Applies To: Windows Server 2022; Windows Server 2019, all editions; Windows Server 2016, all editions; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 Enterprise ESU; Windows Server 2008 R2 Standard ESU; Windows Server 2008 R2 Datacenter ESU; Windows Server 2008 Datacenter ESU; Windows Server 2008 Standard ESU; Windows Server 2008 Enterprise ESU

Updated

April 10, 2023: Updated the "Third deployment phase" from April 11, 2023 to June 13, 2023 in the "Timing of updates to address CVE-2022-37967" section.

Summary

The November 8, 2022 Windows updates address security bypass and elevation of privilege vulnerabilities with Privilege Attribute Certificate (PAC) signatures. This security update addresses Kerberos vulnerabilities where an attacker could digitally alter PAC signatures, raising their privileges.

To help secure your environment, install this Windows update to all devices, including Windows domain controllers. All domain controllers in your domain must be updated first before switching the update to Enforced mode.

To learn more about these vulnerabilities, see CVE-2022-37967.

Take Action

To help protect your environment and prevent outages, we recommend that you do the following steps:

  1. UPDATE your Windows domain controllers with a Windows update released on or after November 8, 2022.

  2. MOVE your Windows domain controllers to Audit mode by using the Registry Key setting section.

  3. MONITOR events filed during Audit mode to secure your environment.

  4. ENABLE Enforcement mode to address CVE-2022-37967 in your environment.

Note: Installing the updates released on or after November 8, 2022 (Step 1) will NOT, by default, address the security issues in CVE-2022-37967 on Windows devices. To fully mitigate the security issue for all devices, you must move to Audit mode (described in Step 2) and then to Enforced mode (described in Step 4) as soon as possible on all Windows domain controllers.

Important: Starting July 2023, Enforcement mode will be enabled on all Windows domain controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable the update, but you may move back to the Audit mode setting. Audit mode will be removed in October 2023, as outlined in the Timing of updates to address Kerberos vulnerability CVE-2022-37967 section.

Timing of updates to address CVE-2022-37967

Updates will be released in phases: the initial phase for updates released on or after November 8, 2022 and the Enforcement phase for updates released on or after June 13, 2023.

The initial deployment phase starts with the updates released on November 8, 2022 and continues with later Windows updates until the Enforcement phase. This update adds signatures to the Kerberos PAC buffer but does not check for signatures during authentication. Thus, secure mode is disabled by default.

This update:

  • Adds PAC signatures to the Kerberos PAC buffer.

  • Adds measures to address security bypass vulnerability in the Kerberos protocol.

The second deployment phase starts with updates released on December 13, 2022. These and later updates make changes to the Kerberos protocol to audit Windows devices by moving Windows domain controllers to Audit mode.

With this update, all devices will be in Audit mode by default:

  • If the signature is either missing or invalid, authentication is allowed and an audit event is logged. Specifically:

  • If the signature is missing, raise an event and allow the authentication.

  • If the signature is present, validate it. If the signature is incorrect, raise an event and allow the authentication.

The Windows updates released on or after June 13, 2023 will do the following:

  • Remove the ability to disable PAC signature addition by setting the KrbtgtFullPacSignature subkey to a value of 0.

The Windows updates released on or after July 11, 2023 will do the following:

  • Remove the ability to set value 1 for the KrbtgtFullPacSignature subkey.

  • Move the update to Enforcement mode by default (KrbtgtFullPacSignature = 3), which can be overridden by an Administrator with an explicit Audit setting.

The Windows updates released on or after October 10, 2023 will do the following:

  • Remove support for the registry subkey KrbtgtFullPacSignature.

  • Remove support for Audit mode.

  • Deny authentication to all service tickets without the new PAC signatures.

Deployment guidelines

To deploy the Windows updates that are dated November 8, 2022 or later Windows updates, follow these steps:

  1. UPDATE your Windows domain controllers with an update released on or after November 8, 2022.

  2. MOVE your domain controllers to Audit mode by using the Registry Key setting section.

  3. MONITOR events filed during Audit mode to help secure your environment.

  4. ENABLE Enforcement mode to address CVE-2022-37967 in your environment.

STEP 1: UPDATE 

Deploy the November 8, 2022 or later updates to all applicable Windows domain controllers (DCs). After deploying the update, Windows domain controllers that have been updated will have signatures added to the Kerberos PAC Buffer and will be insecure by default (PAC signature is not validated).

  • While updating, make sure to keep the KrbtgtFullPacSignature registry value in the default state until all Windows domain controllers are updated.

STEP 2: MOVE 

Once the Windows domain controllers are updated, switch to Audit mode by changing the KrbtgtFullPacSignature value to 2.

STEP 3: FIND/MONITOR 

Identify areas that either are missing PAC signatures or have PAC signatures that fail validation, using the event log entries raised during Audit mode.

  • Make sure that the domain functional level is at least Windows Server 2008 before moving to Enforcement mode. Moving to Enforcement mode while a domain is still at the Windows Server 2003 domain functional level may result in authentication failures.

  • Audit events will appear if your domain is not fully updated, or if outstanding previously-issued service tickets still exist in your domain.

  • Continue to monitor for additional event logs filed that indicate either missing PAC signatures or validation failures of existing PAC signatures.

  • After the entire domain is updated and all outstanding tickets have expired, the audit events should no longer appear. Then, you should be able to move to Enforcement mode with no failures.

STEP 4: ENABLE 

Enable Enforcement mode to address CVE-2022-37967 in your environment.

  • Once all audit events have been resolved and no longer appear, move your domains to Enforcement mode by updating the KrbtgtFullPacSignature registry value as described in Registry Key settings section.

  • If a service ticket has an invalid PAC signature or is missing PAC signatures, validation will fail and an error event will be logged.

Registry Key settings

Kerberos protocol

After installing the Windows updates that are dated on or after November 8, 2022, the following registry key is available for the Kerberos protocol:

  • KrbtgtFullPacSignature: This registry value is used to gate the deployment of the Kerberos changes. It is temporary and will no longer be read after the full Enforcement date of October 10, 2023.

    Registry key: HKEY_LOCAL_MACHINE\System\currentcontrolset\services\kdc
    Value: KrbtgtFullPacSignature
    Data type: REG_DWORD
    Data:
      0 - Disabled
      1 - New signatures are added, but not verified. (Default setting)
      2 - Audit mode. New signatures are added, and verified if present. If the signature is either missing or invalid, authentication is allowed and audit logs are created.
      3 - Enforcement mode. New signatures are added, and verified if present. If the signature is either missing or invalid, authentication is denied and audit logs are created.
    Restart required? No

    Note: If you need to change the KrbtgtFullPacSignature registry value, manually add and then configure the registry value to override the default.
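The following PowerShell script is an added example, not part of the Microsoft article, showing how an administrator might inventory the KrbtgtFullPacSignature value across every domain controller and move them to Audit (2) or Enforcement (3) only after checking the preconditions the article sets out: all DCs updated first, and Enforcement only after an Audit pass. It assumes the ActiveDirectory RSAT module is installed, PowerShell Remoting is enabled on the DCs, and the caller has administrative rights on them; the "patched" check is a heuristic based on hotfix install dates, not an authoritative build check.

```powershell
# Added example, not part of the Microsoft KB article. Reads KrbtgtFullPacSignature on
# every domain controller in the current domain and, when -Mode is given, sets it to
# Audit (2) or Enforcement (3) after an inventory pass.
# Assumptions: ActiveDirectory RSAT module installed, PowerShell Remoting enabled on the
# DCs, caller has administrative rights on them.
param(
    [ValidateSet(2, 3)]
    [int]$Mode            # omit to only report the current state
)

Import-Module ActiveDirectory

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'   # the KB's key in PowerShell drive form
$valueName = 'KrbtgtFullPacSignature'
$modeNames = @{ 0 = 'Disabled'; 1 = 'Added, not verified (default)'; 2 = 'Audit'; 3 = 'Enforcement' }

$dcs = (Get-ADDomainController -Filter *).HostName

# Inventory: current value on each DC. A DC where the value is absent runs the default (1).
$inventory = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $path = $using:keyPath; $name = $using:valueName
    $item  = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.$name } else { 1 }
    # Heuristic only: an update installed on or after 2022-11-08 should be present before
    # the value is honoured. InstalledOn is the install date, not the release date.
    $patched = [bool](Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2022-11-08' })
    [pscustomobject]@{ DC = $env:COMPUTERNAME; Value = $value; Patched = $patched }
}

$inventory |
    Select-Object DC, Value, @{n = 'Mode'; e = { $modeNames[$_.Value] }}, Patched |
    Format-Table -AutoSize

if (-not $PSBoundParameters.ContainsKey('Mode')) { return }

# Guard: the KB requires every DC to be updated before changing modes, and Enforcement
# should follow an Audit pass on all DCs, so refuse when either condition is unmet.
$unpatched = $inventory | Where-Object { -not $_.Patched }
if ($unpatched) {
    throw "Not changing mode: DCs without a post-2022-11-08 update: $($unpatched.DC -join ', ')"
}
if ($Mode -eq 3 -and ($inventory | Where-Object { $_.Value -lt 2 })) {
    throw 'Not enabling Enforcement: some DCs have not yet been through Audit mode (value 2).'
}

# Apply: create or overwrite the REG_DWORD on each DC. No restart is required (per the KB).
Invoke-Command -ComputerName $dcs -ScriptBlock {
    New-ItemProperty -Path $using:keyPath -Name $using:valueName -Value $using:Mode `
        -PropertyType DWord -Force | Out-Null
    '{0}: {1} = {2}' -f $env:COMPUTERNAME, $using:valueName, $using:Mode
}
```

Run it without parameters first to see where each DC stands, then with -Mode 2 once every DC is updated, and with -Mode 3 only after the Audit events described in the next section have stopped appearing.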

Windows events related to CVE-2022-37967

In Audit mode, you may find either of the following errors if PAC Signatures are missing or invalid. If this issue continues during Enforcement mode, these events will be logged as errors.

If you find either error on your device, it is likely that not all Windows domain controllers in your domain are up to date with a November 8, 2022 or later Windows update. To mitigate the issues, you will need to investigate your domain further to find the Windows domain controllers that are not up to date.

Note: If you find an error with Event ID 42, see KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966.

Event Log: System
Event Type: Warning
Event Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Event ID: 43
Event Text: The Key Distribution Center (KDC) encountered a ticket that it could not validate the full PAC Signature. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more. Client : <realm>/<Name>

Event Log: System
Event Type: Warning
Event Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Event ID: 44
Event Text: The Key Distribution Center (KDC) encountered a ticket that did not contained the full PAC Signature. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more. Client : <realm>/<Name>
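The following PowerShell script is an added example, not part of the Microsoft article, showing how the Audit-mode events above can be collected from every domain controller and summarised per client. It queries the System log for events 43 and 44 from the Microsoft-Windows-Kerberos-Key-Distribution-Center source (and 42, which the article's note attributes to CVE-2022-37966), and extracts the "Client : <realm>/<Name>" suffix from the event text so that the source of missing or invalid PAC signatures can be traced to a not-yet-updated DC or a third-party implementation. It assumes the ActiveDirectory RSAT module is installed and remote event log access is permitted; the -Days window is an assumption, not something the article specifies.

```powershell
# Added example, not part of the Microsoft KB article. Collects Kerberos KDC events
# 42/43/44 from the System log of every DC and summarises them per client.
# Assumptions: ActiveDirectory RSAT module present, remote event log access permitted.
param([int]$Days = 7)   # look-back window (assumed; the KB does not specify one)

Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 42, 43, 44     # 42 belongs to CVE-2022-37966 (KB5021131); kept only to flag it
    StartTime    = (Get-Date).AddDays(-$Days)
}

$events = foreach ($dc in $dcs) {
    # Get-WinEvent raises an error rather than returning nothing when no event matches,
    # so suppress it and treat "no output" as "no events".
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The KB's event text ends with "Client : <realm>/<Name>".
            $client = if ($_.Message -match 'Client\s*:\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
            $reason = switch ($_.Id) {
                43 { 'PAC signature failed validation' }
                44 { 'PAC signature missing' }
                42 { 'see KB5021131 (CVE-2022-37966)' }
            }
            [pscustomobject]@{
                DC     = $dc
                Time   = $_.TimeCreated
                Id     = $_.Id
                Client = $client
                Reason = $reason
            }
        }
}

if (-not $events) {
    "No KDC PAC signature events in the last $Days days on $($dcs.Count) DCs."
    return
}

# Per-client counts: a client that keeps appearing after every DC is updated and all
# previously issued tickets have expired points at a third-party KDC/client or at a DC
# that is still not up to date.
$events | Group-Object Client, Reason | Sort-Object Count -Descending |
    Select-Object Count,
                  @{n = 'Client'; e = { $_.Group[0].Client }},
                  @{n = 'Reason'; e = { $_.Group[0].Reason }},
                  @{n = 'DCs';    e = { ($_.Group.DC | Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize
```

An empty result over a window longer than the maximum service ticket lifetime, with every DC confirmed updated, is the condition the article describes for moving to Enforcement mode.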

Third-party devices implementing Kerberos protocol

Domains that have third-party domain controllers might see errors in Enforcement mode.

Domains with third-party clients might take longer to fully be cleared of audit events following the installation of a November 8, 2022 or later Windows update.

Contact the device manufacturer (OEM) or software vendor to determine if their software is compatible with the latest protocol change.

For information about protocol updates, see the Windows Protocol topic on the Microsoft website.

Glossary

Kerberos is a computer network authentication protocol which works based on “tickets” to allow for nodes communicating over a network to prove their identity to one another in a secure manner.

Key Distribution Center (KDC) is the Kerberos service that implements the authentication and ticket-granting services specified in the Kerberos protocol. The service runs on computers selected by the administrator of the realm or domain; it is not present on every machine on the network. It must have access to an account database for the realm that it serves. KDCs are integrated into the domain controller role. It is a network service that supplies tickets to clients for use in authenticating to services.

Privilege Attribute Certificate (PAC) is a structure that conveys authorization-related information provided by domain controllers (DCs). For more information, see Privilege Attribute Certificate Data Structure.

Ticket-granting Ticket (TGT) is a special type of ticket that can be used to obtain other tickets. The TGT is obtained after the initial authentication in the Authentication Service (AS) exchange; thereafter, users do not need to present their credentials, but can use the TGT to obtain subsequent tickets.
