Skip to main content
NetApp Knowledge Base

Does CVE-2022-38023 have any impact to Data ONTAP 7-Mode

Views:
12,233
Visibility:
Public
Votes:
12
Category:
data-ontap-8
Specialty:
7dot
Last Updated:

Applies to

  • Data ONTAP 7-Mode
  • CVE-2022-38023

Answer

Yes, when the filer(vfiler) attempts to pass NTLM authentication over NETLOGON, the domain controller once Enforcement Phase is set, will return Access Denied

What workarounds are available?

7-mode Version GPO cifs.netlogon.secure_channel.enable
8.2.5P3 and older versions add 7-mode computer object to GPO option not available, Netlogon is not utlizing secure channel
8.2.5P4 and 8.2.5P5 add 7-mode computer object to GPO "options cifs.netlogon.secure_channel.enable off"
  • Add 7-mode computer object to GPO: "Domain Controller: Allow vulnerable Netlogon secure channel connections” group policy object (GPO).
  • NOTE: For ONTAP 7-mode there is no patch planned to implement this new feature as 7-mode is under limited support.
  • NOTE: For ONTAP 7-mode 8.2.5P4 or 8.2.5P5 versions, to utilize GPO workaround, you must run "options cifs.netlogon.secure_channel.enable off "
  • By disabling the option above, you are reverting 7-mode to use nonsecure vulnerable Netlogon connections. This is the only method NetApp has seen that works with the formerly published GPO workaround "Domain Controller: Allow vulnerable Netlogon secure channel connections” group policy object (GPO)" .
  • NOTE: As of April 20, 2023 Microsoft KB5021130 NO LONGER references the GPO as a workaround to Enforcement. As of April 11, 2023 patches, this workaround was still valid for 7-mode, however, we cannot guarantee it's validity with any other future publicly available hotfixes.
 

How ONTAP 7-mode will be impacted by CVE-2022-38023 once "RequireSeal:2" enforcement is set (if workarounds above are not set):

  • When filer(vfiler) attempts to pass NTLM authentication information over NETLOGON, the patched domain controller will return Access Denied
  • ONTAP will report in EMS messages errors like: (this will only be seen if "options cifs.trace_login on" is enabled)
    auth.dc.trace.DCConnection.errorMsg:error]: AUTH: Domain Controller error: 
    NetLogon error 0xc0000022: - Filer's security information differs from domain controller \\DC1.
    

How ONTAP 7-mode will be impacted by CVE-2022-38023 once "RequireSeal:2" enforcement is set (if workarounds above are no longer valid):

Additional Information

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.