{"id":27632,"date":"2022-11-10T11:06:34","date_gmt":"2022-11-10T10:06:34","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=27632"},"modified":"2023-06-21T15:06:12","modified_gmt":"2023-06-21T13:06:12","slug":"updates-for-windows-nov-2022-changes-in-netlogon-and-kerberos-protocol-causing-issues","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/11\/10\/updates-for-windows-nov-2022-changes-in-netlogon-and-kerberos-protocol-causing-issues\/","title":{"rendered":"Updates for Windows (Nov. 2022): Changes in Netlogon and Kerberos protocol &#8211; causing issues"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" alt=\"Windows\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2022\/11\/10\/november-2022-updates-fr-windows-nderungen-am-netlogon-und-kerberos-protokoll\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]Another small addendum to the November 2022 patchday. With the security updates of November 8, 2022, Microsoft has also initiated a gradual change to the Netlogon and Kerberos protocols. The whole thing will be carried out in several stages until October 2023. The reason is three vulnerabilities (CVE-2022-37966, CVE-2022-37967 and CVE-2022-38023) in Windows 8.1 to Windows 11 and the server counterparts. Administrators must react accordingly to ensure that these changes are taken into account in network communication. <strong>Addendum:<\/strong> Microsoft has released an out-of-band update to fix the issue &#8211; see\u00a0<a href=\"https:\/\/borncity.com\/win\/2022\/11\/18\/out-of-band-updates-fixes-kerberos-authentication-issues-on-dcs-nov-17-2022\/\">Out-of-band updates fixes Kerberos authentication issues on DCs (Nov. 
17, 2022)<\/a>.<\/p>\n<p><!--more--><\/p>\n<p>German blog reader Oli mentioned the topic (thanks) in <a href=\"https:\/\/www.borncity.com\/blog\/2022\/11\/09\/microsoft-security-update-summary-8-november-2022\/#comment-135600\" target=\"_blank\" rel=\"noopener\">this comment<\/a>; it has also been summarized in <a href=\"https:\/\/www.heise.de\/forum\/heise-online\/Kommentare\/Patchday-Microsoft-Attacken-auf-sechs-Luecken-Exchange-Patches-endlich-da\/November-Updates-auf-Domain-Controllern\/thread-7221838\/#posting_41868844\" target=\"_blank\" rel=\"noopener\">this German forum post<\/a>.<\/p>\n<h2>Vulnerabilities in Windows<\/h2>\n<p>The November 8, 2022 Windows updates also address vulnerabilities related to security bypass and elevation of privilege through Privilege Attribute Certificate (PAC) signatures. The security updates in question address Kerberos vulnerabilities where an attacker can digitally alter PAC signatures to elevate privileges. 
The following Windows versions are affected:<\/p>\n<ul>\n<li>Windows 8.1<\/li>\n<li>Windows RT 8.1<\/li>\n<li>Windows Server 2012<\/li>\n<li>Windows Server 2012 R2<\/li>\n<li>Windows 10 Version RTM to 22H2<\/li>\n<li>Windows 11 Version 22H1 &#8211; 22H2<\/li>\n<li>Windows Server 2016 &#8211; 2022<\/li>\n<li>Windows Server 2022 Azure Stack HCI Version 22H2<\/li>\n<li>Windows 11 SE Version 21H2<\/li>\n<\/ul>\n<p>The above CVEs refer partly to Windows clients and servers, and partly to Windows servers only. Microsoft has published various support articles on this.<\/p>\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb\" target=\"_blank\" rel=\"noopener\">KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967<\/a><\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25\" target=\"_blank\" rel=\"noopener\">KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023<\/a><\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d\" target=\"_blank\" rel=\"noopener\">KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966<\/a><\/li>\n<\/ul>\n<p>Which Windows versions are affected by which CVE can be found in the KB articles linked above.<\/p>\n<h2>Installation procedure<\/h2>\n<p>Microsoft writes that the affected Windows updates must be installed on all devices, including Windows domain controllers, to protect your environment. It is important to note that all domain controllers in a domain must be updated first. Only then should enforcement mode be enabled. 
Microsoft suggests the following procedure:<\/p>\n<ol>\n<li>Update the Windows domain controllers with a Windows update that was released on or after November 8, 2022.<\/li>\n<li>Put the Windows domain controllers into audit mode by using the <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb#registry5020805\" target=\"_blank\" rel=\"noopener\">registry entries here<\/a>.<\/li>\n<li>Monitor the events that are logged in audit mode to secure your environment.<\/li>\n<li>Enable enforcement mode to fix <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2022-37967\" target=\"_blank\" rel=\"noopener\">CVE-2022-37967<\/a> in your environment.<\/li>\n<\/ol>\n<p>By default, Step 1 does not fix the security issues in CVE-2022-37967 for Windows devices. To fully mitigate the security issue for all devices, you must enter audit mode (as described in Step 2) and then enter enforcement mode (as described in Step 4) on all Windows domain controllers as soon as possible. In Step 2, the following registry key is modified:<\/p>\n<pre>HKEY_LOCAL_MACHINE\\System\\currentcontrolset\\services\\kdc<\/pre>\n<p>by adding the DWORD value <em>KrbtgtFullPacSignature<\/em>. The value can assume the following states:<\/p>\n<ul>\n<li><b>0<\/b> \u2013 Disabled<\/li>\n<li><b>1<\/b> \u2013 New signatures are added, but not verified. (Default setting)<\/li>\n<li><b>2<\/b> &#8211; Audit mode. New signatures are added, and verified if present. If the signature is either missing or invalid, authentication is allowed and audit logs are created.<\/li>\n<li><b>3<\/b> &#8211; Enforcement mode. New signatures are added, and verified if present. 
