Feature #15670

open

SMB NetLogon Client Seal support

Added by Matt Barden 18 days ago. Updated 13 days ago.

Status: In Progress
Priority: Normal
Assignee:
Category: smb - SMB server and client
Start date:
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:
External Bug: racktop:BSR-13344

Description

In response to CVE-2022-38023, Microsoft is removing support for RPC Signing in the Netlogon server, instead requiring Sealing when establishing a 'secure channel'. More details can be found here: https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25 and here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38023

The previous changes in response to Zerologon mitigations (#13169) implemented RPC Signing in the netlogon client to satisfy the RPC security requirement; now we must implement Sealing to continue to support NTLMSSP authentication in the SMB Server, building off that prior work.

Actions #1

Updated by Guenther Alka 18 days ago

A related problem, up from Nov 14, is StrongCertificateBindingEnforcement
https://www.cisa.gov/guidance-applying-june-microsoft-patch-tuesday-update-cve-2022-26925

Actions #2

Updated by Gordon Ross 13 days ago

  • Tracker changed from Bug to Feature
  • Subject changed from Want support for RPC sealing in Netlogon client to SMB NetLogon Client Seal support
  • External Bug set to racktop:BSR-13344
Actions #3

Updated by Electric Monk 13 days ago

  • Gerrit CR set to 2873