Microsoft Security Advisory CVE-2020-1472 impact on NetApp appliance running CIFS or NFS utilizing Netlogon servers
Applies to
- Data ONTAP 7-Mode
- ONTAP 9
Answer
Impact of Microsoft CVE-2020-1472 on ONTAP and Data ONTAP 7-Mode
- This KB covers NetApp's response to the Microsoft Security Advisories in the following Microsoft articles:
- Once Microsoft has enabled enforcement of FullSecureChannelProtection, the following is the expected impact on ONTAP for NTLM authentication:
ONTAP (including Clustered Data ONTAP 8)
ONTAP, also known as Clustered Data ONTAP (CDOT), supports Netlogon Secure Channel, and no changes are required for ONTAP after the enforcement phase.
Data ONTAP 7-Mode
Failing to deploy the workarounds stated below can impact any CIFS/SMB client authentication that utilizes NTLM authentication.
- 7-Mode supports Netlogon Secure Channel on fixed releases (7-Mode 8.2.5P5 and later)
- Review the details in 1343982: Support Netlogon Secure Channel in 7-mode for CVE-2020-1472
- Workaround 1: NetApp recommendation is to upgrade to 8.2.5P5
- A new option was introduced to enable support for secure Netlogon (cifs.netlogon.secure_channel.enable)
- This option is vfiler scoped; it must be enabled on all vfilers involved in domain authentication
- Workaround 2: Microsoft provides a workaround that allows vulnerable Netlogon secure channel connections via GPO
- If this does not work, please contact Microsoft support so we can collaborate with them.
- For more information, contact Netapp Technical Support
Frequently asked questions
Are there limitations with ONTAP on what ciphers are supported?
- ONTAP supports DES and HMAC-MD5 (when strong key is set)
- ONTAP supports AES (HMAC-SHA256) for Netlogon Secure Channel in ONTAP 9.10.1+
- This functionality was added via 1152048: Netlogon secure channel connection fails if AES is enforced on the Windows Domain Controller
Are there changes required with ONTAP once FullSecureChannelProtection is enforced?
No
What workaround is available for 7-Mode once FullSecureChannelProtection is enforced?
Workaround 1
After the upgrade, regardless of the setting for cifs.smb2.client.enable, secure Netlogon communications will use SMB2 for DC communications.
- Upgrade to a release that includes the fix for 1343982: Support Netlogon Secure Channel in 7-mode for CVE-2020-1472 (8.2.5P5 and later)
- After the upgrade, a new option is available (default off). Enable this option:
options cifs.netlogon.secure_channel.enable on
This option is vfiler scoped; it must be enabled on all vfilers involved in domain authentication:
vfiler run <vfiler> options cifs.netlogon.secure_channel.enable on
- Switching between modes (enabled/disabled) requires that a cifs resetdc command (if using vfilers, vfiler run <vfiler> cifs resetdc) be run to disconnect any current connections to DCs and reconnect to a DC in the new mode.
If you are not able to perform the above actions, follow Workaround 2.
Workaround 2
Add the 7-Mode cifs server computer account to the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy as described in How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472
Where can I find more information on NTLM Authentication?
How to determine if CIFS/SMB connections are using NTLM or Kerberos?
- ONTAP: Run this command to see which authentication mechanism each currently logged-on session is using:
::> vserver cifs session show -fields auth-mechanism
For more information, see the man page for vserver cifs session show
- 7-Mode: There is no equivalent command. A packet capture is the only available method to discern the client authentication mechanism.
For more information, see How to collect a network trace with pktt in Data ONTAP 7-Mode
On 7-Mode, when FullSecureChannelProtection is enabled, why do I see "Filer's security information differs from domain controller" errors?
- On 7-Mode systems, when NTLM authentication is denied as a result of FullSecureChannelProtection being set to 1, this error is seen:
[fas02:auth.dc.trace.DCConnection.errorMsg:error]: AUTH: Domain Controller error: NetLogon error 0xc0000022: - Filer's security information differs from domain controller \\DC1.
- This error results from the DC rejecting the filer's NetrLogonSamLogon call with Access Denied.
- The error can be misleading and throw off troubleshooting for this type of issue: the filer is not out of sync with the domain in this scenario.
- To confirm this case, the error will be accompanied by Event ID 5827 on the DC for the 7-Mode CIFS server computer account:
The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.
- If this message is seen on your 7-Mode system, follow the workaround steps noted above (upgrade, enable the option and run cifs resetdc, or add the computer account to the GPO).
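As an added example (not NetApp's code and not part of this KB), a small Python triage script that applies the confirmation step above: it parses the 7-Mode "security information differs" EMS line, checks that the NetLogon status is 0xc0000022, and looks for a matching Event ID 5827 on the DC for the filer's computer account. The timestamps, the DC event records and the rule that the computer account is the filer name plus "$" are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
# Regex for the 7-Mode EMS line quoted in the KB (filer name, NT status, DC from the UNC path).
FILER_ERR_RE = re.compile(
    r"\[(?P<filer>[^:]+):auth\.dc\.trace\.DCConnection\.errorMsg:error\]: "
    r"AUTH: Domain Controller error: NetLogon error (?P<status>0x[0-9a-fA-F]{8}): - "
    r"Filer's security information differs from domain controller \\\\(?P<dc>\S+)\."
)
STATUS_ACCESS_DENIED = 0xC0000022  # the NetrLogonSamLogon rejection the KB describes

def parse_filer_error(line):
    """Return (filer, status, dc) for a 'security information differs' line, else None."""
    m = FILER_ERR_RE.search(line)
    if not m:
        return None
    return m.group("filer"), int(m.group("status"), 16), m.group("dc")

def correlate(filer_lines, dc_events, window=timedelta(minutes=5)):
    """Flag filer 0xc0000022 errors that have a DC Event ID 5827 for the filer's machine
    account within `window`: those are enforcement denials, not a broken machine trust.
    dc_events is a constructed list of dicts; a real 5827 carries Machine SamAccountName."""
    findings = []
    for ts, line in filer_lines:
        parsed = parse_filer_error(line)
        if parsed is None or parsed[1] != STATUS_ACCESS_DENIED:
            continue
        filer, _, dc = parsed
        account = filer.upper() + "$"  # assumption: computer account name equals the filer name
        matched = [e for e in dc_events
                   if e["event_id"] == 5827
                   and e["sam_account_name"].upper() == account
                   and abs(e["time"] - ts) <= window]
        findings.append({"filer": filer, "dc": dc, "enforcement_denial": bool(matched)})
    return findings

# Constructed sample input: the KB's log line with a made-up timestamp, plus one unrelated line.
SAMPLE_FILER_LOG = [
    (datetime(2021, 2, 10, 9, 0, 12),
     "[fas02:auth.dc.trace.DCConnection.errorMsg:error]: AUTH: Domain Controller error: "
     "NetLogon error 0xc0000022: - Filer's security information differs from domain controller \\\\DC1."),
    (datetime(2021, 2, 10, 9, 0, 15), "[fas02:constructed.unrelated:info]: not a Netlogon error"),
]
SAMPLE_DC_EVENTS = [  # constructed DC security-log record for Event ID 5827
    {"event_id": 5827, "time": datetime(2021, 2, 10, 9, 0, 10), "sam_account_name": "FAS02$"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_FILER_LOG, SAMPLE_DC_EVENTS):
        print(f)  # {'filer': 'fas02', 'dc': 'DC1', 'enforcement_denial': True}
```

A finding with enforcement_denial set to True means the filer error is the FullSecureChannelProtection symptom described above, so the fix is the workaround (upgrade and enable the option, or the GPO exception) rather than resetting the machine account.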