The Cybersecurity and Infrastructure Security Agency (CISA) has set a deadline of July 22 for Federal civilian agencies to apply Microsoft’s June 2022 Patch Tuesday update.
CISA said the update will address multiple vulnerabilities in Microsoft software and prevent an adversary from exploiting vulnerabilities to take control of an affected system. The update includes remediations for CVE-2022-26923 and CVE-2022-26931, which changed the way certificates are mapped to accounts in Active Directory.
“These changes break certificate authentication for many Federal agencies, due to the way Personal Identity Verification (PIV)/Common Access Card (CAC) certificates are created and used,” CISA said. “Active Directory now looks for the account’s security identifier (SID) in the certificate or for a strong mapping between the certificate and account. This guidance provides information on how the required patches can be applied without breaking certificate authentication.”
Per CISA’s Binding Operational Directive 22-01 and CISA’s Catalog of Known Exploited Vulnerabilities, agencies must apply the June 2022 updates to all Windows endpoints.
CISA warned that when applied to Microsoft Windows Servers with the domain controller role, the update will break PIV/CAC authentication. Therefore, CISA emphasized agencies must follow the detailed guidance “to prevent service outages.”
“Microsoft plans to remove ‘Compatibility Mode’ and move all Windows Server devices to ‘Full Enforcement’ mode in May 2023. This change will break authentication if agencies have not created a strong mapping or added SIDs to certificates,” the agency added. “CISA and the interagency working group are in active discussions with Microsoft for an improved path forward.”
CISA said it is “actively working with Microsoft on a long-term solution” for after May 2023, but does not currently recommend agencies “pursue migration to a strong mapping.”
