Change log
Change 1: April 5, 2023: Moved the "Enforcement by Default" phase of the registry key from April 11, 2023 to June 13, 2023 in the "Timing of updates to address CVE-2022-38023" section.
Change 2: April 20, 2023: Removed inaccurate reference to "Domain Controller: Allow vulnerable Netlogon secure channel connections" group policy object (GPO) in the "Registry Key settings" section.
Change 3: June 19, 2023:
Summary
The November 8, 2022 and later Windows updates address weaknesses in the Netlogon protocol when RPC signing is used instead of RPC sealing. More information can be found in CVE-2022-38023.
The Netlogon Remote Protocol remote procedure call (RPC) interface is primarily used to maintain the relationship between a device and its domain, and relationships among domain controllers (DCs) and domains.
This update protects Windows devices from CVE-2022-38023 by default. For third-party clients and third-party domain controllers, the update is in Compatibility mode by default and allows vulnerable connections from such clients. Refer to the Registry Key settings section for steps to move to Enforcement mode.
To help secure your environment, install the Windows update that is dated November 8, 2022 or a later Windows update to all devices, including domain controllers.
Important: Starting June 2023, Enforcement mode will be enabled on all Windows domain controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable the update, but you may move back to the Compatibility mode setting. Compatibility mode will be removed in July 2023, as outlined in the Timing of updates to address Netlogon vulnerability CVE-2022-38023 section.
Timing of updates to address CVE-2022-38023
Updates will be released in several phases: the initial phase for updates released on or after November 8, 2022 and the Enforcement phase for updates released on or after July 11, 2023.
The initial deployment phase starts with the updates released on November 8, 2022 and continues with later Windows updates until the Enforcement phase. Windows updates on or after November 8, 2022 address the security bypass vulnerability CVE-2022-38023 by enforcing RPC sealing on all Windows clients.
By default, devices will be set in Compatibility mode. Windows domain controllers will require that Netlogon clients use RPC sealing if they are running Windows, or if they are acting as either domain controllers or as trust accounts.
The Windows updates released on or after April 11, 2023 will remove the ability to disable RPC sealing by setting the RequireSeal registry subkey to 0.
The RequireSeal registry subkey will be moved to Enforced mode unless administrators explicitly configure it to remain in Compatibility mode. Vulnerable connections from all clients, including third parties, will be denied authentication. See Change 1.
The Windows updates released on July 11, 2023 will remove the ability to set the RequireSeal registry subkey to 1. This enables the Enforcement phase of CVE-2022-38023.
Registry Key settings
After the Windows updates that are dated on or after November 8, 2022 are installed, the following registry subkey is available for the Netlogon protocol on Windows domain controllers.
IMPORTANT: This update, as well as future enforcement changes, does not automatically add or remove the "RequireSeal" registry subkey. This registry subkey must be manually added for it to be read. See Change 3.
RequireSeal subkey
Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value: RequireSeal
Data type: REG_DWORD
Data:
- 0 – Disabled
- 1 – Compatibility mode. Windows domain controllers will require that Netlogon clients use RPC Seal if they are running Windows, or if they are acting as either domain controllers or Trust accounts.
- 2 – Enforcement mode. All clients are required to use RPC Seal. See Change 2.
Restart required? No
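Because the update never creates the value itself, the first thing to check on each domain controller is whether RequireSeal exists at all and what it is set to. The following PowerShell is an added example, not part of the Microsoft article: the key path, value name and the meaning of 0, 1 and 2 come from the table above, while the function names and the report format are this example's own. Run it in an elevated session on the domain controller.

```powershell
# Added example (not from the Microsoft article): audit and, optionally, set the
# RequireSeal value on a domain controller. Key path, value name and the meaning of
# 0/1/2 are taken from the article's table; function names are this example's own.

$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$name = 'RequireSeal'

function Get-RequireSealState {
    # The article states the update does not create the value. A missing value
    # therefore means the DC is running the built-in default for its patch level.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Present = $false
            Value   = $null
            Mode    = 'Not configured (built-in default for this patch level applies)'
        }
    }
    $value = $item.$name
    $mode = switch ($value) {
        0       { 'Disabled (no longer honored by updates on or after April 11, 2023)' }
        1       { 'Compatibility mode' }
        2       { 'Enforcement mode' }
        default { "Unrecognized value $value" }
    }
    return [pscustomobject]@{ Present = $true; Value = $value; Mode = $mode }
}

function Set-RequireSealEnforcement {
    # Creates the REG_DWORD if it is absent and sets it to 2 (Enforcement mode).
    # The article notes that no restart is required for the value to take effect.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 2 -Force | Out-Null
    Get-RequireSealState
}

# Report the current state first; only move to Enforcement mode once the
# 5838/5839 events described later in the article have been worked through.
Get-RequireSealState | Format-List
# Set-RequireSealEnforcement
```

Setting the value to 2 before the June 2023 default change gives you control over the cut-over date rather than having it imposed by the update; keep the state report from each DC so you can confirm the value is consistent across the domain.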
Windows events related to CVE-2022-38023
NOTE: The following events have a 1-hour buffer in which duplicate events that contain the same information are discarded.
Event Log: System
Event Type: Error
Event Source: NETLOGON
Event ID: 5838
Event Text: The Netlogon service encountered a client using RPC signing instead of RPC sealing.
If you find this error message in your event logs, you must take the following actions to resolve the system error:
- Confirm that the device is running a supported version of Windows.
- Check to make sure all devices are up to date.
- Check to make sure that Domain member: Digitally encrypt or sign secure channel data (always) is set to Enabled.
Event Log: System
Event Type: Error
Event Source: NETLOGON
Event ID: 5839
Event Text: The Netlogon service encountered a trust using RPC signing instead of RPC sealing.
Event Log: System
Event Type: Warning
Event Source: NETLOGON
Event ID: 5840
Event Text: The Netlogon service created a secure channel with a client with RC4.
If you find Event 5840, this is a sign that a client in your domain is using weak cryptography.
Event Log: System
Event Type: Error
Event Source: NETLOGON
Event ID: 5841
Event Text: The Netlogon service denied a client using RC4 due to the 'RejectMd5Clients' setting.
If you find Event 5841, this is a sign that the RejectMD5Clients value is set to TRUE. See the RejectMD5Clients description of the Abstract Data Model.
The RejectMD5Clients key is a pre-existing key in the Netlogon service. For more information, see the Frequently Asked Questions (FAQ).
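The four events above are the only signal the article gives for which clients and trusts will break under Enforcement mode, so it is worth pulling them from every domain controller into one list rather than reading each System log by hand. The following PowerShell is an added example, not code from the article: the event IDs, source and meanings come from the tables above; the DC names, the 30-day window and the output shape are this example's assumptions.

```powershell
# Added example (not from the Microsoft article): collect the NETLOGON events the
# article documents (5838, 5839, 5840, 5841) from the System log of one or more
# domain controllers and summarize them for triage. Event IDs and meanings are from
# the article; the default computer list and the look-back window are assumptions.

$eventMeaning = @{
    5838 = 'Client using RPC signing instead of RPC sealing (Error)'
    5839 = 'Trust using RPC signing instead of RPC sealing (Error)'
    5840 = 'Secure channel established with a client using RC4 (Warning)'
    5841 = 'Client using RC4 denied because RejectMd5Clients is set (Error)'
}

function Get-NetlogonSealingEvents {
    param(
        # Assumption: query the local machine by default; pass your DC names instead.
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Days = 7
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = @(5838, 5839, 5840, 5841)
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    foreach ($dc in $ComputerName) {
        # The article notes duplicates are suppressed for an hour, so a handful of
        # events can stand for many connections; treat each one as a source to chase.
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    DomainController = $dc
                    TimeCreated      = $_.TimeCreated
                    EventId          = $_.Id
                    Meaning          = $eventMeaning[$_.Id]
                    Message          = $_.Message
                }
            }
    }
}

$events = Get-NetlogonSealingEvents -Days 30

# Counts per event ID show whether the domain is ready for Enforcement mode: any
# 5838 or 5839 entries are connections that will be refused once RequireSeal is 2.
$events | Group-Object EventId | Select-Object Name, Count | Sort-Object Name

# Full detail for the signing-only clients and trusts that need fixing first.
$events | Where-Object { $_.EventId -in 5838, 5839 } |
    Format-Table TimeCreated, DomainController, EventId, Message -Wrap
```

Run it with `-ComputerName` set to all domain controllers, since a client only produces an event on the DC it happened to authenticate against; 5840 entries are informational until RejectMd5Clients is enabled, at which point the same clients start producing 5841 denials.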
All domain-joined machine accounts are affected by this CVE. After the November 8, 2022 or later Windows updates are installed, the events will show which devices are most affected by this issue; review the Windows events related to CVE-2022-38023 section to address them.
To help detect older clients that are not using the strongest available crypto, this update introduces event logs for clients that are using RC4.
RPC signing is when the Netlogon protocol uses RPC to sign the messages it sends over the wire. RPC sealing is when the Netlogon protocol both signs and encrypts the messages it sends over the wire.
Windows domain controllers determine whether a Netlogon client is running Windows by querying the "OperatingSystem" attribute in Active Directory for the Netlogon client and checking for the following strings:
- "Windows", "Hyper-V Server", and "Azure Stack HCI"
We neither recommend nor support changing this attribute, whether by Netlogon clients or by domain administrators, to a value that does not represent the operating system (OS) the Netlogon client is running. You should be aware that we may change the search criteria at any time. See Change 3.
The enforcement phase does not reject Netlogon clients based on the type of encryption that the clients use. It only rejects Netlogon clients that use RPC signing instead of RPC sealing. Rejection of RC4 Netlogon clients is based on the "RejectMd5Clients" registry key available to Windows Server 2008 R2 and later Windows domain controllers. The enforcement phase for this update does not change the "RejectMd5Clients" value. We recommend that customers enable the "RejectMd5Clients" value for higher security in their domains. See Change 3.
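Because the OperatingSystem attribute decides whether a computer account is treated as a Windows client (required to seal from the first update) or a third-party client (tolerated in Compatibility mode, denied in Enforcement mode), an inventory of accounts that match none of the three strings tells you in advance which devices to look for in the 5838 events. The following PowerShell is an added example, not part of the article: the three strings come from the list above; the case-insensitive substring match is this example's assumption about how the check behaves, and the article warns the criteria may change. It requires the ActiveDirectory module.

```powershell
# Added example (not from the Microsoft article): list computer accounts whose
# OperatingSystem attribute contains none of the strings the article says Windows
# DCs look for. These accounts are classified as third-party Netlogon clients.
# The strings are from the article; the matching logic is this example's assumption.

Import-Module ActiveDirectory

$windowsMarkers = @('Windows', 'Hyper-V Server', 'Azure Stack HCI')

function Get-NonWindowsNetlogonClients {
    param(
        # Optional OU distinguished name; by default the whole domain is searched.
        [string]$SearchBase
    )

    $params = @{ Filter = '*'; Properties = 'OperatingSystem', 'LastLogonDate', 'Enabled' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADComputer @params |
        Where-Object {
            $os = $_.OperatingSystem
            # A blank attribute cannot match any marker, so the DC cannot classify
            # that client as Windows either.
            [string]::IsNullOrWhiteSpace($os) -or
            -not ($windowsMarkers | Where-Object { $os -like "*$_*" })
        } |
        Select-Object Name, OperatingSystem, Enabled, LastLogonDate, DistinguishedName
}

# Enabled accounts with recent logons are the ones to fix or retire before moving
# RequireSeal to 2; cross-check them against 5838/5839 events from the DCs.
Get-NonWindowsNetlogonClients |
    Sort-Object LastLogonDate -Descending |
    Format-Table -AutoSize
```

This list is a superset of what will actually fail: a third-party client that already uses RPC sealing keeps working in Enforcement mode and produces no 5838 event. Use the inventory to decide where to look, and the events to decide what to fix.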
Glossary
Advanced Encryption Standard (AES) is a block cipher that supersedes the Data Encryption Standard (DES). AES can be used to protect electronic data. The AES algorithm can be used to encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext. AES is used in symmetric-key cryptography, meaning that the same key is used for the encryption and decryption operations. It is also a block cipher, meaning that it operates on fixed-size blocks of plaintext and ciphertext, and requires the size of the plaintext as well as the ciphertext to be an exact multiple of this block size. AES is also known as the Rijndael symmetric encryption algorithm [FIPS197] .
Netlogon: In a Windows NT operating system-compatible network security environment, the component responsible for synchronization and maintenance functions between a primary domain controller (PDC) and backup domain controllers (BDC). Netlogon is a precursor to the directory replication server (DRS) protocol. The Netlogon Remote Protocol remote procedure call (RPC) interface is primarily used to maintain the relationship between a device and its domain, and relationships among domain controllers (DCs) and domains. For more information, see Netlogon Remote Protocol.
RC4-HMAC (RC4) is a variable key-length symmetric encryption algorithm. For more information, see [SCHNEIER] section 17.1.
Secure channel: An authenticated remote procedure call (RPC) connection between two machines in a domain with an established security context used for signing and encrypting RPC packets.