Microsoft issues out-of-band patch for domain controllers

Share post:

Microsoft has released an out-of-band patch for an issue on Windows-based domain controllers which might cause sign-in failures or other Kerberos authentication issues.

Released last month, the patch deals with CVE-2022-37966, an escalation of privilege vulnerability because of a weak Kerberos RC4-HMAC negotiation.

The update — which supersedes an update issued November 8th in the regular Patch Tuesday fixes — will set AES as the default encryption type for session keys on accounts that are not marked with a default encryption type already.

The out-of-band update applies to all versions of Windows Server from 2008 to 2022.

Microsoft rates the complexity of the vulnerability as high. “A successful attack depends on conditions beyond the attacker’s control,” it says in an explanatory note. “That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may require an attacker to: gather knowledge about the environment in which the vulnerable target/component exists; prepare the target environment to improve exploit reliability; or inject themselves into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g., a man in the middle attack).”

Administrators don’t need to install any updates or make any changes to servers other than domain controllers, or to client devices in their environment, to resolve this issue.

The post Microsoft issues out-of-band patch for domain controllers first appeared on IT World Canada.

Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

Hackers Plant False Memories in ChatGPT to Steal User Data

A security researcher has uncovered a vulnerability in ChatGPT that could allow hackers to store false information and...

“Octo2” Trojan Targets Bank Accounts by Posing as VPN or Chrome Apps on Android

A new malware variant called “Octo2” is spreading across Android devices by posing as popular apps like NordVPN...

Evilginx – Open source tool can bypass Multi-Factor Authentication (MFA)

Security vendor Abnormal Security is reporting a new cybersecurity tool that is gaining traction among cybercriminals. The tool,...

Kaspersky’s exit from US market frightens some customers

Kaspersky, the Russian cybersecurity firm, has unexpectedly removed its antivirus software from U.S. customers' computers, replacing it with...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways