Windows LSA Spoofing Vulnerability

How could an attacker exploit this vulnerability?

An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate against another server using NTLM. This security update blocks the affected API calls OpenEncryptedFileRawA and OpenEncryptedFileRawW through LSARPC interface.

Is there more information available on how to protect my system?

Yes. Please see ADV210003 Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS).

Are there further actions I need to take to protect my system after I have applied the security update?

Yes. Please see KB5005413 for more information on the steps that you need to take to protect your system. Please note that the combined CVSS score would be 9.8 when this vulnerability is chained with the noted NTLM Relay Attacks on Active Directory Certificate Services (AD CS).

Should I prioritize updating domain controllers when I apply the security updates released on August 10, 2021?

Yes. This vulnerability affects all servers but domain controllers should be prioritized in terms of applying security updates.

How will installing the updates that address this CVE impact my environment?

The EFS API OpenEncryptedFileRaw(A/W), often used in backup software, continues to work in all versions of Windows (local and remote), except when backing up to or from a system running Windows Server 2008 SP2. OpenEncryptedFileRaw will no longer work on Windows Server 2008 SP2.

Note: If you are unable to use backup software on Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1 and later, after installing the updates that address this CVE, contact the manufacturer of your backup software for updates and support.