KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967

Summary

The November 8, 2022 Windows updates address security bypass and elevation of privilege vulnerabilities involving Privilege Attribute Certificate (PAC) signatures. This security update addresses Kerberos vulnerabilities in which an attacker could alter the PAC to raise their privileges.

To help secure your environment, install this Windows update on all devices, including Windows domain controllers. All domain controllers in your domain must be updated before you switch to Enforced mode.

Take Action

To help protect your environment and prevent outages, we recommend that you do the following steps:

  1. UPDATE your Windows domain controllers with a Windows update released on or after November 8, 2022.
  2. MOVE your Windows domain controllers to Audit mode by using the Registry Key setting section.
  3. MONITOR events filed during Audit mode to secure your environment.
  4. ENABLE Enforcement mode to address CVE-2022-37967 in your environment.

Note Step 1 of installing updates released on or after November 8, 2022 will NOT address the security issues in CVE-2022-37967 for Windows devices by default. To fully mitigate the security issue for all devices, you must move to Audit mode (described in Step 2) followed by Enforced mode (described in Step 4) as soon as possible on all Windows domain controllers.

Important Starting July 2023, Enforcement mode will be enabled on all Windows domain controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable the update, but you may move back to the Audit mode setting. Audit mode will be removed in October 2023, as outlined in the Timing of updates to address CVE-2022-37967 section.

Timing of updates to address CVE-2022-37967

Updates are released in phases: an initial deployment phase (updates released on or after November 8, 2022), a second phase (December 13, 2022), a third phase (June 13, 2023), an initial Enforcement phase (July 11, 2023), and full Enforcement (October 10, 2023).

November 8, 2022 – Initial deployment phase

The initial deployment phase starts with the updates released on November 8, 2022 and continues with later Windows updates until the Enforcement phase. This update adds signatures to the Kerberos PAC buffer but does not check those signatures during authentication. Thus, signature validation is disabled by default.

This update:

  • Adds PAC signatures to the Kerberos PAC buffer.
  • Adds measures to address security bypass vulnerability in the Kerberos protocol.

December 13, 2022 – Second deployment phase

The second deployment phase starts with updates released on December 13, 2022. These and later updates make changes to the Kerberos protocol to audit Windows devices by moving Windows domain controllers to Audit mode.

With this update, all updated domain controllers are in Audit mode by default. Authentication is still allowed in both of the following cases, but an audit event is logged:

  • If the signature is missing, the KDC raises an event and allows the authentication.
  • If the signature is present, the KDC validates it. If the signature is incorrect, the KDC raises an event and allows the authentication.

June 13, 2023 – Third deployment phase

The Windows updates released on or after June 13, 2023 do the following:

  • Remove the ability to disable PAC signature addition by setting the KrbtgtFullPacSignature value to 0.

July 11, 2023 – Initial Enforcement phase

The Windows updates released on or after July 11, 2023 enable Enforcement mode on all Windows domain controllers, as described in the Important note in the Summary. The update can no longer be disabled, but you can still move back to Audit mode.

October 10, 2023 – Full Enforcement phase

The Windows updates released on or after October 10, 2023 remove Audit mode, and the KrbtgtFullPacSignature registry value is no longer read. Service tickets with a missing or invalid PAC signature are denied.

Deployment guidelines

To deploy the Windows updates that are dated November 8, 2022 or later Windows updates, follow these steps:

  1. UPDATE your Windows domain controllers with an update released on or after November 8, 2022.
  2. MOVE your domain controllers to Audit mode by using the Registry Key setting section.
  3. MONITOR events filed during Audit mode to help secure your environment.
  4. ENABLE Enforcement mode to address CVE-2022-37967 in your environment.

STEP 1: UPDATE 

Deploy the November 8, 2022 or later updates to all applicable Windows domain controllers (DCs). After the update, the domain controllers add signatures to the Kerberos PAC buffer but remain insecure by default, because the PAC signature is not yet validated.

  • While updating, make sure to keep the KrbtgtFullPacSignature registry value in the default state until all Windows domain controllers are updated.

STEP 2: MOVE 

Once all Windows domain controllers are updated, switch to Audit mode by changing the KrbtgtFullPacSignature value to 2.

STEP 3: FIND/MONITOR 

Identify the tickets that are either missing PAC signatures or carry PAC signatures that fail validation, using the events logged during Audit mode.

  • Make sure that the domain functional level is at least Windows Server 2008 before moving to Enforcement mode. Moving to Enforcement mode with domains at the 2003 domain functional level may result in authentication failures.
  • Audit events will appear if your domain is not fully updated, or if outstanding previously-issued service tickets still exist in your domain.
  • Continue to monitor for additional event logs filed that indicate either missing PAC signatures or validation failures of existing PAC signatures.
  • After the entire domain is updated and all outstanding tickets have expired, the audit events should no longer appear. Then, you should be able to move to Enforcement mode with no failures.

STEP 4: ENABLE 

Enable Enforcement mode to address CVE-2022-37967 in your environment.

  • Once all audit events have been resolved and no longer appear, move your domains to Enforcement mode by updating the KrbtgtFullPacSignature registry value as described in Registry Key settings section.
  • If a service ticket has invalid PAC signature or is missing PAC signatures, validation will fail and an error event will be logged.

Registry Key settings

Kerberos protocol

After installing the Windows updates that are dated on or after November 8, 2022, the following registry key is available for the Kerberos protocol:

KrbtgtFullPacSignature

This registry key is used to gate the deployment of the Kerberos changes. This registry key is temporary, and will no longer be read after the full Enforcement date of October 10, 2023. 

  • Registry key: HKEY_LOCAL_MACHINE\System\currentcontrolset\services\kdc
  • Value: KrbtgtFullPacSignature
  • Data type: REG_DWORD
  • Data:
      0 – Disabled
      1 – New signatures are added, but not verified. (Default setting)
      2 – Audit mode. New signatures are added, and verified if present. If the signature is either missing or invalid, authentication is allowed and audit logs are created.
      3 – Enforcement mode. New signatures are added, and verified if present. If the signature is either missing or invalid, authentication is denied and audit logs are created.
  • Restart required? No
  • Note The update does not create this value. If you need to change KrbtgtFullPacSignature from its default, manually add the value under the key above and then set it.
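The following PowerShell script is an added example, not code from Microsoft's KB or from this blog. It carries out Steps 2 and 4 of the Deployment guidelines above using the registry value just described: it reads the current KrbtgtFullPacSignature value from every domain controller, refuses to move to Enforcement mode when the domain functional level is still 2000/2003 or when any DC is not yet in Audit mode, and then creates or overwrites the DWORD on all DCs. It assumes the ActiveDirectory module and WinRM access to each DC; the function names are my own.

```powershell
# Added example (not from KB5020805 or the blog author): stage the
# KrbtgtFullPacSignature value across all DCs with the preflight checks the
# article asks for. Assumes the ActiveDirectory module and WinRM access.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$RegName = 'KrbtgtFullPacSignature'

# Meaning of each value, from the Registry Key settings table above.
$PacModes = [ordered]@{ Disabled = 0; AddOnly = 1; Audit = 2; Enforce = 3 }

function Get-PacSignatureMode {
    # Current value on each DC. The update does not create the value, so an
    # absent value means the default behaviour (1: add but do not verify).
    param([string[]]$DomainController = (Get-ADDomainController -Filter *).HostName)
    Invoke-Command -ComputerName $DomainController -ArgumentList $RegPath, $RegName -ScriptBlock {
        param($Path, $Name)
        $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC    = $env:COMPUTERNAME
            Value = if ($null -eq $prop) { $null } else { [int]$prop.$Name }
        }
    } | Select-Object DC, Value
}

function Set-PacSignatureMode {
    param(
        [Parameter(Mandatory)][ValidateSet('Audit', 'Enforce')][string]$Mode,
        [switch]$SkipFunctionalLevelCheck
    )
    $target  = $PacModes[$Mode]
    $dcs     = (Get-ADDomainController -Filter *).HostName
    $current = Get-PacSignatureMode -DomainController $dcs

    if ($Mode -eq 'Enforce') {
        # Step 3: Enforcement at the 2003 (or older) functional level can break authentication.
        $dfl = (Get-ADDomain).DomainMode.ToString()
        if (-not $SkipFunctionalLevelCheck -and $dfl -match '^Windows200[03]') {
            throw "Domain functional level is $dfl; raise it to Windows Server 2008 or later first."
        }
        # Step 4: only go to Enforcement once every DC is already in Audit (or Enforcement).
        $notReady = $current | Where-Object { $_.Value -notin @($PacModes.Audit, $PacModes.Enforce) }
        if ($notReady) {
            $list = ($notReady | ForEach-Object { "$($_.DC)=$($_.Value)" }) -join ', '
            throw "Not all DCs are in Audit mode yet: $list"
        }
    }

    # Create-or-overwrite the DWORD on every DC; the KDC reads it without a restart.
    Invoke-Command -ComputerName $dcs -ArgumentList $RegPath, $RegName, $target -ScriptBlock {
        param($Path, $Name, $Value)
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
        "$env:COMPUTERNAME -> $Name=$Value"
    }
}

# Typical rollout from an admin workstation:
#   Set-PacSignatureMode -Mode Audit      # Step 2
#   ... review the KDC audit events ...   # Step 3
#   Set-PacSignatureMode -Mode Enforce    # Step 4
```

Run Get-PacSignatureMode on its own first to confirm every DC is reachable and reports the value you expect; a DC that is unreachable over WinRM is silently absent from the result, which is exactly the DC you do not want to leave behind in the default mode.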

Windows events related to CVE-2022-37967

In Audit mode, the following events are logged as warnings when PAC signatures are missing or invalid. If the same conditions persist in Enforcement mode, the events are logged as errors and the authentication is denied.

If you find either event on your device, it is likely that not all Windows domain controllers in your domain are up to date with a November 8, 2022 or later Windows update. To mitigate the issue, investigate your domain further to find the Windows domain controllers that are not up to date.

Note If you find an error with Event ID 42, please see KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966.

Full PAC Signature Failed

  • Event Log: System
  • Event Type: Warning
  • Event Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
  • Event ID: 43
  • Event Text: The Key Distribution Center (KDC) encountered a ticket that it could not validate the full PAC Signature. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more. Client : <realm>/<Name>

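The following PowerShell is an added example, not code from the KB or this blog, for Step 3 (FIND/MONITOR): it pulls the KDC audit events from every domain controller, extracts the "Client : <realm>/<Name>" field from the event text, tallies them per DC, kind and client, and reports whether the domain has been quiet for longer than a service ticket lifetime. Event ID 43 is the event documented above; Event ID 44 is the "Full PAC Signature Missing" event from Microsoft's KB5020805, whose details this page does not reproduce. The 10-hour quiet window is my assumption based on the default maximum service ticket lifetime; adjust it to your Kerberos policy. It assumes remote event-log access to the DCs.

```powershell
# Added example (not from KB5020805 or the blog author): triage Audit-mode
# PAC signature events across all DCs. Assumes the ActiveDirectory module and
# remote Event Log access. ID 43 = invalid full PAC signature (documented on
# this page); ID 44 = missing full PAC signature (from Microsoft's KB).
function Get-PacSignatureAuditEvent {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName,
        [int]$Hours = 24
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 43, 44
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    foreach ($dc in $DomainController) {
        # Get-WinEvent emits a non-terminating "no events found" error when the
        # log is clean; that is the good case, so suppress it.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # The event text ends with "Client : <realm>/<Name>"; keep that principal for triage.
            $client = if ($e.Message -match 'Client\s*:\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
            [pscustomobject]@{
                DC      = $dc
                Time    = $e.TimeCreated
                EventId = $e.Id
                Kind    = if ($e.Id -eq 43) { 'InvalidSignature' } else { 'MissingSignature' }
                Level   = $e.LevelDisplayName   # Warning in Audit mode, Error in Enforcement mode
                Client  = $client
            }
        }
    }
}

function Test-ReadyForEnforcement {
    # Ready once no audit events have appeared for longer than the longest
    # service ticket lifetime, so previously issued unsigned tickets have expired.
    # 10 hours is the default "Maximum lifetime for service ticket" (assumption).
    param([int]$QuietHours = 10)
    $recent = @(Get-PacSignatureAuditEvent -Hours $QuietHours)
    if ($recent.Count -eq 0) { return $true }

    # Show where the noise comes from: a single DC with many MissingSignature
    # events usually means that DC is not updated yet.
    $summary = $recent | Group-Object DC, Kind, Client | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize | Out-String
    Write-Warning "PAC signature audit events in the last $QuietHours hours:`n$summary"
    return $false
}

# Usage:
#   Get-PacSignatureAuditEvent -Hours 72 | Group-Object DC, Kind | Select-Object Count, Name
#   if (Test-ReadyForEnforcement) { 'Safe to set KrbtgtFullPacSignature = 3' }
```

If the tally shows events only on one DC, compare that DC's patch level with the rest before touching the registry value; if the events are spread across DCs but concentrated on a few clients, those clients are the third-party Kerberos implementations the next section warns about.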
Full PAC Signature Missing

Third-party devices implementing Kerberos protocol

Domains that have third-party domain controllers might see errors in Enforcement mode.

Domains with third-party clients might take longer to fully be cleared of audit events following the installation of a November 8, 2022 or later Windows update.

Contact the device manufacturer (OEM) or software vendor to determine if their software is compatible with the latest protocol change.

For information about protocol updates, see the Windows Protocol topic on the Microsoft website.


Vipan Kumar

He is an Active Directory Consultant who has been working in the IT industry for more than 10 years.
