Microsoft updates third-phase Windows DC hardening roadmap for Kerberos security flaw

Back in November, on the second Tuesday of the month, Microsoft released its Patch Tuesday update. The one for servers (KB5019081) addressed a Windows Kerberos elevation of privilege vulnerability that allowed threat actors to alter Privilege Attribute Certificate (PAC) signatures (tracked under ID “CVE-2022-37967“). Microsoft recommended deploying the update to all Windows devices including domain controllers.

In order to help with the deployment, Microsoft published guidance. The firm summarized the meat of the matter as follows:

The November 8, 2022 Windows updates address security bypass and elevation of privilege vulnerabilities with Privilege Attribute Certificate (PAC) signatures. This security update addresses Kerberos vulnerabilities where an attacker could digitally alter PAC signatures, raising their privileges.

To help secure your environment, install this Windows update to all devices, including Windows domain controllers.

At the end of last month, the company issued a reminder regarding the third deployment phase. While it was supposed to be out with this month’s Patch Tuesday, Microsoft has now pushed it back by a couple of months to June. The update on the Windows Health dashboard message center says:

The June Patch Tuesday will make the following hardening change to Kerberos protocol:

The Windows updates released on or after June 13, 2023 will do the following:

• Remove the ability to disable PAC signature addition by setting the  KrbtgtFullPacSignature subkey to a value of 0.

You may find additional details on the support article here (KB5020805).

---

---