Does CVE-2022-38023 have any impact to Data ONTAP 7-Mode

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 12,504

Visibility:: Public

Votes:: 13

Category:: data-ontap-8

Specialty:: 7dot

Last Updated:

Applies to

Data ONTAP 7-Mode
CVE-2022-38023

Answer

Yes, when the filer(vfiler) attempts to pass NTLM authentication over NETLOGON, the domain controller once Enforcement Phase is set, will return Access Denied

What workarounds are available?

7-mode Version	GPO	cifs.netlogon.secure_channel.enable
8.2.5P3 and older versions	add 7-mode computer object to GPO	option not available, Netlogon is not utlizing secure channel
8.2.5P4 and 8.2.5P5	add 7-mode computer object to GPO	`"options cifs.netlogon.secure_channel.enable off"`

Add 7-mode computer object to GPO: "Domain Controller: Allow vulnerable Netlogon secure channel connections” group policy object (GPO).
NOTE: For ONTAP 7-mode there is no patch planned to implement this new feature as 7-mode is under limited support.
NOTE: For ONTAP 7-mode 8.2.5P4 or 8.2.5P5 versions, to utilize GPO workaround, you must run "options cifs.netlogon.secure_channel.enable off "
By disabling the option above, you are reverting 7-mode to use nonsecure vulnerable Netlogon connections. This is the only method NetApp has seen that works with the formerly published GPO workaround "Domain Controller: Allow vulnerable Netlogon secure channel connections” group policy object (GPO)" .
NOTE: As of April 20, 2023 Microsoft KB5021130 NO LONGER references the GPO as a workaround to Enforcement. As of April 11, 2023 patches, this workaround was still valid for 7-mode, however, we cannot guarantee it's validity with any other future publicly available hotfixes.

How ONTAP 7-mode will be impacted by CVE-2022-38023 once "RequireSeal:2" enforcement is set (if workarounds above are not set):

When filer(vfiler) attempts to pass NTLM authentication information over NETLOGON, the patched domain controller will return Access Denied

ONTAP will report in EMS messages errors like: (this will only be seen if "options cifs.trace_login on" is enabled)

auth.dc.trace.DCConnection.errorMsg:error]: AUTH: Domain Controller error: 
NetLogon error 0xc0000022: - Filer's security information differs from domain controller \\DC1.

How ONTAP 7-mode will be impacted by CVE-2022-38023 once "RequireSeal:2" enforcement is set (if workarounds above are no longer valid):

Clients must ensure only Kerberos authentication is being used in their environment.
How does an SMB client identify which authentication style to use?
ONTAP Requirements for CIFS Kerberos

Additional Information

Does CVE-2022-38023 have any impact to ONTAP 9
This other KB has helpful hints on how to troubleshoot this issue: Microsoft Security Advisory CVE-2020-1472 impact on NetApp appliance running CIFS or NFS utilizing Netlogon servers
after running "options cifs.netlogon.secure_channel.enable off ", Switching between modes (enabled/disabled) requires that a cifs resetdc command (if using vfilers, run vfiler run <vfiler> cifs resetdc) be run to disconnect any current connections to DCs and reconnect to a DC in the new mode.