NetApp Knowledgebase

Microsoft Security Advisory: CVE-2020-1472 impact on NetApp appliance running CIFS\NFS utilizing Netlogon servers

Applies to

  • Data ONTAP 7
  • Data ONTAP 8 7-mode
  • Clustered Data ONTAP 8
  • ONTAP 9

Answer

What impact will CVE-2020-1472 have on ONTAP?

  • Once Microsoft has enabled enforcement of FullSecureChannelProtection, the expected impact on ONTAP for NTLM authentication is as follows:
    • ONTAP (also known as Clustered Data ONTAP, CDOT)
      • ONTAP supports Netlogon Secure Channel, and no changes are required for ONTAP after the enforcement phase.

  • Data ONTAP 7-mode
    • 7-mode supports Netlogon Secure Channel on fixed releases (8.2.5P4 and later 7-mode releases).
    • Any CIFS\SMB client authentication that uses NTLM authentication will most likely be impacted.

  • For more information, please contact NetApp Technical Support.

Frequently Asked Questions

Q: Are there any limitations with ONTAP with regard to which ciphers are supported?
Q: Are there any changes required with ONTAP once FullSecureChannelProtection is enforced?
  • None.
Q: For 7-mode, what workaround is available once FullSecureChannelProtection is enforced?
  • Upgrade to a release containing the fix for bug 1343982 (Support Netlogon Secure Channel in 7-mode for CVE-2020-1472): 8.2.5P4 and later.
  • After the upgrade, a new option is available (default off). Enable this option:
    • options cifs.netlogon.secure_channel.enable on
  • Switching between modes (enabled/disabled) requires that a 'cifs resetdc' command be run to disconnect any current connections to DCs and reconnect to a DC in the new mode.
  • NOTE: After the upgrade, regardless of the setting of cifs.smb2.client.enable, secure Netlogon communications will use SMB2 for DC communications.

-or-

Q: Where can I find more information on what NTLM authentication is?
Q: How can I see which CIFS/SMB connections are using NTLM or Kerberos?
  • On ONTAP, run this command to see which authentication mechanism clients used in currently logged-on sessions:
    ::> vserver cifs session show -fields auth-mechanism
Q: On 7-mode, when FullSecureChannelProtection is enabled, why do we see "Filer's security information differs from domain controller" errors?
  • On 7-mode systems, when an NTLM authentication is denied as a result of FullSecureChannelProtection being set to 1, the following error is also recorded:
    [fas02:auth.dc.trace.DCConnection.errorMsg:error]: AUTH: Domain Controller error: NetLogon error 0xc0000022: - Filer's security information differs from domain controller \\DC1.
  • The Access Denied returned by the DC for the rejected NetrLogonSamLogon call results in this error.
  • This error can be misleading and could throw off troubleshooting for this type of issue, but the filer is not out of sync in the scenario above.
  • To confirm the scenario above, the error will be accompanied by Event ID 5827 on the DC for the 7-mode CIFS server computer account:
    "The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account."
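The two log sources above can be correlated mechanically. The following Python is an added example, not NetApp's code: it parses the 7-mode message quoted above together with a flattened export of DC Event ID 5827 (the key=value export layout, host names and computer accounts are constructed) and separates filer errors that a 5827 on the same DC explains from those that still warrant an out-of-sync investigation.

```python
import re
# Added example, not NetApp code; the log layouts below are constructed.
# 7-mode syslog line quoted in the KB: filer name, NetLogon status code, and
# the DC named after "differs from domain controller \\".
FILER_RE = re.compile(
    r"\[(?P<filer>[^:\]]+):auth\.dc\.trace\.DCConnection\.errorMsg:error\]: "
    r"AUTH: Domain Controller error: NetLogon error (?P<code>0x[0-9a-fA-F]+):"
    r".*differs from domain controller \\\\(?P<dc>[^.\s]+)"
)
# Flattened DC event export (constructed key=value layout); 5827 names the denied account FILER$.
DC_EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+Computer=(?P<dc>\S+)\s+MachineSamAccountName=(?P<acct>\S+)"
)

def parse_filer(line):
    m = FILER_RE.search(line)
    return m.groupdict() if m else None

def parse_dc_event(line):
    m = DC_EVENT_RE.search(line)
    return m.groupdict() if m and m.group("id") == "5827" else None

def correlate(filer_lines, dc_lines):
    """Split 0xc0000022 'security information differs' filer errors into those
    explained by a 5827 on the same DC for FILER$ (enforcement denial, filer is
    not out of sync) and those with no 5827 (investigate as a real mismatch)."""
    denials = [e for e in map(parse_dc_event, dc_lines) if e]
    explained, unexplained = [], []
    for f in filter(None, map(parse_filer, filer_lines)):
        if f["code"].lower() != "0xc0000022":
            continue
        hit = any(
            e["acct"].upper() == f["filer"].upper() + "$"
            and e["dc"].split(".")[0].upper() == f["dc"].upper()
            for e in denials
        )
        (explained if hit else unexplained).append((f["filer"], f["dc"]))
    return explained, unexplained

# Constructed sample: DC1 logged a 5827 for fas02 but not for fas03, although
# both filers show the identical "security information differs" message.
FILER_LOG = [
    f"[{h}:auth.dc.trace.DCConnection.errorMsg:error]: AUTH: Domain Controller error: "
    "NetLogon error 0xc0000022: - Filer's security information differs from domain controller \\\\DC1."
    for h in ("fas02", "fas03")
]
DC_LOG = [
    "EventID=5827 Computer=DC1.corp.example MachineSamAccountName=FAS02$",
    "EventID=4624 Computer=DC1.corp.example MachineSamAccountName=FAS03$",
]
```

Feed the function the filer's messages log and a flattened export of the DC's System log filtered to Event ID 5827; anything that lands in the second list is the case where the filer may genuinely be out of sync.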
