Microsoft has updated the third-stage Windows DC hardening roadmap for the Kerberos security flaw.


Windows logo against red circular shapes and dark background

Back in November, on the second Tuesday of the month, Microsoft released its Patch Tuesday update. one for servers (KB5019081) addressed a Windows Kerberos elevation of privilege vulnerability that allowed threat actors to alter Privilege Attribute Certificate (PAC) signatures (tracked under ID “CVE-2022-37967Microsoft recommends deploying the update to all Windows devices, including domain controllers.

To help with deployment, Microsoft published guidance. The firm summarized the meat of the matter as follows:

The November 8, 2022 Windows Updates address security bypass and elevation of privilege vulnerabilities with Privilege Attribute Certificate (PAC) signatures. This security update addresses vulnerabilities in Kerberos where an attacker could digitally alter PAC signatures, escalating their privileges.

To help secure your environment, install this Windows update on all devices, including Windows domain controllers.

Late last month, the company issued a reminder regarding the third phase of the deployment. While it was supposed to end with this month’s Patch Tuesday, Microsoft has now pushed it back a few months to June. Update on the Windows Health Dashboard Message Center Says that:

Security hardening changes to domain controllers in the IT environment to address CVE-2022-37967 will enter the third phase of deployment, as described in KB5020805: Kerberos Protocol Changes Related to CVE-2022-37967 How to Manage listed this change as happening in April, however, that date has changed.

June’s Patch Tuesday will bring the following drastic changes to the Kerberos protocol:

Windows updates released on or after June 13, 2023 will do the following:

  • Remove the ability to disable PAC signature addition by settingKrbtgtFullPacSignature Subkey for a value of 0.

You can find additional details on the support article here (KB5020805).


You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *