Last Updated: 2023-04-08 05:34:20 UTC
by Xavier Mertens (Version: 1)
This has been brought to our attention by a reader (thank you, William!). CVE-2022-38023 is an elevation of privilege vulnerability in the Microsoft Netlogon RPC protocol. Microsoft provided a patch to fix it. The patch hardens Netlogon by requiring RPC sealing instead of mere RPC signing of the communication with the Domain Controller. RPC sealing is a security measure that both signs and encrypts the messages sent over the wire by the Netlogon protocol (signing alone only guarantees integrity, the payload stays readable). Microsoft released a knowledge base article with more information about how the fix is rolled out.
Sealing is controlled via a registry value on the domain controllers: "RequireSeal" (REG_DWORD) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. It can be set to the following values:
- 0 - Disabled
- 1 - Compatibility mode. Windows domain controllers will require that Netlogon clients use RPC Seal if they are running Windows or acting as either domain controllers or trust accounts. Other (third-party) clients are still accepted with signing only.
- 2 - Enforcement mode. All clients must use RPC Seal unless they are added to the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy object (GPO).
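To check where a domain controller stands before the enforcement dates, here is an added PowerShell example (not part of the original diary or of Microsoft's KB) that reads and sets RequireSeal. The registry path and value name are the ones documented in KB5021130; the meaning strings and the function names are mine.

```powershell
# Added example: inspect and set the Netlogon RequireSeal value on a domain controller.
# Registry path and value name as documented in KB5021130 (CVE-2022-38023).
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName      = 'RequireSeal'

# Meaning of each value, as described in the KB
$Meaning = @{
    0 = 'Disabled (no longer accepted once the April 11, 2023 update is installed)'
    1 = 'Compatibility mode: sealing required from Windows clients, DCs and trust accounts only'
    2 = 'Enforcement mode: sealing required from every client not exempted by the GPO'
}

function Get-RequireSeal {
    # Returns the current value and a human-readable interpretation.
    $item = Get-ItemProperty -Path $NetlogonParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the DC applies the default behaviour of its installed update
        return [pscustomobject]@{ Value = $null; Meaning = 'Not set (update default applies)' }
    }
    $v = [int]$item.$ValueName
    $m = if ($Meaning.ContainsKey($v)) { $Meaning[$v] } else { 'Unexpected value' }
    [pscustomobject]@{ Value = $v; Meaning = $m }
}

function Set-RequireSeal {
    # 0 is deliberately not allowed here: the April 2023 update removes it anyway.
    param([Parameter(Mandatory)][ValidateSet(1, 2)][int]$Value)
    # -Force creates the DWORD if it is missing and overwrites it otherwise (no reboot needed)
    New-ItemProperty -Path $NetlogonParams -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
    Get-RequireSeal
}

function Get-RequireSealFromAllDCs {
    # Sweep every DC of the current domain. Requires the ActiveDirectory module and WinRM to the DCs.
    Get-ADDomainController -Filter * | ForEach-Object {
        $dc  = $_.HostName
        $val = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                -Name RequireSeal -ErrorAction SilentlyContinue).RequireSeal
        }
        [pscustomobject]@{ DC = $dc; RequireSeal = $val }
    }
}

Get-RequireSeal
# Once the event log shows no client relying on signing only, move to enforcement:
# Set-RequireSeal -Value 2
```

Run it on a DC in an elevated session. A null result in the sweep means the value was never created explicitly, so the behaviour depends on which cumulative update that DC has installed.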
When the patch was released, it was in compatibility mode, but Microsoft defined an interesting timeline:
- Nov 8, 2022: Initial deployment phase. Clients that only sign are still accepted, and sealing can still be disabled (RequireSeal = 0).
- Dec 13, 2022: Audit phase. Events are generated for clients still using signing instead of sealing (System log, source NETLOGON, Event ID 5838 for a client and 5839 for a trust).
- Apr 11, 2023: Initial enforcement phase. Sealing can no longer be disabled in the registry (RequireSeal must be 1 or 2).
- Jul 11, 2023: Full enforcement. Authentication will fail if sealing is not used.
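The audit events are what tell you which devices will break in July. Here is an added PowerShell example (my code, not the diary's or Microsoft's) that collects them from one or more DCs over a time window. The NETLOGON provider name and Event IDs 5838/5839 are those documented in KB5021130; the event data is dumped as-is because the exact field layout is not quoted on this page.

```powershell
# Added example: hunt for Netlogon clients and trusts that still use RPC signing
# instead of sealing, using the audit events from KB5021130.
# 5838 = client using signing instead of sealing, 5839 = trust using signing instead of sealing.
$SealingEventIds = 5838, 5839

function Get-NetlogonSealingEvents {
    param(
        [string[]]$DomainController = @($env:COMPUTERNAME),
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    foreach ($dc in $DomainController) {
        # Provider name 'NETLOGON' is the source shown in the System log for these events
        $filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = $SealingEventIds; StartTime = $Since }
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $evt = $_
                # Event data (account/machine names) is exposed through Properties; join it for display
                $data = ($evt.Properties | ForEach-Object { $_.Value }) -join ' | '
                [pscustomobject]@{
                    TimeCreated = $evt.TimeCreated
                    DC          = $dc
                    Id          = $evt.Id
                    Kind        = if ($evt.Id -eq 5839) { 'Trust' } else { 'Client' }
                    Data        = $data
                }
            }
    }
}

# All DCs of the domain (needs the ActiveDirectory module), last 30 days,
# summarised per offending client/trust so you get a remediation list, not a flood of events.
$dcs = (Get-ADDomainController -Filter *).HostName
Get-NetlogonSealingEvents -DomainController $dcs -Since (Get-Date).AddDays(-30) |
    Group-Object Kind, Data |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

An empty result on every DC after a full month is the signal that switching RequireSeal to 2 is safe; any remaining entry is a NAS, printer or appliance that needs a firmware update or, temporarily, an entry in the "Allow vulnerable Netlogon secure channel connections" policy.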
Many devices use Netlogon across networks: think about NAS appliances, multi-function printers (MFP), etc. Some vendors have already published support articles about the potential effect of this enforcement, so check with yours before July.
Reference: KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023 - Microsoft Support
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant