CVE-2022-21913 in Windowsinfo

Summary

by MITRE • 01/12/2022

Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 05/02/2025

The vulnerability identified as CVE-2022-21913 represents a critical security flaw within the Local Security Authority (LSA) subsystem of Microsoft Windows operating systems, specifically affecting the Domain Policy Remote Protocol implementation. This issue resides in the Windows LSA service that manages local security policies and authentication processes, making it a prime target for attackers seeking to escalate privileges or bypass critical security controls. The vulnerability manifests as a security feature bypass that allows unauthorized access to domain policy configurations through remote protocol mechanisms, undermining the fundamental security boundaries that protect domain-joined systems from malicious interference.

The technical exploitation of this vulnerability occurs through the manipulation of the LSA Domain Policy Remote Protocol interface, which is designed to handle policy updates and synchronization across domain-joined machines. Attackers can leverage this flaw to bypass authentication requirements and access restricted policy settings that should only be available to domain administrators or privileged security entities. The vulnerability stems from improper validation of remote protocol calls within the LSA subsystem, allowing malicious actors to craft specially crafted requests that circumvent the normal access control mechanisms. This flaw operates at a low system level within the Windows security architecture, making it particularly dangerous as it can be exploited before traditional security layers are engaged.

The operational impact of CVE-2022-21913 extends beyond simple privilege escalation, as it enables attackers to modify critical domain policies that govern user access, authentication methods, and security configurations across entire network domains. Successful exploitation can result in persistent access to network resources, enabling attackers to establish backdoors, modify user permissions, or disable security features that protect against further compromise. The vulnerability affects Windows Server 2016, Windows Server 2019, and Windows Server 2022 systems, with the attack surface expanding to include any domain-joined systems that rely on the LSA for policy enforcement. From an adversary perspective, this vulnerability aligns with attack techniques documented in the MITRE ATT&CK framework under privilege escalation and defense evasion tactics, specifically targeting the LSA service as a critical system component for maintaining security boundaries.

Mitigation strategies for this vulnerability require immediate implementation of Microsoft security patches and updates, as the flaw represents an unauthenticated remote code execution vector that can be exploited without prior access credentials. Network administrators should implement strict firewall rules to limit communication on the LSA Domain Policy Remote Protocol ports, while also monitoring for unusual authentication patterns or policy modification activities that might indicate exploitation attempts. The vulnerability demonstrates the importance of securing core Windows security services and aligns with CWE-284, which addresses improper access control in software systems. Organizations should also conduct thorough security assessments of their domain infrastructure to identify systems that may be vulnerable to this type of attack, particularly focusing on systems that maintain elevated privileges or handle sensitive policy configurations. Regular security monitoring and incident response procedures must be enhanced to detect potential exploitation attempts, as the vulnerability could be leveraged to establish persistent access to critical domain resources.

Responsible

Microsoft

Reservation

12/14/2021

Disclosure

01/12/2022

Moderation

accepted

CPE

ready

EPSS

0.02984

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!