KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023

Se aplica a
Windows Server 2022 Windows Server 2019, all editions Windows Server 2016, all editions Windows Server 2012 R2 Windows Server 2012 Windows Server 2008 R2 Enterprise ESU Windows Server 2008 R2 Standard ESU Windows Server 2008 R2 Datacenter ESU Windows Server 2008 Datacenter ESU Windows Server 2008 Standard ESU Windows Server 2008 Enterprise ESU

Change log

Change 1: April 5, 2023: Moved the "Enforcement by Default" phase of the registry key from April 11, 2023 to June 13, 2023 in the "Timing of updates to address CVE-2022-38023" section.

Change 2: April 20, 2023: Removed inaccurate reference to "Domain Controller: Allow vulnerable Netlogon secure channel connections” group policy object (GPO) in the "Registry Key settings" section.

Change 3: June 19, 2023:
  • Added an "Important" note to the "Registry Key settings" section.
  • Added a "Note" to the "Windows events related to CVE-2022-38023 " section.
  • Added two new questions and answers to the "Frequently Asked Questions (FAQ)" section.

In this article

Summary

The November 8, 2022 and later Windows updates address weaknesses in the Netlogon protocol when RPC signing is used instead of RPC sealing. More information can be found in CVE-2022-38023 .

The Netlogon Remote Protocol remote procedure call (RPC) interface is primarily used to maintain the relationship between a device and its domain , and relationships among domain controllers (DCs) and domains.

This update protects Windows devices from CVE-2022-38023 by default.  For third-party clients and third-party domain controllers, update is in Compatibility mode by default and allows vulnerable connections from such clients. Refer to the Registry Key settings section for steps to move to Enforcement mode.

To help secure your environment, install the Windows update that is dated November 8, 2022 or a later Windows update to all devices, including domain controllers.

Important Starting June 2023, Enforcement mode will be enabled on all Windows domain controllers and will block vulnerable connections from non-compliant devices.  At that time, you will not be able to disable the update, but may move back to the Compatibility mode setting. Compatibility mode will be removed in July 2023, as outlined in the Timing of updates to address Netlogon vulnerability CVE-2022-38023 section.

Timing of updates to address CVE-2022-38023

Updates will be released in several phases: the initial phase for updates released on or after November 8, 2022 and the Enforcement phase for updates released on or after July 11, 2023.

November 8, 2022 - Initial deployment phase

The initial deployment phase starts with the updates released on November 8, 2022 and continues with later Windows updates until the Enforcement phase. Windows updates on or after November 8, 2022 address security bypass vulnerability of CVE-2022-38023 by enforcing RPC sealing on all Windows clients.

By default, devices will be set in Compatibility mode. Windows domain controllers will require that Netlogon clients use RPC seal if they are running Windows, or if they are acting as either domain controllers or as trust accounts.

April 11, 2023 - Initial enforcement phase

The Windows updates released on or after April 11, 2023 will remove the ability to disable RPC sealing by setting value 0 to the RequireSeal registry subkey.

June 13, 2023 - Enforcement by Default

The RequireSeal registry subkey will be moved to Enforced mode unless Administrators explicitly configure to be under Compatibility mode. Vulnerable connections from all clients including third-parties will be denied authentication. See Change 1.

July 11, 2023 - Enforcement phase

The Windows updates released on July 11, 2023 will remove the ability to set value 1 to the RequireSeal registry subkey. This enables the Enforcement phase of CVE-2022-38023.

Registry Key settings

After the Windows updates that are dated on or after November 8, 2022 are installed, the following registry subkey is available for the Netlogon protocol on Windows domain controllers.

Note

IMPORTANT This update, as well as future enforcement changes, do not automatically add or remove the “RequireSeal” registry subkey. This registry subkey must be manually added for it to be read. See Change 3.

RequireSeal subkey

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value RequireSeal
Data type REG_DWORD
Data 0 – Disabled
1 – Compatibility mode. Windows domain controllers will require that Netlogon clients use RPC Seal if they are running Windows, or if they are acting as either domain controllers or Trust accounts.
2 - Enforcement mode. All clients are required to use RPC Seal. See Change 2.
Restart required? No

Note

NOTE The following events have a 1-hour buffer in which duplicate events that contain the same information are discarded during that buffer.

