Change log
Change 1: June 19, 2023:
Summary
The Windows updates released on or after November 8, 2022 address a security bypass and elevation of privilege vulnerability in Authentication Negotiation that arises from weak RC4-HMAC negotiation.
This update will set AES as the default encryption type for session keys on accounts that are not marked with a default encryption type already.
To help secure your environment, install Windows updates released on or after November 8, 2022, to all devices, including domain controllers. See Change 1.
To learn more about these vulnerabilities, see CVE-2022-37966.
Discovering Explicitly Set Session Key Encryption Types
You may have explicitly defined encryption types on your user accounts that are vulnerable to CVE-2022-37966. Look for accounts where DES / RC4 is explicitly enabled but not AES using the following Active Directory query:
Get-ADObject -Filter "msDS-supportedEncryptionTypes -bor 0x7 -and -not msDS-supportedEncryptionTypes -bor 0x18"
Registry Key settings
After installing the Windows updates that are dated on or after November 8, 2022, the following registry key is available for the Kerberos protocol:
DefaultDomainSupportedEncTypes
| Registry key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC |
| Value | DefaultDomainSupportedEncTypes |
| Data type | REG_DWORD |
| Data value | 0x27 (Default) |
| Restart required? | No |
Note If you must change the default Supported Encryption Type for an Active Directory user or computer, manually add and configure the registry key to set the new Supported Encryption Type. This update does not automatically add the registry key.
Windows domain controllers use this value to determine the supported encryption types on accounts in Active Directory whose msds-SupportedEncryptionTypes value is either empty or not set. A computer that is running a supported version of the Windows operating system automatically sets the msds-SupportedEncryptionTypes value for that machine's account in Active Directory. This is based on the configured value of encryption types that the Kerberos protocol is allowed to use. For more information, see Network security: Configure encryption types allowed for Kerberos.
User accounts, Group Managed Service accounts, and other accounts in Active Directory do not have the msds-SupportedEncryptionTypes value set automatically.
To find Supported Encryption Types you can manually set, please refer to Supported Encryption Types Bit Flags. For more information, see what you should do first to help prepare the environment and prevent Kerberos authentication issues.
The default value 0x27 (DES, RC4, AES Session Keys) was chosen as the minimum change necessary for this security update. We recommend customers set the value to 0x3C for increased security as this value will allow for both AES-encrypted tickets and AES session keys. If customers have followed our guidance to move to an AES-only environment where RC4 is not used for the Kerberos protocol, we recommend that customers set the value to 0x38. See Change 1.
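The following is an added example, not part of the original article. It decodes msds-SupportedEncryptionTypes values, applies the rule that an empty or 0 value falls back to DefaultDomainSupportedEncTypes, and repeats the test made by the Active Directory query in the discovery section. The function name and the sample accounts are hypothetical and constructed for illustration; the flag names are the standard Supported Encryption Types bit flags.

```powershell
# Supported Encryption Types bit flags for msDS-SupportedEncryptionTypes.
$EncTypeFlags = @(
    @{ Bit = 0x01; Name = 'DES-CBC-CRC' }
    @{ Bit = 0x02; Name = 'DES-CBC-MD5' }
    @{ Bit = 0x04; Name = 'RC4-HMAC' }
    @{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' }
    @{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' }
    @{ Bit = 0x20; Name = 'AES256-CTS-HMAC-SHA1-96-SK (AES session keys)' }
)

function Resolve-KerberosEncTypes {          # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Name,
        [Nullable[int]]$SupportedEncTypes,   # raw msDS-SupportedEncryptionTypes value
        [int]$DomainDefault = 0x27           # DefaultDomainSupportedEncTypes
    )
    # An empty or 0 attribute means the domain controller uses the default.
    $explicit  = ($null -ne $SupportedEncTypes) -and ($SupportedEncTypes -ne 0)
    $effective = if ($explicit) { [int]$SupportedEncTypes } else { $DomainDefault }
    $source    = if ($explicit) { 'account attribute' } else { 'domain default' }
    $names     = $EncTypeFlags | Where-Object { $effective -band $_.Bit } |
                 ForEach-Object { $_.Name }
    # Same test as the Get-ADObject filter: any DES/RC4 bit (0x7), no AES bit (0x18).
    $weak = $explicit -and ($effective -band 0x7) -and -not ($effective -band 0x18)

    [pscustomobject]@{
        Name              = $Name
        Source            = $source
        Effective         = '0x{0:X2}' -f $effective
        ExplicitWeakNoAes = [bool]$weak
        EncTypes          = $names -join ', '
    }
}

# Constructed sample accounts (not real directory data).
$sample = @(
    @{ Name = 'svc-legacy'; Value = 0x04 }   # RC4 explicitly set, no AES
    @{ Name = 'svc-des';    Value = 0x03 }   # DES only
    @{ Name = 'svc-mixed';  Value = 0x1C }   # RC4 + AES128 + AES256
    @{ Name = 'svc-aes';    Value = 0x18 }   # AES only
    @{ Name = 'user-unset'; Value = $null }  # attribute not set
    @{ Name = 'user-zero';  Value = 0 }      # attribute set to 0
)
$sample | ForEach-Object {
    Resolve-KerberosEncTypes -Name $_.Name -SupportedEncTypes $_.Value
} | Format-Table -AutoSize
```

Passing -DomainDefault 0x3C or 0x38 shows what the unset accounts would resolve to under the recommended registry values.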
Windows events related to CVE-2022-37966
The Kerberos Key Distribution Center lacks strong keys for account
| Event Log | System |
| Event Type | Error |
| Event Source | Kdcsvc |
| Event ID | 42 |
| Event Text | The Kerberos Key Distribution Center lacks strong keys for account: accountname. You must update the password of this account to prevent use of insecure cryptography. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more. |
If you find this error, you likely must reset your krbtgt password before setting KrbtgtFullPacSignature = 3, or installing Windows Updates released on or after July 11, 2023. The update that programmatically enables enforcement mode for CVE-2022-37967 is documented in the following article in the Microsoft Knowledge Base:
KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967
For more information about how to do this, see the New-KrbtgtKeys.ps1 topic on the GitHub website.
Frequently Asked Questions (FAQ) and Known Issues
Accounts that are flagged for explicit RC4 usage are vulnerable. In addition, environments that do not have AES session keys within the krbtgt account may be vulnerable. To mitigate this issue, follow the guidance on how to identify vulnerabilities and use the Registry Key setting section to update explicitly set encryption defaults.
You will need to verify that all your devices have a common Kerberos Encryption type. For more information about Kerberos Encryption types, see Decrypting the Selection of Supported Kerberos Encryption Types.
Environments without a common Kerberos Encryption type might have previously been functional due to automatically adding RC4 or by the addition of AES, if RC4 was disabled through group policy by domain controllers. This behavior has changed with the updates released on or after November 8, 2022 and will now strictly follow what is set in the registry keys, msds-SupportedEncryptionTypes and DefaultDomainSupportedEncTypes.
If the account does not have msds-SupportedEncryptionTypes set, or it is set to 0, domain controllers assume a default value of 0x27 (39) or the domain controller will use the setting in the registry key DefaultDomainSupportedEncTypes.
If the account does have msds-SupportedEncryptionTypes set, this setting is honored and might expose a failure to have configured a common Kerberos Encryption type masked by the previous behavior of automatically adding RC4 or AES, which is no longer the behavior after installation of updates released on or after November 8, 2022.
For information about how to verify you have a common Kerberos Encryption type, see question How can I verify that all my devices have a common Kerberos Encryption type?
See the previous question for more information why your devices might not have a common Kerberos Encryption type after installing updates released on or after November 8, 2022.
If you have already installed updates released on or after November 8, 2022, you can detect devices which do not have a common Kerberos Encryption type by looking in the Event Log for Microsoft-Windows-Kerberos-Key-Distribution-Center Event 27, which identifies disjoint encryption types between Kerberos clients and remote servers or services.
Installation of updates released on or after November 8, 2022 on clients or non-Domain Controller role servers should not affect Kerberos authentication in your environment.
To mitigate this known issue, open a Command Prompt window as an Administrator and temporarily use the following command to set the registry key KrbtgtFullPacSignature to 0:
reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD
Note Once this known issue is resolved, you should set KrbtgtFullPacSignature to a higher setting depending on what your environment will allow. We recommend that Enforcement mode is enabled as soon as your environment is ready.
Next steps We are working on a resolution and will provide an update in an upcoming release.
After installing updates released on or after November 8, 2022 on your domain controllers, all devices must support AES ticket signing as required to be compliant with the security hardening required for CVE-2022-37967.
Next Steps If you are already running the most up-to-date software and firmware for your non-Windows devices and have verified that there is a common Encryption type available between your Windows domain controllers and your non-Windows devices, you will need to contact your device manufacturer (OEM) for help or replace the devices with ones that are compliant.
IMPORTANT We do not recommend using any workaround to allow non-compliant devices to authenticate, as this might make your environment vulnerable.
Unsupported versions of Windows, which include Windows XP, Windows Server 2003, Windows Server 2008 SP2, and Windows Server 2008 R2 SP1, cannot be accessed by updated Windows devices unless you have an ESU license. If you have an ESU license, you will need to install updates released on or after November 8, 2022 and verify your configuration has a common Encryption type available between all devices.
Next Steps Install updates, if they are available for your version of Windows and you have the applicable ESU license. If updates are not available, you will need to upgrade to a supported version of Windows or move any application or service to a compliant device.
IMPORTANT We do not recommend using any workaround to allow non-compliant devices to authenticate, as this might make your environment vulnerable.
This known issue was resolved in out-of-band updates released November 17, 2022 and November 18, 2022 for installation on all domain controllers in your environment. You do not need to install any update or make any changes to other servers or client devices in your environment to resolve this issue. If you used any workaround or mitigations for this issue, they are no longer needed, and we recommend you remove them.
To get the standalone package for these out-of-band updates, search for the KB number in the Microsoft Update Catalog. You can manually import these updates into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. For WSUS instructions, see WSUS and the Catalog Site. For Configuration Manager instructions, see Import updates from the Microsoft Update Catalog.
Note The following updates are not available from Windows Update and will not install automatically.
Cumulative updates:
Note You do not need to apply any previous update before installing these cumulative updates. If you have already installed updates released November 8, 2022, you do not need to uninstall the affected updates before installing any later updates including the updates listed above.
Standalone Updates:
- Windows Server 2012 R2: KB5021653
- Windows Server 2012: KB5021652
- Windows Server 2008 R2 SP1: KB5021651 (released November 18, 2022)
- Windows Server 2008 SP2: KB5021657
Notes
- If you use security-only updates for these versions of Windows Server, you only need to install these standalone updates for the month of November 2022. Security-only updates are not cumulative, and you will also need to install all previous security-only updates to be fully up to date. Monthly Rollup updates are cumulative and include security and all quality updates.
- If you use Monthly Rollup updates, you will need to install both the standalone updates listed above to resolve this issue, and install the Monthly Rollups released November 8, 2022, to receive the quality updates for November 2022. If you have already installed updates released November 8, 2022, you do not need to uninstall the affected updates before installing any later updates including the updates listed above.
If you have verified the configuration of your environment and you are still encountering issues with any non-Microsoft implementation of Kerberos, you will need updates or support from the developer or manufacturer of the app or device.
This known issue can be mitigated by doing one of the following:
- Set msds-SupportedEncryptionTypes by using a bitwise OR with the current default 0x27 to preserve its current value. For example:
  msds-SupportedEncryptionTypes -bor 0x27
- Set msds-SupportedEncryptionTypes to 0 to let domain controllers use the default value of 0x27.
Next steps We are working on a resolution and will provide an update in an upcoming release.
Glossary
Advanced Encryption Standard (AES) is a block cipher that supersedes the Data Encryption Standard (DES). AES can be used to protect electronic data. The AES algorithm can be used to encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext. AES is used in symmetric-key cryptography, meaning that the same key is used for the encryption and decryption operations. It is also a block cipher, meaning that it operates on fixed-size blocks of plaintext and ciphertext, and requires the size of the plaintext as well as the ciphertext to be an exact multiple of this block size. AES is also known as the Rijndael symmetric encryption algorithm [FIPS197].
Kerberos is a computer network authentication protocol which works based on “tickets” to allow for nodes communicating over a network to prove their identity to one another in a secure manner.
Key Distribution Center (KDC): The Kerberos service that implements the authentication and ticket granting services specified in the Kerberos protocol. The service runs on computers selected by the administrator of the realm or domain; it is not present on every machine on the network. It must have access to an account database for the realm that it serves. KDCs are integrated into the domain controller role. It is a network service that supplies tickets to clients for use in authenticating to services.
RC4-HMAC (RC4) is a variable key-length symmetric encryption algorithm. For more information, see [SCHNEIER] section 17.1.
Session key: A relatively short-lived symmetric key (a cryptographic key negotiated by the client and the server based on a shared secret). A session key's lifespan is bounded by the session to which it is associated. A session key has to be strong enough to withstand cryptanalysis for the lifespan of the session.
Ticket-granting Ticket (TGT): A special type of ticket that can be used to obtain other tickets. The Ticket-granting Ticket (TGT) is obtained after the initial authentication in the Authentication Service (AS) exchange; thereafter, users do not need to present their credentials, but can use the TGT to obtain subsequent tickets.