Windows 10: KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967

In the article titled "KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967" there is a lot of talk about the registry value KrbtgtFullPacSignature However, there is no mention of whether this value needs to be manually created, or if it is supposed to have been automatically created in due course with the install of the appropriate Windows Updates.Each of our Server 2016 Domain Controllers have seemingly never had the KrbtgtFullPacSignature registry value created and I'm starting to wonder why?Each server has had its OS updates apply including the most recent

:)

 

KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967

Hi, There is an enforcement due on the 11th July from Microsoft due to a security vulnerability, Please see under article:

KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967 - Microsoft Support

The November 8, 2022 Windows updates address security bypass and elevation of privilege vulnerabilities with Privilege Attribute Certificate (PAC) signatures. This security update addresses Kerberos vulnerabilities where an attacker could digitally alter PAC signatures, raising their privileges.

To help secure your environment, install this Windows update to all devices, including Windows domain controllers. All domain controllers in your domain must be updated first before switching the update to Enforced mode.

To learn more about this vulnerabilities, see CVE-2022-37967.

Just a quick question, does it mean that any servers running 2003OS or 2008OS in an esatate would no longer work?

The article doesnt appear to have been updated for a while.

Thanks

 

CVE-2022-30190 workaround for Windows 7

The guidance for CVE-2022-30190 mentions deleting the MSDT URL Protocol as a workaround for this vulnerability.

/blog/2022/05/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

However, the FAQ says "The registry key mentioned in the workaround section will not exist in earlier supported versions of Windows, so the workaround is not required."

Does this mean there is no workaround for Windows 7 and the only solution is to install the July 2022 security update?

 

CVE-2022-30190 workaround for Windows 7

This is a consumer-oriented peer-to-peer support forum. Support issues that may arise under Microsoft's Extended Security Updates (ESU) program are beyond the scope of this forum.

Did you purchase ESU for 2022? If not, you do not have access to the July 2022 security update.

If you did purchase ESU for 2022, see FAQ about Extended Security Updates (Ety= regarding technical support.

As I understand the Guidance for CVE-2022-30190:

• A remote code execution vulnerability exists when MSDT is called using the URL protocol
  
• The MSDT URL protocol is not available in versions of Windows earlier than Windows Server 2019 & Windows 10 version 1809, i.e., the MSDT URL protocol isn't available in Windows 7.
  

Thus, the vulnerability does not appear (to me) to exist in Windows 7. For a more definitive answer see the link above.