跳转到主内容

CVE-2022-38023是否对ONTAP 9有任何影响?

Views:
1,092
Visibility:
Public
Votes:
1
Category:
ontap-9
Specialty:
nas
Last Updated:

适用场景

  • ONTAP 9
  • FSx
  • Cloud Volumes ONTAP (CVO)
  • SMB/CIFS
  • Netlogon (NTLM身份验证)
  • CVE-2022-38023 - Netlogon RPC特权提升漏洞

问题解答

  1. 为使用NTLMv1或NTLMv2进行域身份验证而配置的ONTAP功能 、例如 CIFS、Vscan、RBAC、域通道等会受到影响:
 ::> set advanced ::*> vserver cifs session show -vserver <vserver> -fields auth-mechanism,address,windows-user node vserver session-id connection-id address auth-mechanism windows-user ------------ --------- -------------------- ------------- ------------ -------------- ------------ netapp-01a <vserver> 17134789207261194186 2550496605 10.62.125.88 NTLMv2 DEMO\user6 netapp-01b <vserver> 17134789207261194188 2550496606 10.216.29.42 Kerberos DEMO\Administrator 2 entries were displayed. 

注意:如果Kerberos身份验证尝试失败,则 默认 回退为NTLM (NTLMv1或NTLMv2)。

  1. 影响:升级DC服务器修补程序  RFE 1514175后、使用NTLM的所有CIFS域身份验证都将失败
  2.    在 2023年6月13日- 安装Microsoft的CVE-2022-38023修补程序时的"默认强制实施"阶段之前、需要执行SU530所述的操作
这些阶段对ONTAP有何影响?

Microsoft阶段

发生了哪些变化

这对ONTAP 9有何影响?

我有哪些选择?

2023年7月-执行阶段

2023年7月11日发布的Windows更新将删除 设置 QuiqureSeal:1的功能

强制将QuiqureSeal设置为  2,将忽略注册表值的内容。

  • 升级到固定版本的 RFE 1514175
  • 确保客户端使用Kerberos身份验证将避免依赖Netlogon/NTLM域身份验证
设置了"RequieSeal":1后的ONTAP影响:
  • 域控制器可能会将以下事件ID 5838记录为 警告
设置了"RequieSeal":2后的ONTAP影响:
FAILURE: Pass-through authentication failed. (NT Status: NT_STATUS_NO_LOGON_SERVERS(0xc000005e))
  • EMS还会在以下事件中指明无可用DC。

secd.netlogon.noServers: None of the Netlogon servers configured for Vserver (vs1) are currently accessible via the network.

  • 域控制器可能会将以下事件ID 5838记录为 错误。 
Log Name: System Source: NETLOGON Date: 2/22/2023 3:17:28 PM Event ID: 5838 Task Category: None Level: Error Keywords: Classic User: N/A Computer: dc1.demo.netapp.local Description: The Netlogon service encountered a client using RPC signing instead of RPC sealing. Machine SamAccountName: CIFSSERVERNAME

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.