The Netlogon service encountered a client using RPC signing instead of RPC sealing
Event Log System
Event Type Error
Event Source NETLOGON
Event ID 5838
Event Text The Netlogon service encountered a client using RPC signing instead of RPC sealing.

If you find this error message in your event logs, you must take the following actions to resolve the system error:

The Netlogon service encountered a trust using RPC signing instead of RPC sealing
Event Log System
Event Type Error
Event Source NETLOGON
Event ID 5839
Event Text The Netlogon service encountered a trust using RPC signing instead of RPC sealing.
The Netlogon service created a secure channel with a client using RC4
Event Log System
Event Type Warning
Event Source NETLOGON
Event ID 5840
Event Text The Netlogon service created a secure channel with a client with RC4.

If you find Event 5840, this is a sign that a client in your domain is using weak cryptography.

The Netlogon service denied a client using RC4 due to the 'RejectMd5Clients' setting
Event Log System
Event Type Error
Event Source NETLOGON
Event ID 5841
Event Text The Netlogon service denied a client using RC4 due to the ‘RejectMd5Clients’ setting.

If you find Event 5841, this is a sign that the RejectMD5Clients value is set to TRUE .

The RejectMD5Clients key is an pre-existing key in the Netlogon service. For more information, see the RejectMD5Clients description of the Abstract Data Model.

Frequently Asked Questions (FAQ)

Who is vulnerable for the issue listed in CVE-2022-38023?

All domain-joined, machine accounts are affected by this CVE. Events will show who is most impacted by this issue after the November 8, 2022 or later Windows updates are installed, please review the Event Log errors section to address the issues.

To help detect older clients that are not using the strongest available crypto, this update introduces event logs for clients that are using RC4.

What is RPC signing and RPC sealing?

RPC signing is when the Netlogon protocol uses RPC to sign the messages it sends over the wire. RPC sealing is when the Netlogon protocol both signs and encrypts the messages it sends over the wire.

How do Windows Domain Controllers determine whether a Netlogon Client is running Windows?

Windows Domain Controller determine whether a Netlogon client is running Windows by querying the “OperatingSystem” attribute in Active Directory for the Netlogon client and checking for the following strings:

  • “Windows”, “Hyper-V Server”, and “Azure Stack HCI”

We do not recommend nor support that this attribute be changed by Netlogon clients or domain administrators to a value that is not representative of the operating system (OS) that the Netlogon client is running. You should be aware that we may change the search criteria at any time. See Change 3.

Will the Enforcement phase reject RC4 Netlogon clients?

The enforcement phase does not reject Netlogon clients based on the type of encryption that the clients use. It will only reject Netlogon clients if they do RPC signing instead of RPC Sealing. Rejection of RC4  Netlogon clients is based on the “RejectMd5Clients” registry key available to Windows Server 2008 R2 and later Windows Domain Controllers. The enforcement phase for this update does not change the “RejectMd5Clients” value. We recommend that customers enable the "RejectMd5Clients" value for higher security in their domains. See Change 3.

Glossary

AES

Advanced Encryption Standard (AES) is a block cipher that supersedes the Data Encryption Standard (DES). AES can be used to protect electronic data. The AES algorithm can be used to encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext. AES is used in symmetric-key cryptography, meaning that the same key is used for the encryption and decryption operations. It is also a block cipher, meaning that it operates on fixed-size blocks of plaintext and ciphertext, and requires the size of the plaintext as well as the ciphertext to be an exact multiple of this block size. AES is also known as the Rijndael symmetric encryption algorithm [FIPS197] .

Netlogon

In a Windows NT operating system-compatible network security environment, the component responsible for synchronization and maintenance functions between a primary domain controller (PDC) and backup domain controllers (BDC). Netlogon is a precursor to the directory replication server (DRS) protocol.The Netlogon Remote Protocol remote procedure call (RPC) interface is primarily used to maintain the relationship between a device and its domain , and relationships among domain controllers (DCs) and domains. For more information, see Netlogon Remote Protocol.

RC4-HMAC

RC4-HMAC (RC4) is a variable key-length symmetric encryption algorithm. For more information, see [SCHNEIER] section 17.1.

Secure Channel

An authenticated remote procedure call (RPC) connection between two machines in a domain with an established security context used for signing and encrypting RPC packets.