NetApp Knowledge Base

Microsoft Security Advisory CVE-2020-1472 impact on NetApp appliance running CIFS or NFS utilizing Netlogon servers

Category: ontap-9
Specialty: cifs

Applies to

  • Data ONTAP 7-Mode
  • Clustered Data ONTAP 8
  • ONTAP 9

Answer

Impact of Microsoft CVE-2020-1472 on ONTAP and Data ONTAP 7-Mode
ONTAP (including Clustered Data ONTAP 8)

ONTAP (also known as Clustered Data ONTAP or CDOT) supports Netlogon Secure Channel, and no changes are required for ONTAP after the enforcement phase.

Data ONTAP 7-Mode
Failing to deploy the workarounds stated below can impact any CIFS/SMB client authentication that utilizes NTLM authentication.
Frequently asked questions
Are there limitations with ONTAP on what ciphers are supported?
Are there changes required with ONTAP once FullSecureChannelProtection is enforced?

No

What workaround is available for 7-Mode once FullSecureChannelProtection is enforced?

Workaround 1

After upgrade, regardless of the setting for cifs.smb2.client.enable, secure Netlogon communications will use SMB2 for DC communications.
  1. Upgrade to a release containing the fix for 1343982: Support Netlogon Secure Channel in 7-mode for CVE-2020-1472 (8.2.5P5+).
  2. After upgrade, a new option is available (default off). Enable this option:

options cifs.netlogon.secure_channel.enable on

This option is vfiler-scoped. It must be enabled on all vfilers involved in domain authentication:

vfiler run <vfiler> options cifs.netlogon.secure_channel.enable on

  3. Switching between modes (enabled/disabled) requires running cifs resetdc (if using vfilers, run vfiler run <vfiler> cifs resetdc) to disconnect any current connections to DCs and reconnect to a DC in the new mode.
If you are not able to perform the above action, follow Workaround 2.

Workaround 2

Add the 7-Mode CIFS server computer account to the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, as described in How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472.

Where can I find more information on NTLM Authentication?

See How ONTAP handles SMB client authentication

How to determine if CIFS/SMB connections are using NTLM or Kerberos?
  • ONTAP: Run this command to see which authentication mechanism is used in currently logged-on sessions:
    ::>vserver cifs session show -fields auth-mechanism

For more information, see the man page: vserver cifs session show

  • 7-Mode: There is no equivalent command available. A packet capture is the only available method to discern the client authentication mechanism.

For more information, see How to collect a network trace with pktt in Data ONTAP 7-Mode

On 7-Mode, when FullSecureChannelProtection is enabled, why do I see "Filer's security information differs from domain controller" errors?
  • On 7-Mode systems, when NTLM authentication is denied as a result of FullSecureChannelProtection being set to 1, this error is seen:
    [fas02:auth.dc.trace.DCConnection.errorMsg:error]: AUTH: Domain Controller error: NetLogon error 0xc0000022: - Filer's security information differs from domain controller \\DC1.
  • The error results from the DC rejecting the NetrLogonSamLogon call with Access Denied.
  • The error message is misleading and can throw off troubleshooting for this type of issue; the filer is not out of sync in this scenario.
  • To confirm this case, check the DC for an accompanying EventID 5827 for the 7-Mode CIFS server computer account:
    The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.
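
The confirmation step above (filer error 0xc0000022 accompanied by EventID 5827 on the DC) can be scripted. This Python sketch is an added example, not NetApp code: it matches the 7-Mode message format quoted above against DC event records. The sample log lines, the record fields (`event_id`, `dc`, `machine_account`) and the default mapping of a filer name to a `<name>$` machine account are assumptions constructed for illustration.

```python
import re

# Message format quoted in this article (7-Mode syslog).
FILER_RE = re.compile(
    r"\[(?P<filer>[^:\]]+):auth\.dc\.trace\.DCConnection\.errorMsg:error\]: "
    r"AUTH: Domain Controller error: NetLogon error (?P<status>0x[0-9a-fA-F]+):"
    r".*domain controller \\\\(?P<dc>[^\s.]+)")
ACCESS_DENIED = 0xC0000022  # status carried in the article's log line
DENIED_EVENT_ID = 5827      # DC event named in the article

# Constructed sample input (not captured from a real system).
MSG = (": AUTH: Domain Controller error: NetLogon error 0xc0000022: - Filer's "
       "security information differs from domain controller ")
SAMPLE_FILER_LOG = [
    "[fas02:auth.dc.trace.DCConnection.errorMsg:error]" + MSG + r"\\DC1.",
    "[fas03:auth.dc.trace.DCConnection.errorMsg:error]" + MSG + r"\\DC2.",
    "[fas02:some.other.event:info]: unrelated line",
]
SAMPLE_DC_EVENTS = [  # hypothetical export of DC System log records
    {"event_id": 5827, "dc": "DC1", "machine_account": "FAS02$"},
    {"event_id": 5827, "dc": "DC2.example.test", "machine_account": "CIFS03$"},
]


def parse_filer_errors(lines):
    """Return (filer, dc) pairs for NetLogon errors carrying 0xc0000022."""
    hits = []
    for line in lines:
        m = FILER_RE.search(line)
        if m and int(m.group("status"), 16) == ACCESS_DENIED:
            hits.append((m.group("filer").lower(), m.group("dc").lower()))
    return hits


def triage(filer_lines, dc_events, account_of=None):
    """Label each filer error by whether the DC logged a matching 5827."""
    account_of = account_of or {}  # filer name -> CIFS server machine account
    denied = {(e["dc"].split(".")[0].lower(), e["machine_account"].lower())
              for e in dc_events if e["event_id"] == DENIED_EVENT_ID}
    report = []
    for filer, dc in parse_filer_errors(filer_lines):
        # Assumption: machine account is "<filer>$" unless a mapping is given.
        account = account_of.get(filer, filer + "$").lower()
        verdict = ("netlogon-secure-channel-denied" if (dc, account) in denied
                   else "investigate-trust")
        report.append((filer, dc, verdict))
    return report
```

Pass `account_of` when the CIFS server name differs from the filer or vfiler hostname; otherwise a real 5827 denial is reported as `investigate-trust`.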