KB5010265 adds AES encryption protections to the MS-LSAD protocol for CVE-2022-21913

Applies to: Windows 11, all editions; Windows 10; Windows 10, version 1909, all editions; More...

Summary

The January 11, 2022, Windows updates and later Windows updates add protections for CVE-2022-21913.

After you install the January 11, 2022, Windows updates or later Windows updates, Advanced Encryption Standard (AES) encryption will be set as the preferred encryption method on Windows clients when you use the legacy Local Security Authority (Domain Policy) (MS-LSAD) protocol for trusted domain object password operations that are sent over a network. This is true only if AES encryption is supported by the server. If AES encryption is not supported by the server, the system will allow fallback to the legacy RC4 encryption.

Changes in CVE-2022-21913 are specific to the MS-LSAD protocol. They are independent of other protocols. MS-LSAD uses Server Message Block (SMB) over remote procedure call (RPC) and named pipes. Although SMB also supports encryption, it is not enabled by default. By default, the changes in CVE-2022-21913 are enabled and provide additional security at the LSAD layer. No additional configuration changes are required beyond installing the protections for CVE-2022-21913 that are included in the January 11, 2022, Windows updates and later Windows updates on all supported versions of Windows. Unsupported versions of Windows should be discontinued or upgraded to a supported version.

Note: CVE-2022-21913 modifies only how trust passwords are encrypted in transit when you use specific APIs of the MS-LSAD protocol; it does not modify how passwords are stored at rest. For more information about how passwords are encrypted at rest in Active Directory and locally in the SAM database (registry), see Passwords technical overview.

More information

Changes made by the January 11, 2022, updates

How the new behavior works

The existing LsarOpenPolicy2 method is typically used to open a context handle to the RPC server. This is the first function that must be called to contact the Local Security Authority (Domain Policy) Remote Protocol database. After you install these updates, the LsarOpenPolicy2 method is superseded by the new LsarOpenPolicy3 method.

An updated client that calls the LsaOpenPolicy API will now call the LsarOpenPolicy3 method first. If the server is not updated and does not implement the LsarOpenPolicy3 method, the client falls back to the LsarOpenPolicy2 method and uses the previous methods that use RC4 encryption.

An updated server will return a new bit in the LsarOpenPolicy3 method response, as defined in LSAPR_REVISION_INFO_V1. For more information, see the "AES Cipher Usage" and "LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES" sections in MS-LSAD.

If the server supports AES, the client will use the new methods and new information classes for subsequent trusted domain "create" and "set" operations. If the server does not return this flag, or if the client is not updated, the client will fall back to using the previous methods that use RC4 encryption.

Event logging

The January 11, 2022, updates add a new event to the security event log to help identify devices that are not updated, and to help improve security.

Value               Meaning
Event source        Microsoft-Windows-Security
Event ID            6425
Level               Information
Event message text  A network client used a legacy RPC method to modify authentication information on a trusted domain object. The authentication information was encrypted with a legacy encryption algorithm. Consider upgrading the client operating system or application to use the latest and more secure version of this method.

                    Trusted Domain:
                        Domain Name:
                        Domain ID:
                    Modified By:
                        Security ID:
                        Account Name:
                        Account Domain:
                        Logon ID:
                    Client Network Address:
                    RPC Method Name:

                    For more information, go to https://go.microsoft.com/fwlink/?linkid=2161080.
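One way to triage the Event ID 6425 records described above, as an added example that is not part of the KB article: the script parses the rendered message text of exported Security-log events (assumed exported as event ID plus message, the shape Get-WinEvent's Id and Message properties give you) and counts, per client address, account and RPC method, which clients are still falling back to the RC4-encrypted legacy methods. The sample records are constructed; the addresses, SIDs, account names and the two method names are assumed sample values, not taken from the article.

```python
import re
from collections import Counter

LEGACY_TRUST_EVENT_ID = 6425  # event added by the January 11, 2022 updates
FIELD_LABELS = ("Domain Name", "Domain ID", "Security ID", "Account Name",
                "Account Domain", "Logon ID", "Client Network Address", "RPC Method Name")

def sample_6425(client, method, account):
    """Constructed sample message in the layout the KB documents for Event ID 6425."""
    return (
        "A network client used a legacy RPC method to modify authentication "
        "information on a trusted domain object. The authentication information "
        "was encrypted with a legacy encryption algorithm. Consider upgrading the "
        "client operating system or application to use the latest and more secure "
        "version of this method.\n"
        "Trusted Domain:\n\tDomain Name:\tpartner.example\n\tDomain ID:\tS-1-5-21-111-222-333\n"
        f"Modified By:\n\tSecurity ID:\tS-1-5-21-444-555-666-1104\n\tAccount Name:\t{account}\n"
        "\tAccount Domain:\tCORP\n\tLogon ID:\t0x3E7\n"
        f"Client Network Address:\t{client}\nRPC Method Name:\t{method}\n"
    )

# Constructed sample export as (event id, rendered message) pairs; all values are
# assumed sample data. 4624 is an unrelated logon event that must be ignored.
SAMPLE_EVENTS = [
    (6425, sample_6425("10.0.0.25", "LsarSetInformationTrustedDomain", "svc-trust")),
    (4624, "An account was successfully logged on.\n"),
    (6425, sample_6425("10.0.0.25", "LsarSetInformationTrustedDomain", "svc-trust")),
    (6425, sample_6425("10.0.0.77", "LsarCreateTrustedDomainEx2", "admin-jdoe")),
]

def parse_event_6425(message):
    """Extract the labelled fields from a rendered 6425 message body."""
    fields = {}
    for line in message.splitlines():
        # "<label>:<whitespace><value>"; section headers such as "Modified By:" are skipped
        m = re.match(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$", line)
        if m and m.group(1) in FIELD_LABELS:
            fields[m.group(1)] = m.group(2)
    return fields

def legacy_trust_clients(events):
    """Count 6425 events per (client address, account, RPC method); each key is a
    client that still fell back to the RC4-encrypted legacy MS-LSAD methods."""
    counts = Counter()
    for event_id, message in events:
        if event_id == LEGACY_TRUST_EVENT_ID:
            f = parse_event_6425(message)
            counts[(f.get("Client Network Address", "?"), f.get("Account Name", "?"),
                    f.get("RPC Method Name", "?"))] += 1
    return counts
```

Each key in the returned Counter identifies a client that should be updated so that it negotiates AES through LsarOpenPolicy3 instead of falling back to RC4.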
