
Impact of KrbTgtFullPAC Signature (CVE-2022-37967) patches


I am a bit concerned about the Windows November 2022 patches that introduced signing of the PAC field in Kerberos tickets.

  1. There is a RegKey (“KrbtgtFullPacSignature”) that, if set to audit mode, accepts and logs all unsigned tickets. Since January, we have enabled this key on all of our DCs, but nothing is logged on our DCs, even though we have some Server 2008 and Windows 7 systems, which should not be able to sign this field.
  2. If I understand Microsoft's timeline correctly (Source), those old unpatched clients won't be able to authenticate once Enforcement Mode is enabled in October 2023. However, I haven't heard any worries about incompatible clients or systems on various IT news pages. Am I the only one who is worried that our systems might be affected?
  3. Manufacturers of devices like NAS units don't publish anything about this upcoming issue or release firmware that implements these new changes in the Kerberos protocol.

Am I worried too much about this? How do you deal with this topic?
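As an added example (not part of the original post, and not Microsoft's own tooling), the following PowerShell script shows the check a domain admin would run before worrying about enforcement: read the KrbtgtFullPacSignature value under HKLM\SYSTEM\CurrentControlSet\Services\Kdc on every domain controller, map it to the documented mode (0 = disabled, 1 = deployment/sign-only, 2 = audit, 3 = enforcement), and count the KDC audit events of the last seven days. Two things are assumptions and should be verified against Microsoft's KB5020805 before relying on them: the event IDs 42, 43 and 44 used for the PAC-signature audit, and the provider name Microsoft-Windows-Kerberos-Key-Distribution-Center in the System log. The script needs the RSAT ActiveDirectory module and WinRM access to the DCs. Note that the full PAC signature is added by the KDC that issues a ticket, so the audit events report tickets issued by not-yet-updated DCs, which is why a fully patched DC set can legitimately show zero events.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT)
# and PowerShell remoting to each DC.
Import-Module ActiveDirectory

$kdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName = 'KrbtgtFullPacSignature'

# Mode values as documented for KrbtgtFullPacSignature.
$modes = @{
    0 = 'Disabled (no new signature)'
    1 = 'Deployment (sign, do not verify)'
    2 = 'Audit (verify, log, allow)'
    3 = 'Enforcement (reject missing/invalid)'
}

# ASSUMPTION: event IDs and provider name taken from KB5020805; verify before use.
$pacEventIds  = 42, 43, 44
$kdcProvider  = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
$lookbackDays = 7

# Every DC is a KDC, so every DC must be checked, not just the PDC emulator.
$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    # Registry value is absent when the admin never set it; the patch default then applies.
    $value = (Get-ItemProperty -Path $using:kdcKey -Name $using:valueName `
                -ErrorAction SilentlyContinue).$using:valueName

    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as zero events.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = $using:kdcProvider
        Id           = $using:pacEventIds
        StartTime    = (Get-Date).AddDays(-$using:lookbackDays)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DC          = $env:COMPUTERNAME
        ModeValue   = $value
        PacEvents   = @($events).Count
        LastEvent   = if ($events) { ($events | Select-Object -First 1).TimeCreated } else { $null }
        LastMessage = if ($events) { ($events | Select-Object -First 1).Message } else { $null }
    }
}

$report |
    Select-Object DC, ModeValue,
        @{ Name = 'Mode'; Expression = {
            if ($null -eq $_.ModeValue) { 'Not set (update default applies)' }
            else { $modes[[int]$_.ModeValue] }
        } },
        PacEvents, LastEvent, LastMessage |
    Sort-Object DC |
    Format-Table -AutoSize
```

A DC reporting ModeValue 2 with PacEvents at zero over a week of normal logon traffic means no ticket without (or with an invalid) full PAC signature reached that KDC; a non-zero count is the list of tickets that enforcement mode would have rejected, and the message text identifies the ticket's source.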
