Critical Microsoft Vulnerability Requires NetApp Customers To Take Action

Over the last six months, we have been helping to make NetApp administrators aware of the Microsoft vulnerability update regarding the Netlogon RPC Elevation of Privilege Vulnerability (CVE-2022-38023) and its impact on NetApp ONTAP products. This vulnerability allows attackers to gain access to sensitive data and take over systems by exploiting the Netlogon authentication protocol and Windows administrators must apply the appropriate updates.

The update process involves implementing changes in multiple versions of Windows Server and requires a phased approach by Microsoft. Failure to complete the required updates could lead to serious security breaches and potential data loss. The first phase of implementation began on November 8, 2022, with the final phase scheduled for July 11, 2023.

NetApp has added support for Netlogon RPC Sealing in all ONTAP releases still in Full Support, and it is essential that NetApp Administrators take recommended actions before the June 13, 2023 “Enforcement by Default” phase and before the July 11, 2023 “Enforcement” phase for CVE-2022-38023. Failure to complete these actions could impact data availability and access from your NetApp storage system.

Below is a more detailed overview describing the Microsoft vulnerability, update timeline and the appropriate remediation steps for resolution.  If you need assistance, please reach out to your EchoStor Account Executive to schedule a follow up discussion. If you’re unsure who your Account Executive is, please click here to fill in your information and we will follow up as quickly as possible.

Important – Microsoft CVE-2022-38023 and NetApp ONTAP Announcement

• Microsoft is implementing changes in multiple versions of Windows Server to address a Netlogon RPC Elevation of Privilege Vulnerability present in their Netlogon code.
  • Details are in CVE-2022-38023 – “Netlogon RPC Elevation of Privilege Vulnerability” 
  • As per MS KB KB5021130: “How to manage the Netlogon protocol changes related to CVE-2022-38023”, there will be 4 phases of implementation
    • During the “Initial Deployment”phase which began on November 8, 2022, Windows servers will operate in “compatibility mode”, where Windows domain controllers will require that Netlogon clients use RPC sealing only if they are running Windows, or if they are acting as either domain controllers or as trust accounts (no impact to ONTAP).
    • During the “Initial Enforcement”phase, which began on April 11, 2023, the ability to completely disable the requirement to use Netlogon RPC sealing was removed. Default behavior is still “compatibility mode” (no impact to ONTAP for normal deployments – see SU530 for known exceptions with workaround details).
    • During the “Enforcement by Default” phase, which will begin on June 13, 2023, all clients will be required to use Netlogon RPC sealing unless administrators explicitly configure “Compatibility mode” on their domain controllers. Details on how to do this are in KB5021130 and SU530 (impact to ONTAP).
    • Final “Enforcement” phase is scheduled for July 11, 2023, at which time it will not be possible to configure “Compatibility mode” (impact to ONTAP).

• NetApp is adding support for Netlogon RPC Sealing in all ONTAP releases still in Full Support. This new ONTAP 9 enhancement is tracked by BURT 1514175.
  • This enhancement has been included in Service Updates on all major ONTAP releases currently in Full Support, namely:
    • 9.7P22, 9.8P18, 9.9.1P15, 9.10.1P12, 9.11.1P8, 9.12.1P2.
  • Inclusion of this enhancement in major ONTAP 9 releases prior to 9.7 is not planned.
  • More information can be found in SU530,which is being updated as additional information becomes available.

• Recommended Actions:

1.       Before the June 13, 2023 “Enforcement by Default” phase for CVE-2022-38023, either

•       Apply the “Compatibility mode” RequireSeal = 1 registry key value to all Windows domain controllers (see the “Workaround” section of the bulletin for more details), or

•       Upgrade all systems running ONTAP to one of the releases in the “Solution” section of the bulletin (or later, as available) – preferred.

2.       Before the July 11, 2023 “Enforcement” phase for CVE-2022-38023, if not already upgraded, upgrade all systems running ONTAP to one of the releases in the “Solution” section of the bulletin (or later, as available).

•       Note that for ONTAP 9, there is NO OTHER WORKAROUND that applies after the July 11, 2023 “Enforcement” phase for CVE-2022-38023.

• For 7-Mode, see “Does CVE-2022-38023 have any impact to Data ONTAP 7-Mode” for NetApp-tested workaround details.