Microsoft Netlogon: Potential Upcoming Impacts of CVE-2022-38023, (Sat, Apr 8th)

This has been brought to our attention by a reader (thank you, William!). The vulnerability CVE-2022-38038 affected the Microsoft Netlogon[1] procedure with an RPC elevation of privilege vulnerability. Microsoft provided a patch to fix it. It improves Netlogon security by enforcing RPC sealing instead of RPC signing of the communication with the Domain Controller. RPC sealing is a security measure that both signs and encrypts the messages sent over the wire by the Netlogon protocol. Microsoft released a knowledge base article[2] with more information about the technique used to fix the vulnerability.


Sealing is controlled via a registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters


“RequireSeal” can be set to the following values:


  • 0 – Disabled

  • 1 – Compatibility mode. Windows domain controllers will require that Netlogon clients use RPC Seal if they are running Windows or acting as either domain controllers or Trust accounts.

  • 2 – Enforcement mode. All clients must use RPC Seal unless they are added to the “Domain Controller: Allow vulnerable Netlogon secure channel connections” group policy object (GPO).

When the patch was released, it was in compatibility mode, but Microsoft defined an interesting timeline:


  • Nov 8, 2022: Initial deployment phase. There is no impact if sealing is not present, and sealing can still be disabled.

  • Dec 13, 2022: Systems are in audit mode and events are generated (Source: Microsoft-Windows-Kerberos-Key-Distribution-Center, event IDs 43 or 44)

  • Apr 11, 2023: Initial enforcement phase, sealing can’t be disabled in the registry (Must be 1 or 2)

  • Jul 11, 2023: Authentication will fail if Sealing is not present

  • M ..
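The following PowerShell is an added example, not code from the diary or from Microsoft, for checking where a domain controller stands against the RequireSeal values and the timeline above. It reads the registry value from the Netlogon Parameters key, interprets it against the three documented settings, flags the configurations that stop being honoured or start failing on the dates given, and pulls the audit-phase events using the provider and event IDs the diary cites. The function names, the hypothetical reference date parameter, and the 'System' log name used for the event query are assumptions of this example.

```powershell
# Added example (not from the ISC diary): audit Netlogon RPC sealing on a DC.
# Run in an elevated PowerShell session on the domain controller.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Meaning of each RequireSeal value, as listed in the diary.
$RequireSealMeaning = @{
    0 = 'Disabled'
    1 = 'Compatibility mode: Windows clients, DCs and trust accounts must use RPC Seal'
    2 = 'Enforcement mode: all clients must use RPC Seal unless exempted by the GPO'
}

function Get-NetlogonRequireSeal {
    # Returns the current RequireSeal setting, or a marker when it is not set.
    $item = Get-ItemProperty -Path $NetlogonParams -Name 'RequireSeal' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Value = $null; Meaning = 'Not set (OS default applies)' }
    }
    $v = [int]$item.RequireSeal
    $meaning = if ($RequireSealMeaning.ContainsKey($v)) { $RequireSealMeaning[$v] } else { "Unknown value $v" }
    [pscustomobject]@{ Present = $true; Value = $v; Meaning = $meaning }
}

function Test-NetlogonSealingPosture {
    # Evaluates the setting against the diary's timeline. $ReferenceDate is a
    # hypothetical parameter so the check can be replayed for a past or future date.
    param([datetime]$ReferenceDate = (Get-Date))

    $state = Get-NetlogonRequireSeal
    $findings = New-Object System.Collections.Generic.List[string]

    if ($state.Present -and $state.Value -eq 0) {
        if ($ReferenceDate -ge [datetime]'2023-04-11') {
            $findings.Add('RequireSeal=0 is no longer honoured: since Apr 11, 2023 the value must be 1 or 2.')
        } else {
            $findings.Add('RequireSeal=0 disables sealing; this stops working on Apr 11, 2023.')
        }
    }
    if (-not $state.Present -or $state.Value -ne 2) {
        $findings.Add('Not in enforcement mode (2): clients that do not seal are still accepted on this DC.')
    }
    if ($ReferenceDate -ge [datetime]'2023-07-11') {
        $findings.Add('After Jul 11, 2023 authentication fails for any client that does not use RPC Seal; review the audit events.')
    }

    [pscustomobject]@{
        RequireSeal = $state.Value
        Meaning     = $state.Meaning
        Findings    = $findings.ToArray()
    }
}

function Get-NetlogonSealingAuditEvents {
    # Provider and event IDs are the ones the diary cites for the audit phase;
    # the 'System' log name is an assumption of this example.
    param(
        [string]$ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center',
        [int[]]$EventId = @(43, 44),
        [int]$MaxEvents = 50
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = $ProviderName; Id = $EventId } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName, Message
}

function Set-NetlogonRequireSeal {
    # Moves the DC to enforcement mode. Only do this once the audit events show
    # no remaining clients that fail to seal.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet(1, 2)][int]$Value = 2)
    if ($PSCmdlet.ShouldProcess($NetlogonParams, "Set RequireSeal to $Value")) {
        Set-ItemProperty -Path $NetlogonParams -Name 'RequireSeal' -Value $Value -Type DWord
    }
}

# Usage:
Test-NetlogonSealingPosture | Format-List
Get-NetlogonSealingAuditEvents | Format-Table -AutoSize
# Set-NetlogonRequireSeal -Value 2 -WhatIf
```

Run the posture check and the event query together: the audit events identify the clients and trusts that still negotiate without sealing, and the enforcement switch (`Set-NetlogonRequireSeal`) should only be applied once that list is empty, since after Jul 11, 2023 those connections fail outright.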
