14 DAY TRIAL // Microsoft rolled out hardening changes specifically aimed at the Windows Key Distribution Center information disclosure vulnerability, and if you’ve installed the latest updates, you received them already.
Microsoft explains that the new hardening changes, which are specifically aimed at the vulnerability documented in CVE-2021-33764, could generate some smart card authentication glitches on Windows devices.
“With these changes, smart card (PIV) authentication might cause print and scan failures when you install updates released on July 13, 2021, or later versions on a domain controller (DC). The affected devices are smart card authenticating printers, scanners, and multifunction devices that don’t support either Diffie-Hellman (DH) for key exchange during PKINIT Kerberos authentication or don’t advertise support for des-ede3-cbc ("triple DES”) during the Kerberos AS request,” the company explained.
Microsoft explains that a temporary mitigation has already been shipped, but the new July update will make important changes to require compliant printing and scanning devices only.
“A temporary mitigation, released in Windows Updates between July 29, 2021, and July 12, 2022, was made available for organizations that encountered this issue and couldn't bring devices into compliance as required for CVE-2021-33764. However, starting in July 2022, this temporary mitigation will not be usable in security updates. The Windows July 2022 preview update will remove the temporary mitigation and will require compliant printing and scanning devices,” Microsoft explains.
In a tech support document, Microsoft explains that users who are experiencing issues with printing and scanning devices should just make sure they are running the latest updates for their devices.
These include the most recent firmware and drivers, with the company explaining that users are recommended to reach out to the manufacturer to figure out if a configuration change is required or not.
“If your firmware and drivers are up-to-date and you still encounter this issue, we recommend that you contact the device manufacturer. Ask whether a configuration change is required to bring the device into compliance with the hardening change for CVE-2021-33764 or if a compliant update will be made available,” it says.