There is an out-of-band patch scheduled for before the end of this week. You will have to install the faulty one before you can apply the fix, so plan for a double reboot.
#KB5021131 #Kerberos #RC4Disaster #AES
Source:
https://nitter.it/SteveSyfuhs/status/1593270862853320704#m
#KB5021131 #kerberos #rc4disaster #aes
I deleted my last post on the updated guidelines for #KB5021131 CVE-2022-37966.
The workaround mentioned in the article at the time was not meant as a workaround, as SteveSyfuhs clarified.
https://nitter.it/SteveSyfuhs/status/1592921480958181376
It was therefore removed from the updated version of the article.
Updated guidelines for #KB5021131
How to manage the Kerberos protocol changes related to CVE-2022-37966
ApplyDefaultDomainPolicy is the official workaround.
#KB5021131 #kerberos #RC4 #aes
Why does #KB5021131 set the default encryption type for session keys also to DES-CBC-CRC + DES-CBC-MD5? Shouldn't this value be set to 24 to only allow AES128 + AES256?
#KB5021131 #kerberos #patchtuesday