[German]Microsoft has indeed postponed its schedules for phased adjustments to the Netlogon protocol (due to CVE-2022-38023) and the Kerberos protocol from April 11, 2023 to June 13, 2023. But with the Windows update of April 11, 2023, the option to disable RPC sealing in the registry has already been removed. In the meantime, the first problems are being reported and a Microsoft employee has just asked administrators to test the systems, as I saw on Twitter.
In November 2022, Microsoft had initiated a phased change to the Netlogon and Kerberos protocols with its security updates, which should last until October 2023. The reason is three vulnerabilities (CVE-2022-38023 and CVE-2022-37967) in Windows. Administrators must respond accordingly to ensure that these changes are reflected in network communications (see my blog post Updates for Windows (Nov. 2022): Changes in Netlogon and Kerberos protocol – causing issues). The next change should take effect on April 11, 2023.
April 2023 security updates
In April 2023, Microsoft had actually planned the next step by activating the so-called enforcement mode for RPC sealing. However, Microsoft postponed this step to June 11, 2023, as can be read in the support article KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023 and in the article KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967. It says there:
April 5, 2023: Moved the "Enforcement by Default" phase of the registry key from April 11, 2023 to June 13, 2023 in the "Timing of updates to address CVE-2022-38023" section.
AHowever, support post KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023 also states that the April 11, 2023 security update (i.e., April 2023 patchday) initiates the Initial Inforcement phase.
The Windows updates released on or after April 11, 2023 will remove the ability to disable RPC sealing by setting value 0 to the RequireSeal registry subkey.
If the April 2023 update is installed on Windows, RPC sealing cannot be disabled by setting the RequireSeal registry value to 0. For the KrbtgtFullPacSignature key, the enforcement mode does not become active until June 13, 2023 (see KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967). However, the April 2023 patches may already cause disruptions to KrbPAC & RPCNetLogonSeal.
Disruption due to April 2023 update?
German blog reader Florian T. already emailed me about potential problems related to the protocol changes on April 12, 2023 and wrote.
Hello Mr. Born,
a tip for an article: The patch for Kerberos PAC signatures goes into its third phase and enforces the Kerberos PAC signature (krb pac shutdown is disabled). For analysis of where this is missing, see Using Windows Eventlog Eventid 43 or 44.
The patch that enforces RPC Netlogon Sealing and removes RPC Netlogon Signing was also included. Can be analyzed in advance by Windows Eventlog Eventids 5838-5841.
Some vendors have already published warnings for outages, e.g. Netapp and Ivanti vpn (formerly pulsevpn).
The screenshot above shows the excerpt from one of the following Microsoft support articles Florian links to in his mail (thanks for that).
- KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967
- KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023
Administrators should therefore read the two support articles again and test their Windows Server environments for corresponding problems.
Test the enforcement mode!
Recently the following tweet from Microsoft's Ryan Ries has come to my attention. Ries asks all administrators, especially those using third-party devices like NetApp storage, to test Enforcent Mode as soon as possible.
Ries notes: Nothing is confirmed yet, but I'm increasingly getting internal reports that this might not go as smoothly as we think. Administrators should not wait with testing – and if necessary updating – the necessary software until the last minute. Otherwise, there will be a rude awakening in June 2023.