Does CVE-2022-38023 have any impact to ONTAP 9?
Applies to
- ONTAP 9
- FSX
- Cloud Volumes ONTAP (CVO)
- SMB/CIFS
- Netlogon (NTLM Authentication)
- CVE-2022-38023 - Netlogon RPC Elevation of Privilege Vulnerability
Answer
1. ONTAP features configured for domain authentication using NTLMv1 or NTLMv2 e.g. CIFS, Vscan, RBAC, domain tunnel, etc. are affected
::> set advanced
::*> vserver cifs session show -vserver <vserver> -fields auth-mechanism,address,windows-user
node vserver session-id connection-id address auth-mechanism windows-user
------------ --------- -------------------- ------------- ------------ -------------- ------------
netapp-01a <vserver> 17134789207261194186 2550496605 10.62.125.88 NTLMv2 DEMO\user6
netapp-01b <vserver> 17134789207261194188 2550496606 10.216.29.42 Kerberos DEMO\Administrator
2 entries were displayed.
Note: If Kerberos authentication attempt fails, NTLM (NTLMv1 or NTLMv2) is default fallback.
2. Impact: All CIFS Domain authentication using NTLM will fail post DC server patch upgrade: RFE 1514175
3. Actions as per SU530 are required before June 13, 2023 - "Enforcement by Default" phase when Microsoft's CVE-2022-38023 patches are installed
How do the phases impact ONTAP?
|
Microsoft Phases |
What changed |
How did this impact ONTAP 9? |
What options do I have? |
|---|---|---|---|
| Nov 2022 - Initial Deployment Phase | Windows updates on or after November 8, 2022 address security bypass vulnerability of CVE-2022-38023 by enforcing RPC sealing on all Windows clients. |
|
Workaround: Set Registry to RequireSeal:1 Compatibility mode on Domain Controllers to prevent an issue in June |
|
Apr 2023 - Initial Enforcement Phase |
Windows updates released on or after April 11, 2023 will remove the ability to disable RPC sealing by setting RequireSeal:0 |
|
|
|
June 2023 - Enforcement by Default |
If RequireSeal is not configured, this update will by default assume that RequireSeal:2 If workaround is applied, this value is set to 1, thus compatibility mode is configured and used. |
|
|
|
July 2023 - Enforcement Phase |
The Windows updates released on July 11, 2023 will remove the ability to set RequireSeal:1 RequireSeal is forced to be to 2, contents of the registry value are ignored. |
|
|
ONTAP impact once RequireSeal:1 is set:
- Domain Controller may record following event ID 5838 as Warning
ONTAP impact once RequireSeal:2 is set:
- If ONTAP is unpatched, when SVM attempts NTLM authentication, the patched domain controller will return Access Denied causing the request to fail
- EMS Syslog Translator for secd.cifsAuth.problem including the entry:
FAILURE: Pass-through authentication failed. (NT Status: NT_STATUS_NO_LOGON_SERVERS(0xc000005e))
- EMS also indicate below event to indicate no DC's available.
secd.netlogon.noServers: None of the Netlogon servers configured for Vserver (vs1) are currently accessible via the network.
- Domain Controller may record following event ID 5838 as Error.
Log Name: System Source: NETLOGON Date: 2/22/2023 3:17:28 PM Event ID: 5838 Task Category: None Level: Error Keywords: Classic User: N/A Computer: dc1.demo.netapp.local Description: The Netlogon service encountered a client using RPC signing instead of RPC sealing. Machine SamAccountName: CIFSSERVERNAME
Additional Information
- We can run below command on Domain Controller to check for event ID 5838.
>Get-WinEvent -LogName "System" | Where-Object -Property Id -eq 5838
- How to workaround impact seen after applying CVE-2022-38023 on domain controllers after June 13 2023
- How to manually configure RequireSeal to Compatibility Mode on a Windows domain controller
- CVE-2022-38023 NetApp context:
- Helpful commands to identify CIFS authentication styles:
- ONTAP user (RBAC) authentication
- CIFS / SMB client authentication:
- Kerberos