Microsoft drops emergency patch after Patch Tuesday screw up

Microsoft has issued an out-of-band patch fixing an issue that caused server or client authentication failures on domain controllers after installing the 10 May 2022 Patch Tuesday updates.

The Patch Tuesday issue was identified by users shortly after the monthly update was issued, and affected services including Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP).

The problem related to how the domain controller handled the mapping of certificates to machine accounts. Note that it only affected servers used as domain controllers, not client Windows devices or Windows Servers that are not used as domain controllers.

“This issue was resolved in out-of-band updates released May 19, 2022 for installation on Domain Controllers in your environment. There is no action needed on the client side to resolve this authentication issue. If you used any workaround or mitigations for this issue, they are no longer needed, and we recommend you remove them,” said Microsoft in an update.

The updates are not, however, available from Windows Update and will not be automatically installed, so affected users should consult the Microsoft Update Catalogue, and can then manually import the updates into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager.

According to Microsoft, the initial updates that caused authentication to break were supposed to have addressed a pair of disclosed vulnerabilities, CVE-2022-26931 and CVE-2022-26923 respectively, a pair of privilege escalation vulnerabilities.

The first of these, in Windows Kerberos, was credited to Andrew Bartlett of Catalyst and Samba Team, while the second, more serious vulnerability, is in Active Directory Domain Services and was credited to Oliver Lyak of the Institut for Cyber Risk.

This is the second time in recent months that Microsoft has had to issue out-of-band fixes for authentication issues relating to domain controllers.

Last November, just a week after the scheduled Patch Tuesday release, it fixed a problem in how Windows Server handled Kerberos authentication tokens; after a bug in an extension was found to cause Kerberos tickets to improperly authenticate.

This in turn caused vulnerable instances of Windows Server 2008, 2012, 2016 and 2019 that were being used as domain controllers to fail to authenticate users that were relying on single sign-on tokens, along with some Active Directory and SQL Server services.

It is not remarkably uncommon for Microsoft to have to act outside of its patch schedule, although it can often be read as an indication that a Patch Tuesday release has had unforeseen consequences, that the issue is extremely serious, or that something outside of Microsoft’s control has gone comically wrong.

Last summer, the PrintNightmare remote code execution (RCE) vulnerability in Windows Print Spooler provided an excellent example of the latter scenario, after an exploit disclosure made in error that was assumed to be for a previously-patched vulnerability turned out to be an exploit disclosure for an undiscovered zero-day, CVE-2021-34527.

In the resulting chaos, Microsoft’s out-of-band patch itself had to be patched again after it emerged that while it addressed the RCE component of PrintNightmare, it did not protect against local privilege escalation (LPE).