CVE-2022-21913 Overview
CVE-2022-21913 is a security feature bypass vulnerability affecting the Local Security Authority (Domain Policy) Remote Protocol (LSAD/LSARPC) in Microsoft Windows. This vulnerability allows remote attackers to potentially intercept and decrypt sensitive domain policy information transmitted between Windows clients and domain controllers due to weak encryption enforcement in the LSAD protocol.
The Local Security Authority Remote Protocol is used to manage security policy information on domain-joined systems, including password policies, trust relationships, and account information. When exploited, this vulnerability enables attackers on the network to downgrade the encryption used in LSAD communications, potentially exposing sensitive security policy data.
Critical Impact
Remote unauthenticated attackers can exploit weak encryption in the LSAD protocol to intercept and decrypt sensitive domain security policy information, potentially compromising Active Directory security configurations.
Affected Products
- Microsoft Windows 10 (all versions including 1607, 1809, 1909, 20H2, 21H1, 21H2)
- Microsoft Windows 11
- Microsoft Windows 7 SP1
- Microsoft Windows 8.1
- Microsoft Windows RT 8.1
- Microsoft Windows Server 2008 SP2 and R2 SP1
- Microsoft Windows Server 2012 and R2
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
- Microsoft Windows Server 2022 and 20H2
Discovery Timeline
- January 11, 2022 - CVE-2022-21913 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-21913
Vulnerability Analysis
This security feature bypass affects the encryption mechanisms used by the Local Security Authority (Domain Policy) Remote Protocol. The LSAD protocol, implemented through the lsarpc RPC interface, is responsible for managing domain security policies including password policies, trust relationships, and security configuration data.
The vulnerability stems from the protocol's acceptance of weak encryption algorithms during communication negotiation. When a client connects to a domain controller via LSARPC, the protocol may allow the use of deprecated or weak cryptographic ciphers instead of enforcing modern encryption standards. This creates an opportunity for attackers positioned on the network to intercept these communications.
The attack requires network access but does not require authentication or user interaction, making it particularly concerning in enterprise environments where LSAD traffic traverses network segments that may be accessible to attackers.
Root Cause
The root cause of CVE-2022-21913 lies in the insufficient enforcement of strong encryption algorithms in the LSAD protocol implementation. The protocol's negotiation mechanism permits fallback to weaker encryption methods, violating the security principle of encryption downgrade prevention.
Specifically, the Windows implementation of lsasrv.dll and related components did not adequately validate or enforce the use of AES encryption for LSAD communications. This allowed clients and servers to negotiate weaker cipher suites, enabling potential cryptographic attacks against the transmitted data.
Attack Vector
The attack vector for this vulnerability is network-based. An attacker with network access between Windows clients and domain controllers can exploit this vulnerability through the following mechanism:
Network Positioning: The attacker positions themselves on a network segment where LSAD/LSARPC traffic is accessible, typically through ARP spoofing, DNS hijacking, or by compromising a network device.
Protocol Interception: The attacker intercepts RPC communications on the LSARPC interface (typically using named pipe \PIPE\lsarpc or direct TCP connections).
Encryption Downgrade: By manipulating the encryption negotiation process, the attacker forces the use of weaker cryptographic algorithms.
Data Decryption: With weakened encryption in place, the attacker can decrypt intercepted LSAD traffic to access sensitive domain policy information including password policies, trust configurations, and security settings.
This attack does not require any privileges on the target systems and can be executed without user interaction, making it particularly dangerous in environments where network segmentation is insufficient.
Detection Methods for CVE-2022-21913
Indicators of Compromise
- Unusual network traffic patterns on RPC ports (TCP 135, 139, 445) involving LSARPC communications
- Unexpected encryption algorithm negotiation in LSAD protocol sessions showing weak cipher usage
- Network traffic analysis showing unencrypted or weakly encrypted LSAD data transfers
- Anomalous authentication patterns from systems making frequent LSAD queries
Detection Strategies
- Monitor Windows Security Event logs for Event ID 4624 (logon events) and Event ID 4625 (failed logon attempts) correlating with LSARPC activity
- Implement network traffic inspection to detect RPC traffic using weak or deprecated encryption algorithms
- Deploy endpoint detection solutions to identify suspicious lsass.exe network communications
- Use packet capture analysis to identify LSARPC sessions not using AES-256 encryption
Monitoring Recommendations
- Enable advanced audit policies for "Audit Directory Service Access" and "Audit Logon Events"
- Configure network monitoring to alert on unexpected LSARPC traffic patterns between non-standard endpoints
- Implement SentinelOne Singularity XDR to detect and alert on suspicious LSA-related network activity and protocol anomalies
- Review domain controller logs for unusual policy query patterns that may indicate reconnaissance activity
How to Mitigate CVE-2022-21913
Immediate Actions Required
- Apply the January 2022 security updates from Microsoft to all affected Windows systems immediately
- Prioritize patching domain controllers and systems that handle sensitive domain policy operations
- Review and restrict network access to RPC services where possible using Windows Firewall rules
- Enable network-level protection through IPSec policies to enforce encrypted communications
Patch Information
Microsoft addressed this vulnerability in the January 2022 Patch Tuesday security updates. The patches enforce the use of AES encryption for LSAD protocol communications, preventing encryption downgrade attacks. Organizations should apply the appropriate update for their Windows version:
- Obtain patches from Microsoft Security Update Guide for CVE-2022-21913
- Review the Microsoft Security Advisory for additional guidance
After applying the security update, administrators should configure registry settings to enforce AES encryption for the LSAD protocol as detailed in Microsoft's guidance.
Workarounds
- Implement network segmentation to restrict access to domain controller RPC services from untrusted network segments
- Enable IPSec policies between domain-joined clients and domain controllers to add an additional encryption layer
- Configure Windows Firewall to restrict RPC traffic to known, trusted IP addresses
- Consider implementing network monitoring and anomaly detection to identify potential exploitation attempts until patches can be applied
# Registry configuration to enforce AES encryption for LSAD (post-patch)
# Run on domain controllers after applying security update
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaLookupCacheMaxSize" /t REG_DWORD /d 0 /f
# Enable audit logging for LSA operations
auditpol /set /subcategory:"Audit Directory Service Access" /success:enable /failure:enable
# Verify patch installation status
wmic qfe list | findstr /i "KB5009543 KB5009555 KB5009557 KB5009624"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
