Guidance on Applying June Microsoft Patch Tuesday Update for CVE-2022-26925
BACKGROUND
Per CISA’s Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must apply Microsoft’s June 2022 Patch Tuesday update by July 22, 2022. This update also includes remediations for CVE-2022-26923 and CVE-2022-26931, which changed the way certificates are mapped to accounts in Active Directory. These changes break certificate authentication for many federal agencies, due to the way Personal Identity Verification (PIV)/Common Access Card (CAC) certificates are created and used. Active Directory now looks for the account’s security identifier (SID) in the certificate or for a strong mapping between the certificate and account. This guidance provides information on how the required patches can be applied without breaking certificate authentication. For more information on the different types of certificate mappings, read the KB5014754 post.
GUIDANCE
In most agencies, certificate management workflows are separate from IT account management workflows. This means:
- an individual’s Active Directory SID is not added to their PIV/CAC certificates when the certificates are created.
- strong certificate mappings that require information about a specific certificate (e.g., serial number, SHA1 Public Key) do not exist and may require substantial investment to maintain throughout the certificate lifecycle (e.g., a lost PIV requires new certificates to be issued and the Active Directory certificate mapping to be updated).
- PIV/CAC certificates are usually created before any IT accounts are created.
By default, the June 2022 update applies ‘Compatibility Mode’. This mode permits authentication when the SID and strong mapping checks fail, except in cases where the certificate predates the account. As the respective issuance authority for PIV/CAC certificates and AD accounts are functionally separate and independent, PIV/CAC certificates can and often do predate associated AD accounts.
As a result of PIV/CAC certificates not including the SID, users not having a strong certificate mapping, and the certificate predating the account, most authentication attempts will fail when the June 2022 update is installed.
What federal agencies must do:
Per BOD 22-01 and CISA’s Catalog of Known Exploited Vulnerabilities, by July 22, 2022, agencies must address this issue by performing the following actions:
- Apply June 2022 updates to all Windows endpoints. Agencies must install the June 14, 2022, Windows update addressing CVE-2022-26925.
- WARNING: When applied to Microsoft Windows Servers with the domain controller role, this update will break PIV/CAC authentication; the steps below must be followed to prevent service outages.
On Windows servers handling authentication (Domain Controllers), set the two registry keys described below. For more information read the KB5014754 post.- Set the time range that a certificate can predate an account to 10 years. CISA recommends this value to ensure complete coverage of active certificates. Agencies may also determine their own value (PIV/CAC certificates are valid for three years).
|
Registry Subkey |
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc |
|
Value |
CertificateBackdatingCompensation |
|
Data Type |
REG_DWORD |
|
Data |
0x12CC0300 |
- Set the enforcement mode to 1 (Compatibility). This is the default value after installation. If enforcement is set to 2 (Full Enforcement), all authentication events without SID or strong mappings will fail.
|
Registry Subkey |
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc |
|
Value |
StrongCertificateBindingEnforcement |
|
Data Type |
REG_DWORD |
|
Data |
1 |
Important Note: Microsoft plans to remove ‘Compatibility Mode’ and move all Windows Server devices to ‘Full Enforcement’ mode on November 14, 2023. This change will break authentication if agencies have not created a strong mapping or added SIDs to certificates. CISA and the interagency working group are in active discussions with Microsoft for an improved path forward. At this time, CISA does not recommend agencies pursue migration to a strong mapping.
These keys are provided by Microsoft and have been tested by multiple agencies.
FREQUENTLY ASKED QUESTIONS
What are the risks associated with improperly deploying the update to domain controllers?
This update will break logins using PIV and CAC cards when certificates were issued before the accounts in Active Directory were created, which is a lot of them in many agencies. Agencies must apply the registry key to allow certificates to predate accounts.
Have these steps been tested? How can we be sure this will work?
This configuration was tested in pockets of the DOD and the civilian government, and it seems to resolve the issue. In consultation with Microsoft, CISA believes this path is better than the previous recommendation, which was to essentially disable all certificate mapping checks.
Does the order of deploying updates and registry keys matter?
Microsoft says to deploy the update first, then configure the registry settings.
Does the update only affect new certificates and not current certificates?
After applying the June update, certificates issued using Active Directory Certificate Services (ADCS) will include the SID of the user’s account. However, agencies likely do not use ADCS to issue PIV/CAC certificates.
Additionally, unless the agencies able to update their processes to support “strong” mappings, in order to allow authentication to occur with existing certificates, agencies must set enforcement mode to Compatibility and set the registry to allow certificates to predate accounts. See the instructions above and the Microsoft blog post.
Does this registry key resolve the issue where users are unable to log in with the cache enabled when their certificate was issued prior to their account creation?
Yes, this registry key resolves the issue when certificates were created before accounts.
What happens after November 14, 2023?
On November 14, 2023, Microsoft will disable Compatibility Mode. CISA and other government stakeholders are continuing active discussions with Microsoft on next steps.
Does this workaround work with all known mapping types used in the government?
Yes, to the best of CISA’s knowledge, any existing mapping should still work after deploying this change.
Is this a permanent solution?
No, Microsoft will remove Compatibility Mode on November 14, 2023. CISA is actively working with Microsoft on a long-term solution.
The Microsoft Patch Tuesday update applies to many Microsoft Windows products other than just domain controllers. Are there any concerns or risks associated with deploying the update to other Microsoft Windows endpoints?
To the best of CISA’s knowledge, there are no additional concerns.
Should agencies start migration to strong certificate mapping?
No. Strong mappings may not be appropriate for some valid use cases in the Federal PKI ecosystem. If an agency already has migrated or sees a clear path to migrate with minimal operational impact, they are free to do so. However, CISA is not pushing agencies to migrate until we have clarity with Microsoft on a long-term solution.
Can the enforcement mode be ‘Full Enforcement’ or ‘Disabled’?
Agencies should not set the value to 0 (Disabled) because valuable logging events are not generated with this setting. Setting enforcement mode to 2 (Full Enforcement) will cause authentication events to fail for certificates that do not have a SID or a strong mapping. Agencies should set the value to 1 (Compatibility).