Microsoft Netlogon: Potential Upcoming Impacts of CVE-2022-38023, (Sat, Apr 8th)

Windows logo - 2021
Windows logo – 2021

This has been brought to our attention by a reader (thank you, William!). The vulnerability %%cve:2022-38038%% affected the Microsoft Netlogon[1] procedure with an RPC escalation of privilege vulnerability. Microsoft provided a patch to fix it. It improves the Netlogon security by enforcing RPC sealing instead of signing off the communication with the Domain Controller. RPC sealing is a security measure that both signs and encrypts the messages sent over the wire by the Netlogon protocol. Microsoft released a knowledge base article[2] with more information about the technique used to fix the vulnerability.

Sealing is controlled via a registry key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetlogonParameters

“RequireSeal” can be set to the following values:

  • 0 – Disabled
  • 1 – Compatibility mode. Windows domain controllers will require that Netlogon clients use RPC Seal if they are running Windows or acting as either domain controllers or Trust accounts.
  • 2 – Enforcement mode. All clients must use RPC Seal unless they are added to the “Domain Controller: Allow vulnerable Netlogon secure channel connections” group policy object (GPO).

When the patch was released, it was in compatibility mode, but Microsoft defined an interesting timeline:

  • Nov 8, 2022: Initial deployment phase but no impact of the sealing is not present, and the possibility of disabling the Sealing
  • Dev 13, 2022: System in audit mode and events are generated (Source: Microsoft-Windows-Kerberos-Key-Distribution-Center and event IDs 43 or 44)
  • Apr 11, 2023: Initial enforcement phase, sealing can’t be disabled in the registry (Must be 1 or 2)
  • Jul 11, 2023: Authentication will fail if Sealing is not present

Many devices use Netlogon across networks. Think about NAS, multi-function printers (MFP), etc. Some vendors have already published support articles about the potential effect of this enforcement[3].

[2] KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023 – Microsoft Support

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Alex Post