
Does CVE-2022-38023 have any impact on ONTAP 9?

Category: ontap-9
Specialty: nas

Applies to

  • ONTAP 9
  • FSx
  • Cloud Volumes ONTAP (CVO)
  • SMB/CIFS
  • Netlogon (NTLM authentication)
  • CVE-2022-38023 - Netlogon RPC elevation of privilege vulnerability

Answer

  1. ONTAP features configured to use NTLMv1 or NTLMv2 for domain authentication (for example CIFS, Vscan, RBAC, domain tunneling, and so on) are affected. The authentication mechanism of each CIFS session can be seen as follows:

    ::> set advanced
    ::*> vserver cifs session show -vserver <vserver> -fields auth-mechanism,address,windows-user
    node       vserver   session-id           connection-id address       auth-mechanism windows-user
    ---------- --------- -------------------- ------------- ------------- -------------- ------------------
    netapp-01a <vserver> 17134789207261194186 2550496605    10.62.125.88  NTLMv2         DEMO\user6
    netapp-01b <vserver> 17134789207261194188 2550496606    10.216.29.42  Kerberos       DEMO\Administrator
    2 entries were displayed.

Note: if a Kerberos authentication attempt fails, ONTAP falls back to NTLM (NTLMv1 or NTLMv2) by default.

  2. Impact: all CIFS domain authentication that uses NTLM fails once the DC servers have been patched; see CONTAP-80033: NTLM authentication fails due to the implementation of Netlogon RPC sealing.
  3. The actions described in SU530 must be completed before the "Enforcement by Default" phase on June 13, 2023, that is, when Microsoft's patch for CVE-2022-38023 is installed.
How do these phases affect ONTAP?

Microsoft phase: July 2023 - Enforcement phase

What changed: The Windows update released on July 11, 2023 removes the RequireSeal:1 setting. RequireSeal is forced to 2, and the contents of the registry value are ignored.

How does this affect ONTAP 9? / What are my options?

Impact on ONTAP once RequireSeal:1 is set:

Impact on ONTAP once RequireSeal:2 is set:
  • Pass-through authentication fails:

    FAILURE: Pass-through authentication failed. (NT Status: NT_STATUS_NO_LOGON_SERVERS(0xc000005e))

  • EMS also reports the following event, indicating that no DC is available:

    secd.netlogon.noServers: None of the Netlogon servers configured for Vserver (vs1) are currently accessible via the network.

  • The domain controller may log the following event ID 5838 as an error:

    Log Name:      System
    Source:        NETLOGON
    Date:          2/22/2023 3:17:28 PM
    Event ID:      5838
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      dc1.demo.netapp.local
    Description:
    The Netlogon service encountered a client using RPC signing instead of RPC sealing.
    Machine SamAccountName: CIFSSERVERNAME
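As an added example (not part of the NetApp article), the following Python triage script lists which CIFS sessions in `vserver cifs session show` output still rely on NTLM pass-through, i.e. the sessions that break once the DC enforces RequireSeal:2, and matches the three indicators above (the NT status, the EMS secd.netlogon.noServers message and DC event 5838) so that NTLM failures can be attributed to sealing enforcement rather than plain DC unavailability. The session rows, the vserver name svm1 and the host dc1.example.local are constructed sample data.

```python
import re

# Constructed sample output of `vserver cifs session show -fields auth-mechanism,address,windows-user`
# (made up for this example; not captured from a real cluster).
SESSION_OUTPUT = """\
node       vserver session-id           connection-id address      auth-mechanism windows-user
---------- ------- -------------------- ------------- ------------ -------------- ------------------
netapp-01a svm1    17134789207261194186 2550496605    10.62.125.88 NTLMv2         DEMO\\user6
netapp-01b svm1    17134789207261194188 2550496606    10.216.29.42 Kerberos       DEMO\\Administrator
netapp-01a svm1    17134789207261194190 2550496607    10.62.125.90 NTLMv1         DEMO\\svc_scan
3 entries were displayed.
"""

# Constructed log lines mirroring the indicators in the article: an ONTAP EMS message,
# the pass-through failure status, and a DC NETLOGON event 5838 (hostname is made up).
LOG_LINES = [
    "secd.netlogon.noServers: None of the Netlogon servers configured for Vserver (vs1) are currently accessible via the network.",
    "FAILURE: Pass-through authentication failed. (NT Status: NT_STATUS_NO_LOGON_SERVERS(0xc000005e))",
    "Source: NETLOGON Event ID: 5838 Level: Error Computer: dc1.example.local Description: The Netlogon service "
    "encountered a client using RPC signing instead of RPC sealing. Machine SamAccountName: CIFSSERVERNAME",
]


def ntlm_sessions(output):
    """Return (windows-user, auth-mechanism) for sessions authenticated via NTLM pass-through.
    Only NTLMv1/NTLMv2 sessions traverse the Netlogon secure channel that RequireSeal:2 rejects;
    Kerberos sessions are unaffected and skipped."""
    found = []
    for line in output.splitlines():
        cols = line.split()
        # Skip the header row, the dashed separator and the "N entries were displayed." trailer.
        if len(cols) != 7 or cols[0] == "node" or cols[0].startswith("-"):
            continue
        user, mechanism = cols[6], cols[5]
        if mechanism.upper().startswith("NTLM"):
            found.append((user, mechanism))
    return found


EVENT_5838 = re.compile(r"Event ID: 5838\b.*?SamAccountName: (\S+)")
NO_SERVERS = re.compile(r"secd\.netlogon\.noServers: .*?Vserver \((\w+)\)")


def sealing_indicators(lines):
    """Collect the indicators that point at RPC sealing enforcement as the cause of NTLM failures."""
    result = {"no_logon_servers": False, "unreachable_vservers": [], "signing_clients": []}
    for line in lines:
        if "NT_STATUS_NO_LOGON_SERVERS" in line:
            result["no_logon_servers"] = True
        if m := NO_SERVERS.search(line):
            result["unreachable_vservers"].append(m.group(1))   # vserver that lost all DCs
        if m := EVENT_5838.search(line):
            result["signing_clients"].append(m.group(1))        # machine account still signing, not sealing
    return result
```

Sessions returned by ntlm_sessions are the ones to move to Kerberos or to cover by the SU530 actions before the DC update; a non-empty signing_clients list confirms the DC is already refusing signed-only Netlogon calls from that CIFS server.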


NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.