This has been brought to our attention by a reader (thank you, William!). The vulnerability CVE-2022-38038 affected the Microsoft Netlogon[1] procedure with an RPC escalation of privilege vulnerability. Microsoft provided a patch to fix it. It improves the Netlogon security by enforcing RPC sealing instead of signing off the communication with the Domain Controller. RPC sealing is a security measure that both signs and encrypts the messages sent over the wire by the Netlogon protocol. Microsoft released a knowledge base article[2] with more information about the technique used to fix the vulnerability.

Sealing is controlled via a registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

"RequireSeal" can be set to the following values:

• 0 - Disabled
• 1 - Compatibility mode. Windows domain controllers will require that Netlogon clients use RPC Seal if they are running Windows or acting as either domain controllers or Trust accounts.
• 2 - Enforcement mode. All clients must use RPC Seal unless they are added to the "Domain Controller: Allow vulnerable Netlogon secure channel connections" group policy object (GPO).

When the patch was released, it was in compatibility mode, but Microsoft defined an interesting timeline:

• Nov 8, 2022: Initial deployment phase but no impact of the sealing is not present, and the possibility of disabling the Sealing
• Dev 13, 2022: System in audit mode and events are generated (Source: Microsoft-Windows-Kerberos-Key-Distribution-Center and event IDs 43 or 44)
• Apr 11, 2023: Initial enforcement phase, sealing can’t be disabled in the registry (Must be 1 or 2)
• Jul 11, 2023: Authentication will fail if Sealing is not present

Many devices use Netlogon across networks. Think about NAS, multi-function printers (MFP), etc. Some vendors have already published support articles about the potential effect of this enforcement[3].

[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f
[2] KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023 - Microsoft Support
[3] https://kb.netapp.com/onprem/ontap/da/NAS/Does_CVE-2022-38023_have_any_impact_to_ONTAP_9

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key