Netlogon RPC Elevation of Privilege Vulnerability – RequireSeal Enforcement phase
Microsoft is announcing the release of the fourth phase of Windows security updates to address this vulnerability. The July 2023 updates remove the ability to set value 1 to the RequireSeal registry subkey and enables the Enforcement phase. Please see [How to manage Netlogon Protocol changes related to CVE-2022-38023](https://support.microsoft.com/help/5021130) for more information, including the planned enforcement timeline.
July 11, 2023 – Enforcement phase
The Windows updates released on July 11, 2023 will remove the ability to set value 1 to the RequireSeal registry subkey. This enables the Enforcement phase of CVE-2022-38023.
The November 8, 2022 and later Windows updates address weaknesses in the Netlogon protocol when RPC signing is used instead of RPC sealing. More information can be found in CVE-2022-38023 .
The Netlogon Remote Protocol remote procedure call (RPC) interface is primarily used to maintain the relationship between a device and its domain, and relationships among domain controllers (DCs) and domains.
This update protects Windows devices from CVE-2022-38023 by default. For third-party clients and third-party domain controllers, update is in Compatibility mode by default and allows vulnerable connections from such clients. Refer to the Registry Key settings section for steps to move to Enforcement mode.
To help secure your environment, install the Windows update that is dated November 8, 2022 or a later Windows update to all devices, including domain controllers.
Important Starting June 2023, Enforcement mode will be enabled on all Windows domain controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable the update, but may move back to the Compatibility mode setting. Compatibility mode will be removed in July 2023, as outlined in the Timing of updates to address Netlogon vulnerability CVE-2022-38023 section.
Timing of updates to address CVE-2022-38023
Updates will be released in several phases: the initial phase for updates released on or after November 8, 2022 and the Enforcement phase for updates released on or after July 11, 2023.
November 8, 2022 – Initial deployment phase
The initial deployment phase starts with the updates released on November 8, 2022 and continues with later Windows updates until the Enforcement phase. Windows updates on or after November 8, 2022 address security bypass vulnerability of CVE-2022-38023 by enforcing RPC sealing on all Windows clients.
By default, devices will be set in Compatibility mode. Windows domain controllers will require that Netlogon clients use RPC seal if they are running Windows, or if they are acting as either domain controllers or as trust accounts.
April 11, 2023 – Initial enforcement phase
The Windows updates released on or after April 11, 2023 will remove the ability to disable RPC sealing by setting value 0 to the RequireSeal registry subkey.
June 13, 2023 – Enforcement by Default
The RequireSeal registry subkey will be moved to Enforced mode unless Administrators explicitly configure to be under Compatibility mode. Vulnerable connections from all clients including third-parties will be denied authentication.
July 11, 2023 – Enforcement phase
The Windows updates released on July 11, 2023 will remove the ability to set value 1 to the RequireSeal registry subkey. This enables the Enforcement phase of CVE-2022-38023.
Windows events related to CVE-2022-38023
NOTE The following events have a 1-hour buffer in which duplicate events that contain the same information are discarded during that buffer.
The Netlogon service encountered a client using RPC signing instead of RPC sealing
Event Log | System |
Event Type | Error |
Event Source | NETLOGON |
Event ID | 5838 |
Event Text | The Netlogon service encountered a client using RPC signing instead of RPC sealing. |
If you find this error message in your event logs, you must take the following actions to resolve the system error:
- Confirm that the device is running a supported version of Windows.
- Check to make sure all devices are up to date.
- Check to make sure that Domain member: Domain member Digitally encrypt or sign secure channel data (always) is set to Enabled .
The Netlogon service encountered a trust using RPC signing instead of RPC sealing
Event Log | System |
Event Type | Error |
Event Source | NETLOGON |
Event ID | 5839 |
Event Text | The Netlogon service encountered a trust using RPC signing instead of RPC sealing. |
The Netlogon service created a secure channel with a client using RC4
Event Log | System |
Event Type | Warning |
Event Source | NETLOGON |
Event ID | 5840 |
Event Text | The Netlogon service created a secure channel with a client with RC4. |
If you find Event 5840, this is a sign that a client in your domain is using weak cryptography.
The Netlogon service denied a client using RC4 due to the 'RejectMd5Clients' setting
Event Log | System |
Event Type | Error |
Event Source | NETLOGON |
Event ID | 5841 |
Event Text | The Netlogon service denied a client using RC4 due to the ‘RejectMd5Clients’ setting. |
If you find Event 5841, this is a sign that the RejectMD5Clients value is set to TRUE .
The RejectMD5Clients key is an pre-existing key in the Netlogon service. A Boolean variable that indicates whether the server SHOULD<124> reject incoming clients that are using MD5 encryption.
Frequently Asked Questions (FAQ)
Who is vulnerable for the issue listed in CVE-2022-38023?
To help detect older clients that are not using the strongest available crypto, this update introduces event logs for clients that are using RC4.
What is RPC signing and RPC sealing?
RPC signing is when the Netlogon protocol uses RPC to sign the messages it sends over the wire. RPC sealing is when the Netlogon protocol both signs and encrypts the messages it sends over the wire.
How do Windows Domain Controllers determine whether a Netlogon Client is running Windows?
Windows Domain Controller determine whether a Netlogon client is running Windows by querying the “OperatingSystem” attribute in Active Directory for the Netlogon client and checking for the following strings:
“Windows”, “Hyper-V Server”, and “Azure Stack HCI”
We do not recommend nor support that this attribute be changed by Netlogon clients or domain administrators to a value that is not representative of the operating system (OS) that the Netlogon client is running. You should be aware that we may change the search criteria at any time.
Will the Enforcement phase reject RC4 Netlogon clients?
The enforcement phase does not reject Netlogon clients based on the type of encryption that the clients use. It will only reject Netlogon clients if they do RPC signing instead of RPC Sealing. Rejection of RC4 Netlogon clients is based on the “RejectMd5Clients” registry key available to Windows Server 2008 R2 and later Windows Domain Controllers. The enforcement phase for this update does not change the “RejectMd5Clients” value. We recommend that customers enable the “RejectMd5Clients” value for higher security in their domains.
So, that’s all in this blog. I will meet you soon with next stuff. Have a nice day!!!
Guys please don’t forget to like and share the post. Also join our WindowsTechno Community and where you can post your queries/doubts and our experts will address them.
You can also share the feedback on below windows techno email id.
If you have any questions, feel free to contact us on admin@windowstechno.com also follow us on facebook@windowstechno to get updates about new blog posts.