Microsoft Netlogon: Potential Upcoming Impacts of CVE-2022-38023, (Sat, Apr 8th)


This was brought to our attention by a reader (thank you, William!). The vulnerability CVE-2022-38023 affected the Microsoft Netlogon[1] protocol with an RPC escalation of privilege vulnerability. Microsoft provided a patch to fix it. It improves Netlogon security by enforcing RPC sealing instead of only signing the communication with the Domain Controller. RPC sealing is a security measure that both signs and encrypts the messages sent over the wire by the Netlogon protocol. Microsoft released a knowledge base article[2] with more information about the technique used to fix the vulnerability.

Sealing is controlled via a registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

“RequireSeal” can be set to the following values:

  • 0 – Disabled
  • 1 – Compatibility mode. Windows domain controllers will require that Netlogon clients use RPC Seal if they are running Windows or acting as either domain controllers or Trust accounts.
  • 2 – Enforcement mode. All clients must use RPC Seal unless they are added to the “Domain Controller: Allow vulnerable Netlogon secure channel connections” group policy object (GPO).

When the patch was released, it was in compatibility mode, but Microsoft defined an interesting timeline:

  • Nov 8, 2022: Initial deployment phase. Sealing has no impact yet and can still be disabled (RequireSeal set to 0)
  • Dec 13, 2022: Systems are in audit mode and events are generated (Source: Microsoft-Windows-Kerberos-Key-Distribution-Center, event IDs 43 or 44)
  • Apr 11, 2023: Initial enforcement phase. Sealing can’t be disabled in the registry anymore (RequireSeal must be 1 or 2)
  • Jul 11, 2023: Authentication will fail if sealing is not present
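To turn the key, the values and the timeline above into a quick check, here is an added PowerShell example (my code, not from the diary or from Microsoft) that reports a domain controller's sealing posture. It reads RequireSeal from the registry key quoted above, maps it to the three modes, flags the value against the enforcement dates, and counts the audit events the diary attributes to Microsoft-Windows-Kerberos-Key-Distribution-Center (IDs 43 and 44). Assumptions of mine: the function and parameter names, the mode labels, the 30-day look-back window, and that the "Allow vulnerable Netlogon secure channel connections" GPO is backed by the VulnerableChannelAllowList value under the same key.

```powershell
# Added example, not code from the ISC diary or from Microsoft.
# Read-only posture check for Netlogon RPC sealing on a domain controller.
# Run in an elevated PowerShell session on the DC.

function Get-NetlogonSealingPosture {
    [CmdletBinding()]
    param(
        [int]$Days = 30    # look-back window for audit events (my choice)
    )

    # Registry key named in the diary.
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $params  = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue

    # RequireSeal meanings as listed in the diary; $null means the value is absent.
    $requireSeal = $null
    if ($null -ne $params -and $null -ne $params.RequireSeal) { $requireSeal = [int]$params.RequireSeal }

    if ($null -eq $requireSeal)  { $modeLabel = 'Not configured (value absent)' }
    elseif ($requireSeal -eq 0)  { $modeLabel = 'Disabled' }
    elseif ($requireSeal -eq 1)  { $modeLabel = 'Compatibility mode (Windows clients, DCs and trust accounts must seal)' }
    elseif ($requireSeal -eq 2)  { $modeLabel = 'Enforcement mode (all clients must seal unless exempted by GPO)' }
    else                         { $modeLabel = "Unknown value $requireSeal" }

    # Exemptions: assumption (not stated in the diary) that the GPO
    # "Domain Controller: Allow vulnerable Netlogon secure channel connections"
    # is stored as VulnerableChannelAllowList under the same key.
    $allowList = $null
    if ($null -ne $params) { $allowList = $params.VulnerableChannelAllowList }

    # Timeline milestones from the diary, evaluated against today's date.
    $now      = Get-Date
    $findings = New-Object System.Collections.Generic.List[string]
    if ($requireSeal -eq 0 -and $now -ge (Get-Date '2023-04-11')) {
        $findings.Add('RequireSeal=0: disabling sealing is no longer honoured since the Apr 11, 2023 enforcement phase (value must be 1 or 2).')
    }
    if ($requireSeal -ne 2 -and $now -ge (Get-Date '2023-07-11')) {
        $findings.Add('Since Jul 11, 2023 clients that do not seal fail authentication; RequireSeal=2 makes the intended posture explicit.')
    }
    if ($allowList) {
        $findings.Add('An exemption list is configured: the listed clients may skip sealing. Review whether each entry is still needed.')
    }

    # Audit events the diary points to: provider Microsoft-Windows-Kerberos-Key-Distribution-Center, IDs 43 and 44.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
            Id           = 43, 44
            StartTime    = $now.AddDays(-$Days)
        } -ErrorAction SilentlyContinue)
    if ($events.Count -gt 0) {
        $findings.Add("$($events.Count) audit event(s) with ID 43/44 in the last $Days days; review their messages for the clients involved.")
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        RequireSeal       = $requireSeal
        Mode              = $modeLabel
        ExemptClients     = $allowList
        AuditEventCount   = $events.Count
        LatestAuditEvents = $events | Sort-Object TimeCreated -Descending | Select-Object -First 5 TimeCreated, Id, Message
        Findings          = $findings
    }
}

# Usage: run on each domain controller; Format-List keeps the findings readable.
Get-NetlogonSealingPosture -Days 30 | Format-List
```

Running it on every DC before the July date gives an inventory of where sealing is still disabled or merely audited, and the event messages name the clients (NAS, printers and similar devices mentioned below) that need a firmware or configuration update before enforcement.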

Many devices use Netlogon across networks. Think about NAS, multi-function printers (MFP), etc. Some vendors have already published support articles about the potential effect of this enforcement[3].

[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f
[2] KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023 – Microsoft Support
[3] https://kb.netapp.com/onprem/ontap/da/NAS/Does_CVE-2022-38023_have_any_impact_to_ONTAP_9

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
