
Windows LSA spoofing flaw addressed

Microsoft has issued a fix for a Windows Local Security Authority (LSA) spoofing zero-day vulnerability, which could be abused to force domain controllers to authenticate through the Windows NT LAN Manager (NTLM) protocol, BleepingComputer reports. The flaw, tracked as CVE-2022-26925, is already being actively exploited by threat actors and may be a new PetitPotam NTLM relay attack vector. While the vulnerability could only be abused in highly complex man-in-the-middle attacks, it can be leveraged to intercept legitimate authentication requests and escalate privileges, leading to complete domain compromise.

"An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it. [..] This vulnerability affects all servers but domain controllers should be prioritized in terms of applying security updates," said Microsoft, which added that the flaw affects all versions of Windows beginning from Windows 7 and Windows Server 2008.
