The January patching window for your firm has probably come and gone. Has it? While January included a huge release of patches, several releases in other months have caused more than one headache for the patch management community. These are the patches and updates you need to evaluate if you haven't already done so.

In January, additional information came out about CVE-2022-41099, the BitLocker Security Feature Bypass Vulnerability. If you've already deployed the November or later security updates to your network and have done nothing else, you aren't done evaluating this update. For this attack to succeed, the attacker needs physical access to the computer, so the risk is much lower for devices that are physically secured, locked, or stored securely. If you have disabled the Windows Recovery Environment (WinRE) partition because you have alternative means to recover and reimage your devices, you are also not at risk. If you are somewhere in the middle, you'll need to determine whether you need to take action: installing the Windows security update is not enough on its own, and you must also apply the applicable update to your WinRE image. Rather than disabling the recovery partition, you could use a GitHub script to update the WinRE for this vulnerability and ensure it is patched appropriately. Additional discussions describe the potential for other attack sequences, but at this point they lead back to theoretical rather than proven attacks, and to the long-standing Immutable Law of Security #3: if a bad actor has unrestricted physical access to your computer, it's not your computer anymore.

Many administrators are still evaluating the impact of the November Kerberos hardening updates. Any patch installed on your domain controllers that includes the November or later updates will potentially impact your domain. First, determine whether these updates will impact your domain.
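Returning to the WinRE issue above: the question an administrator has to answer per device is whether the recovery image itself has been serviced, not just the running OS. The following PowerShell is an added example written for this article, not the Microsoft or GitHub script the text refers to. It assumes an elevated session on the endpoint, the `reagentc.exe` output format (`Windows RE status: Enabled`), the DISM PowerShell module (`Get-WindowsPackage`), and a scratch mount directory (`C:\WinReMount`, an assumed path) that it creates and cleans up. It mounts the WinRE image read-only for inspection and discards the mount afterwards; it does not modify the image.

```powershell
# Added example (not from the article): report whether this machine's WinRE image
# still needs the CVE-2022-41099 servicing. Run from an elevated PowerShell session.
# Assumptions: reagentc.exe output format, the DISM module, a free mount directory.

function Get-WinReStatus {
    # reagentc /info prints "Windows RE status: Enabled" or "Disabled"
    $info = reagentc /info 2>&1 | Out-String
    if ($info -match 'Windows RE status:\s+(\w+)') { return $Matches[1] }
    return 'Unknown'
}

function Get-WinRePackages {
    param([string]$MountPath = 'C:\WinReMount')   # assumed scratch directory
    New-Item -ItemType Directory -Path $MountPath -Force | Out-Null
    reagentc /mountre /path $MountPath | Out-Null
    try {
        # Cumulative update packages carry the build in their name
        # (e.g. Package_for_RollupFix~...~~<build>.<revision>); compare that
        # against the LCU you deployed to the running OS.
        Get-WindowsPackage -Path $MountPath |
            Where-Object { $_.PackageName -like 'Package_for_RollupFix*' -or
                           $_.PackageName -like 'Package_for_KB*' } |
            Select-Object PackageName, PackageState
    }
    finally {
        # Always unmount; /discard guarantees nothing is written back.
        reagentc /unmountre /path $MountPath /discard | Out-Null
    }
}

$status = Get-WinReStatus
Write-Host "WinRE status: $status"
switch ($status) {
    'Disabled' { Write-Host 'WinRE is disabled: not exposed via the recovery partition.' }
    'Enabled'  {
        Write-Host 'WinRE is enabled: confirm the image contains the November 2022 or later LCU.'
        Get-WinRePackages | Format-Table -AutoSize
    }
    default    { Write-Host 'Could not determine WinRE status; inspect "reagentc /info" manually.' }
}
```

Run it on a representative device from each image baseline rather than every endpoint; if the rollup build inside the WinRE image is older than the LCU installed on the OS, the device falls into the "somewhere in the middle" group the article describes and the WinRE image still needs to be serviced.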
A PowerShell script is available to detect potential authentication issues that may occur in an Active Directory domain after installing these updates. As noted, "Run the script in PowerShell with domain administrator privileges from a machine with AD RSAT tools installed, such as on a domain controller. The script will output any detected compatibility issues found in the domain related to changes made for CVE-2022-37966." As noted in a Microsoft blog, the November updates caused issues with authentication, and Microsoft released an out-of-band update to fix the issue. Many patching administrators skipped over both the November and December updates, waiting for issues to shake out.

Next, if you can't remember the last time your organization changed the password of the Kerberos (krbtgt) account, you are long overdue to run the script that does so. It's recommended to change the krbtgt password twice, waiting 24 hours between the first and second change. This is also the recommended process if you have a compromised Active Directory. It's also recommended to reset all administrator and service account passwords twice.

These Kerberos updates are only in audit mode now and will be enforced later. If you are not seeing any audit events in your event logs, you should be able to implement the hardening mode in advance by setting the KrbtgtFullPacSignature registry setting, or you can wait for the enforcement phases. As Microsoft notes, in July 2023 the default setting will be enforced. Look for events now, before the new settings are enforced. While not enforced at this time, the impact on legacy systems should be investigated; you may need to have your team open support cases to discuss the impact and options with Microsoft. After this patch is enforced, all legacy operating systems will fail to authenticate via Kerberos. The impact of these two patching-related issues is not immediate.
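The three checks the paragraphs above ask for (which PAC-signature mode the domain controllers are in, whether audit events are appearing, and how old the krbtgt password is) can be gathered in one pass. The following PowerShell is an added example for this article; it is not Microsoft's compatibility-check script or its krbtgt reset script. It assumes it runs on a domain controller with the RSAT ActiveDirectory module, that `KrbtgtFullPacSignature` lives under `HKLM:\SYSTEM\CurrentControlSet\Services\Kdc`, and that the audit events are IDs 42, 43 and 44 from the `Microsoft-Windows-Kerberos-Key-Distribution-Center` provider in the System log, as documented in Microsoft's CVE-2022-37966 guidance (verify the IDs and value meanings against that guidance for your build). It only reads; it changes no registry value and resets no password.

```powershell
# Added example (not from the article): read-only CVE-2022-37966 readiness report
# for one domain controller. Assumptions: RSAT ActiveDirectory module; registry
# value and event IDs per Microsoft's guidance (confirm for your build).

Import-Module ActiveDirectory

function Get-PacSignatureMode {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $v = (Get-ItemProperty -Path $key -Name KrbtgtFullPacSignature `
            -ErrorAction SilentlyContinue).KrbtgtFullPacSignature
    switch ($v) {
        0       { 'Disabled (0): new signatures not added' }
        1       { 'Default (1): signatures added but not verified' }
        2       { 'Audit (2): signatures verified, failures only logged' }
        3       { 'Enforced (3): tickets without a valid signature are rejected' }
        default { 'Not set: the platform default for this update level applies' }
    }
}

function Get-PacAuditEvents {
    param([int]$Days = 7)
    # 42: account lacks strong (AES) keys; 43/44: ticket with missing or
    # unverifiable full PAC signature. Assumed IDs, see lead-in.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 42, 43, 44
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

function Get-KrbtgtPasswordAgeDays {
    $k = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    [int]((Get-Date) - $k.PasswordLastSet).TotalDays
}

"DC                  : $env:COMPUTERNAME"
"PAC signature mode  : $(Get-PacSignatureMode)"
"krbtgt password age : $(Get-KrbtgtPasswordAgeDays) days"
$events = Get-PacAuditEvents
if ($events) {
    'KDC audit events in the last 7 days:'
    $events | Format-Table -AutoSize
} else {
    'No KDC audit events (IDs 42-44) in the last 7 days.'
}
```

Run it on every domain controller, not just one, because each DC logs only the tickets it handled. A krbtgt age measured in years is the signal the article describes for scheduling the two-step reset; a run with no audit events across all DCs is the precondition the article gives for moving to the hardened setting ahead of the July 2023 enforcement, while any event 42 hits point at specific accounts whose passwords must be changed so they get AES keys.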
Don't wait too long, and don't expect Microsoft to roll back the impact of these two patches. Both are certain to create more work for your BitLocker and AD teams.
This Cyber News was published on www.csoonline.com. Publication date: Wed, 01 Feb 2023 10:11:02 +0000