Netlogon RPC Elevation of Privilege Vulnerability
Priority: ● High
Status: In Progress- Undergoing Analysis
First Published: 21 February 2023
Advisory Version: [1.0]
References: CVE-2022-38023
Summary
The November 8, 2022 and later Windows updates address weaknesses in the Netlogon protocol when RPC signing is used instead of RPC sealing.
New netlogin vulnerability:
Netlogon RPC Elevation of Privilege Vulnerability:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38023
Microsoft's fix for this vulnerability is to mandate the use of RPC sealing which some products do not support.
Microsoft is introducing this change in 3 stages -
November 8, 2022 - Initial deployment phase
The initial deployment phase starts with the updates released on November 8, 2022 and continues with later Windows updates until the Enforcement phase. Windows updates on or after November 8, 2022 address security bypass vulnerability of CVE-2022-38023 by enforcing RPC sealing on all Windows clients.
By default, devices will be set in Compatibility mode. Windows domain controllers will require that Netlogon clients use RPC seal if they are running Windows, or if they are acting as either domain controllers or as trust accounts.
April 11, 2023 - Initial enforcement phase
The Windows updates released on or after April 11, 2023 will remove the ability to disable RPC sealing by setting value 0 to the RequireSeal.
RequireSeal will be moved to Enforced mode unless Administrators explicitly configure to be under Compatibility mode. Vulnerable connections from all clients including third-parties will be denied authentication.
July 11, 2023 - Enforcement phase
The Windows updates released on July 11, 2023 will remove the ability to set value 1 to the RequireSeal subkey. This enables the Enforcement phase of CVE-2022-38023.
Affected Products
Impacted Products
The following matrix lists Hitachi Vantara products and solutions which have been confirmed to be affected by the requirement to use RPC sealing. If a Fixed Release Version is accompanied by a future date, the date is the best estimate we can provide based on current information and mitigation testing progress. If no Fixed Release Version is indicated for an affected product, Hitachi Vantara is continuing to evaluate the fix, and will update this advisory as additional information becomes available.
| Product | Notes/Fixed Release Version |
| Content Products |
| Data Ingestor | HDI Version 5 needs to upgrade as it is does not support RPC sealing. Upgrade to 6.x. |
| Network Attached Storage | |
| HNAS 5000 Series | Upgrade to 14.6 available in April, click for more detail |
| HNAS 4000 Series | Upgrade to 14.6 available in April, click for more detail |
| HNAS 30x0 Series | Upgrade to 14.6 available in April, click for more detail |
| Virtual Storage Platform Gx00/Fx00 NAS Modules | Upgrade to 14.6 available in April, click for more detail |
| Virtual Storage Platform Nx00 NAS Modules | Upgrade to 14.6 available in April, click for more detail |
Products Confirmed Not Impacted
* As this is an ongoing investigation across all Hitachi Vantara product lines, please note that products may be reclassified as impacted as they continue to be evaluated for risk.
| Product | Notes/Fixed Release Version |
| Content Products |
| Content Platform | Not Impacted |
| Content Intelligence | Not Impacted |
| Content Platform S Series | Not Impacted |
| HCP for Cloud Scale | Not Impacted; nor will CS be affected as client when interacting with our customer’s Active Directory. |
| Content Platform Anywhere | Not Impacted |
| Content Platform Gateway | Not Impacted. HCP Gateway should be resolved with MS Windows Update; does not require a change in the HCP Gateway code. |
Recommended Actions
If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.
The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.