CISA: Immediate patching of Windows LSA spoofing flaw urged

ZDNet reports that federal agencies and other entities have been urged by the Cybersecurity and Infrastructure Security Agency to remediate a Windows Local Security Authority spoofing vulnerability, tracked as CVE-2022-26925, by July 22. The flaw had been temporarily removed from the agency's Known Exploited Vulnerabilities catalog because the original update issued by Microsoft caused login issues. According to CISA, those login problems can be averted by setting up two registry keys on domain controllers. CISA added that the CVE-2022-26925 patch also addresses an Active Directory service privilege escalation vulnerability, tracked as CVE-2022-26923, and a Windows Kerberos privilege escalation bug, tracked as CVE-2022-26931. Although the update moves to 'Full Enforcement' mode by next May, agencies were advised not to transition to strong certificate-user mapping, which may cause issues with the Federal PKI ecosystem. "CISA and the interagency working group are in active discussions with Microsoft for an improved path forward. At this time, CISA does not recommend agencies pursue migration to a strong mapping," the agency said.