID: 243830


Updated On:

Products

CA Identity Suite

Issue/Introduction

On May 10, 2022, Microsoft disclosed a zero-day vulnerability in the Windows Local Security Authority (LSA), tracked as CVE-2022-26925, that was already being exploited. An unauthenticated attacker can coerce a domain controller into authenticating to an attacker-controlled host over NTLM; by relaying that authentication to another service (for example, Active Directory Certificate Services), the attacker can act as the domain controller. Exploitation is rated high complexity because it chains a man-in-the-middle position with an NT LAN Manager (NTLM) relay attack.

https://cve.report/CVE-2022-26925

 

Environment

Release : 14.3

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Resolution

Our team reviewed the CVE report and Microsoft's guidance on this issue, specifically:

https://msrc.microsoft.com/update-guide/vulnerability/ADV210003

https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429

and:

https://msrc-blog.microsoft.com/2009/12/08/extended-protection-for-authentication/


Per these documents, this is a vulnerability in Windows itself. The mitigations (installing the Microsoft updates, enabling Extended Protection for Authentication on the AD CS web roles, and restricting incoming NTLM) are applied on the Windows servers and Windows clients. We do not see any action that needs to be, or could be, performed in CA Identity Suite or on the Identity Manager connector servers to prevent this exploitation.
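Because the mitigations live on the Windows side, the useful check for an administrator is whether the AD CS host that the connector servers' domain relies on actually has them in place. The following PowerShell audit script is an added example for this article; it is not part of CA Identity Suite and is not Microsoft's own tooling. It assumes the AD CS Web Enrollment (/CertSrv) and Certificate Enrollment Web Service applications sit under the IIS "Default Web Site" with the default "<CA>_CES_<auth>" naming, and that the script is run elevated on the AD CS server. It reports the KB5005413 settings (EPA token checking set to Require, SSL required, incoming NTLM restricted) and, with -Fix, enforces the IIS settings on any non-compliant application.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the KB article or from CA Identity Suite): audit the
# KB5005413 mitigations on an AD CS server. Assumptions: AD CS web applications
# are under "Default Web Site" and CES applications use the default "_CES_" naming.
param([switch]$Fix)

Import-Module WebAdministration

$authFilter   = 'system.webServer/security/authentication/windowsAuthentication'
$accessFilter = 'system.webServer/security/access'
$siteName     = 'Default Web Site'   # assumption: AD CS web roles live on the default site

function Get-EpaStatus {
    param([string]$AppPath)
    $pp    = "IIS:\Sites\$siteName$AppPath"
    $token = (Get-WebConfigurationProperty -Filter $authFilter   -PSPath $pp -Name 'extendedProtection.tokenChecking').ToString()
    $ssl   = (Get-WebConfigurationProperty -Filter $accessFilter -PSPath $pp -Name 'sslFlags').ToString()
    [pscustomobject]@{
        Application   = $AppPath
        TokenChecking = $token                      # KB5005413 asks for 'Require'
        SslFlags      = $ssl                        # must include 'Ssl'; EPA channel binding needs TLS
        Compliant     = ($token -eq 'Require') -and ($ssl -match 'Ssl')
    }
}

function Set-EpaRequired {
    param([string]$AppPath)
    $pp = "IIS:\Sites\$siteName$AppPath"
    Set-WebConfigurationProperty -Filter $authFilter   -PSPath $pp -Name 'extendedProtection.tokenChecking' -Value 'Require'
    Set-WebConfigurationProperty -Filter $authFilter   -PSPath $pp -Name 'extendedProtection.flags'         -Value 'None'
    Set-WebConfigurationProperty -Filter $accessFilter -PSPath $pp -Name 'sslFlags'                          -Value 'Ssl'
}

# Enumerate the AD CS web applications: /CertSrv plus any CES application.
$adcsApps = Get-WebApplication -Site $siteName |
    Where-Object { $_.Path -eq '/CertSrv' -or $_.Path -like '*_CES_*' } |
    Select-Object -ExpandProperty Path

if (-not $adcsApps) {
    Write-Warning "No AD CS web applications found under '$siteName'; nothing to audit."
}

$report = foreach ($app in $adcsApps) { Get-EpaStatus -AppPath $app }
$report | Format-Table -AutoSize

# Second KB5005413 recommendation: refuse incoming NTLM on the AD CS host.
# RestrictReceivingNTLMTraffic: 0 = allow all, 1 = deny for domain accounts, 2 = deny all.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlm   = Get-ItemProperty -Path $lsaKey -Name 'RestrictReceivingNTLMTraffic' -ErrorAction SilentlyContinue
$ntlmValue = if ($null -ne $ntlm) { $ntlm.RestrictReceivingNTLMTraffic } else { 0 }
if ($ntlmValue -eq 2) {
    'Incoming NTLM on this host: denied (good)'
} else {
    "Incoming NTLM on this host: allowed (RestrictReceivingNTLMTraffic = $ntlmValue); NTLM relay to AD CS remains possible"
}

# Remediation: enforce EPA + SSL on every non-compliant AD CS application.
if ($Fix) {
    foreach ($r in ($report | Where-Object { -not $_.Compliant })) {
        Set-EpaRequired -AppPath $r.Application
        "Enabled EPA (Require) and SSL on $($r.Application)"
    }
    'Run "iisreset" for the IIS changes to take effect.'
}
```

Run it once without -Fix to see the current state, then with -Fix to enforce the IIS settings. The script deliberately does not change the NTLM policy: denying all incoming NTLM on the CA breaks any client that can only authenticate with NTLM, so that setting should be rolled out through Group Policy after confirming Kerberos works for every enrolling host. Nothing here touches the Identity Manager connector servers, which is consistent with the finding above that no change in the CA product is required.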

CISA temporarily removed CVE-2022-26925 from its Known Exploited Vulnerabilities catalog because the May 10, 2022 update could cause authentication failures when installed on domain controllers. The advisory below directs you to apply the Microsoft updates to client machines and to Windows servers that are not domain controllers:

https://www.cisa.gov/uscert/ncas/current-activity/2022/05/13/cisa-temporarily-removes-cve-2022-26925-known-exploited