The April 2023 Updates provide further urgency to Netlogon RPC Sealing


With the November 2022 Updates for Windows Server, Microsoft changed the Netlogon protocol to mitigate CVE-2022-38023. With the April 2023 Updates for Windows Server, a second vulnerability in the same area of the protocol is addressed, and it is only closed when Domain Controllers actually enforce RPC Sealing.


About CVE-2022-38023 (November 2022)

This vulnerability allows an authenticated adversary to abuse weaknesses in the cryptography of the Windows Netlogon protocol when a secure channel uses RPC Signing instead of RPC Sealing. Signing only protects the integrity of each message; it does not hide the contents. An adversary who can tamper with signed-only Netlogon traffic might modify it to elevate their privileges.

After installing the November 2022 updates on Domain Controllers, organizations with third-party devices, applications and/or services may see events in the System log on Domain Controllers with source Netlogon and the following Event IDs: 5838 (the Netlogon service encountered a client using RPC signing instead of RPC sealing), 5839 (the Netlogon service encountered a trust using RPC signing instead of RPC sealing), 5840 (the Netlogon service created a secure channel with a client using RC4) and/or 5841 (the Netlogon service denied a client using RC4 because of the ‘RejectMd5Clients’ setting).
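The events above are the inventory you need before enforcing RPC Sealing: they tell you which machine accounts and trusts still negotiate signing-only or RC4 secure channels. The following PowerShell script is an added example, not code from the original post or from Microsoft. It collects the four Event IDs from the System log of the Domain Controller it runs on and summarizes them per client. It assumes the provider name in the System log is 'NETLOGON' and that the first event property holds the client machine account name (for 5838, 5840 and 5841) or the trust name (for 5839); verify that on your own Domain Controllers before relying on the Subject column.

```powershell
# Added example (not from the original post): inventory Netlogon RPC-sealing
# events on a Domain Controller after the November 2022 updates.
# Assumptions: run elevated on the DC; the System-log provider is 'NETLOGON';
# Properties[0] of the event holds the client machine account or trust name.

$EventMeaning = @{
    5838 = 'Client using RPC signing instead of RPC sealing'
    5839 = 'Trust using RPC signing instead of RPC sealing'
    5840 = 'Secure channel established with RC4'
    5841 = 'Client denied RC4 because of RejectMd5Clients'
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5838, 5839, 5840, 5841
    StartTime    = (Get-Date).AddDays(-7)
}

# Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No Netlogon RPC-sealing events in the last 7 days on this DC.'
    return
}

$events |
    ForEach-Object {
        [pscustomobject]@{
            Id      = $_.Id
            Meaning = $EventMeaning[$_.Id]
            Subject = $_.Properties[0].Value   # assumed: machine account or trust name
            Time    = $_.TimeCreated
        }
    } |
    Group-Object Id, Subject |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            EventId  = $first.Id
            Meaning  = $first.Meaning
            Subject  = $first.Subject
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object Time -Descending)[0].Time
        }
    } |
    Sort-Object EventId, Count -Descending |
    Format-Table -AutoSize
```

Run it on every Domain Controller (or point it at each one with Invoke-Command), because each DC only logs the secure channels it served. Any Subject that still appears under 5838 or 5840 is a device, application or trust partner to chase with its vendor before you move RequireSeal to 2.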

For these organizations, a compatibility mode is available through the RequireSeal registry value (a DWORD under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters) on Domain Controllers. A value of 1 selects compatibility mode, in which signing-only clients are still accepted and only logged; a value of 2 selects enforcement mode, in which Domain Controllers require RPC Sealing from all clients.

This compatibility mode ends with the July 11, 2023 updates for Windows Server, after which Domain Controllers enforce RPC Sealing.


About CVE-2023-28268 (April 2023)

An adversary who successfully exploits this vulnerability gains the privileges of the targeted user. The attack requires an Adversary-in-the-middle (AitM) position: from there, the adversary leverages cryptographic weaknesses in the Windows Netlogon protocol when RPC Signing is used instead of RPC Sealing, and may modify Netlogon protocol traffic to elevate their privileges.

When an organization runs Domain Controllers in compatibility mode through the RequireSeal registry value, the attack remains possible even after installing the April 2023 Updates for Windows Server, because signing-only secure channels are still accepted. The update only helps where RPC Sealing is enforced.


Call to Action

Please perform the following actions on Domain Controllers as soon as possible, starting with Domain Controllers in non-production environments before moving to Domain Controllers in the production environment:

  1. Confirm that all domain-joined devices are running supported versions of Windows.
  2. Ensure all domain-joined devices are up to date.
  3. Ensure that the Domain member: Digitally encrypt or sign secure channel data (always) Group Policy setting is set to Enabled.
  4. Work with the vendor of any third-party devices, applications and/or services to make them perform RPC Sealing.
  5. Remove the RequireSeal registry value on Domain Controllers, or set it to 2.
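Steps 3 and 5 can be verified on each Domain Controller from the registry. The following PowerShell script is an added example, not code from the original post or from Microsoft. It reads the Netlogon parameters key, reports whether the Domain Controller is still in compatibility mode, and, only when run with -Enforce, sets RequireSeal to 2. It assumes that the Group Policy setting "Domain member: Digitally encrypt or sign secure channel data (always)" is backed by the RequireSignOrSeal value under the same key, and that the script is run elevated on the Domain Controller.

```powershell
# Added example (not from the original post): audit, and optionally enforce,
# the Netlogon secure-channel settings on a Domain Controller.
# Assumptions: run elevated on the DC; RequireSignOrSeal under the Netlogon
# Parameters key reflects the "Digitally encrypt or sign secure channel data
# (always)" policy; RequireSeal 1 = compatibility, 2 = enforcement.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Enforce   # set RequireSeal to 2 when not already enforced
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$props   = Get-ItemProperty -Path $KeyPath

# Missing values read back as $null; keep them distinct from an explicit 0.
$requireSeal       = if ($null -ne $props.RequireSeal)       { [int]$props.RequireSeal }       else { $null }
$requireSignOrSeal = if ($null -ne $props.RequireSignOrSeal) { [int]$props.RequireSignOrSeal } else { $null }

if ($null -eq $requireSeal) {
    $sealState = 'not set (OS default applies)'
} elseif ($requireSeal -eq 2) {
    $sealState = 'enforcement'
} elseif ($requireSeal -eq 1) {
    $sealState = 'compatibility mode: signing-only clients accepted, CVE-2023-28268 still reachable'
} else {
    $sealState = "unexpected value $requireSeal"
}

$signOrSealState = if ($requireSignOrSeal -eq 1) {
    'always sign or seal (policy Enabled)'
} else {
    'not enforced: set the "Digitally encrypt or sign secure channel data (always)" policy to Enabled'
}

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    RequireSignOrSeal = $requireSignOrSeal
    SignOrSealState   = $signOrSealState
    RequireSeal       = $requireSeal
    RequireSealState  = $sealState
} | Format-List

if ($Enforce -and $requireSeal -ne 2) {
    # ShouldProcess honours -WhatIf / -Confirm, so the change can be rehearsed first.
    if ($PSCmdlet.ShouldProcess($KeyPath, 'Set RequireSeal to 2 (enforcement)')) {
        Set-ItemProperty -Path $KeyPath -Name RequireSeal -Value 2 -Type DWord
        Write-Host 'RequireSeal set to 2 (enforcement).'
    }
}
```

Run it without -Enforce first, on non-production Domain Controllers, and only switch to -Enforce once the Netlogon 5838/5839/5840 events have stopped for every client and trust you care about; the -WhatIf switch shows what would change without touching the registry.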
