Skip to main content
NetApp Knowledge Base

Does CVE-2022-38023 have any impact to ONTAP 9?

  1. Last updated
  2. Save as PDF
Views:
80,359
Visibility:
Public
Votes:
112
Category:
ontap-9
Specialty:
NAS
Last Updated:

Applies to

  • ONTAP 9
  • FSX
  • Cloud Volumes ONTAP (CVO)
  • SMB/CIFS
  • Netlogon (NTLM Authentication)
  • CVE-2022-38023 - Netlogon RPC Elevation of Privilege Vulnerability

Answer

  1. ONTAP features configured for domain authentication using NTLMv1 or NTLMv2 e.g. CIFS, Vscan, RBAC, domain tunnel, etc. are affected:
::> set advanced
::*> vserver cifs session show -vserver <vserver> -fields auth-mechanism,address,windows-user
node         vserver   session-id           connection-id address      auth-mechanism windows-user
------------ --------- -------------------- ------------- ------------ -------------- ------------
netapp-01a   <vserver> 17134789207261194186 2550496605    10.62.125.88 NTLMv2         DEMO\user6
netapp-01b   <vserver> 17134789207261194188 2550496606    10.216.29.42 Kerberos       DEMO\Administrator
2 entries were displayed.

Note: If Kerberos authentication attempt fails, NTLM (NTLMv1 or NTLMv2) is default fallback.

  1. Impact: All CIFS Domain authentication using NTLM will fail post DC server patch upgrade:  CONTAP-80033: NTLM authentication fails due to enforcement of Netlogon RPC sealing
  2. Actions as per SU530 are required before June 13, 2023 - "Enforcement by Default" phase when Microsoft's CVE-2022-38023 patches are installed
How do the phases impact ONTAP?

Microsoft Phases

What changed

How did this impact ONTAP 9?

What options do I have?

July 2023 - Enforcement Phase

The Windows updates released on July 11, 2023 will remove the ability to set RequireSeal:1

RequireSeal is forced to be to 2, contents of the registry value are ignored.
ONTAP impact once RequireSeal:1 is set:
ONTAP impact once RequireSeal:2 is set:
FAILURE: Pass-through authentication failed. (NT Status: NT_STATUS_NO_LOGON_SERVERS(0xc000005e))
  • EMS also indicate below event to indicate no DC's available.

secd.netlogon.noServers: None of the Netlogon servers configured for Vserver (vs1) are currently accessible via the network.

  • Domain Controller may record following event ID 5838 as Error. 
Log Name:      System
Source:        NETLOGON
Date:          2/22/2023 3:17:28 PM
Event ID:      5838
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      dc1.demo.netapp.local
Description:
The Netlogon service encountered a client using RPC signing instead of RPC sealing.  

Machine SamAccountName: CIFSSERVERNAME

Additional Information

  • We can run below command on Domain Controller to check for event ID 5838.

>Get-WinEvent -LogName "System" | Where-Object -Property Id -eq 5838

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.