If the signature is either missing or invalid, authentication is denied and audit logs are created.<\/li>\n<\/ul>\n<p>Starting in July 2023, enforcement mode will be enabled on all Windows domain controllers, blocking vulnerable connections from non-compliant devices. At that time, you can no longer disable the update, but you can switch back to the audit mode setting. Audit mode will be removed in October 2023, as described in the timeline of updates to address Kerberos vulnerability CVE-2022-37967.<\/p>\n<p>Microsoft uses a staged rollout to mitigate the security issues in CVE-2022-37967 for Windows devices. Here are the dates:<\/p>\n<ul>\n<li>November 8, 2022 &#8211; First deployment phase<\/li>\n<li>December 13, 2022 &#8211; Second deployment phase<\/li>\n<li>April 11, 2023 &#8211; Third deployment phase<\/li>\n<li>July 11, 2023 &#8211; First enforcement phase<\/li>\n<li>October 10, 2023 &#8211; Full enforcement phase<\/li>\n<\/ul>\n<p>Details and registry entries can be found in the three KB articles linked above.<\/p>\n<h2>Stop: Issues with gMSA and KDC<\/h2>\n<p><span style=\"color: #000000;\">A German blog reader<\/span> contacted me by e-mail and pointed to the following <a href=\"\/\/twitter.com\/fabian_bader\/status\/1590339101580222464\" target=\"_blank\" rel=\"noopener\">Twitter post<\/a>, which describes the issues.<\/p>\n<p><a href=\"https:\/\/twitter.com\/fabian_bader\/status\/1590339101580222464\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Kerberos Issues after Nov. 2022 updates\" src=\"https:\/\/i.imgur.com\/YCyFSd2.png\" alt=\"Kerberos Issues after Nov. 2022 updates\" \/><\/a><\/p>\n<p>Kerberos pre-authentication fails because the Kerberos domain controller (KDC) does not support the requested encryption type. This only occurs if the <em>msDS-SupportedEncryptionTypes<\/em> attribute is set. 
The supported encryption type flags are documented <a href=\"https:\/\/learn.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-kile\/6cfc7b50-11ed-4b4d-846d-6f08f0812919\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p><a href=\"https:\/\/twitter.com\/fabian_bader\/status\/1590355597245186049\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Kerberos Issues after Nov. 2022 updates\" src=\"https:\/\/i.imgur.com\/I3vapWy.png\" alt=\"Kerberos Issues after Nov. 2022 updates\" \/><\/a><\/p>\n<p>Fabian Bader gives more hints in a follow-up tweet (see above), and there is a larger discussion.<\/p>\n<p><a href=\"https:\/\/twitter.com\/fabian_bader\/status\/1590428401310912512\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Kerberos Issues after Nov. 2022 updates\" src=\"https:\/\/i.imgur.com\/tbhTlZf.png\" alt=\"Kerberos Issues after Nov. 2022 updates\" \/><\/a><\/p>\n<h3>Test script to identify AD objects<\/h3>\n<p>Fabian Bader posted on <a href=\"https:\/\/twitter.com\/fabian_bader\/status\/1590432854399676416\" target=\"_blank\" rel=\"noopener\">Twitter<\/a> a link to <a href=\"https:\/\/gist.github.com\/f-bader\/4fc517bc6fe61a3d6cf534958e0c8003\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>, where he published a PowerShell script. 
This script can be used to identify any AD object potentially affected by the CVE-2022-37966 bug.<\/p>\n<pre># Find AD objects whose msDS-SupportedEncryptionTypes has AES256 (16) or AES128 (8) set but not RC4 (4)\nGet-ADObject -LDAPFilter \"(&amp;(!(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=4))(|(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=16)(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=8)))\" -Properties msDS-SupportedEncryptionTypes | Select-Object DistinguishedName, msDS-SupportedEncryptionTypes<\/pre>\n<p>He writes about this: <em>Setting it to 28 (RC4+AES128+AES256) may be a workaround, but test this or hold off on patching.<\/em> Anyone else with this problem?<\/p>\n<blockquote><p><strong>Addendum<\/strong>: See the comment below, noting that the detection query from the script above should have 16 instead of 6. The author of the original script has fixed that, and I've amended the code above as well.<\/p><\/blockquote>\n<h3>Microsoft investigates the problem<\/h3>\n<p>Meanwhile, the problem has also reached Microsoft. Microsoft employee Steve Syfuhs has already responded on <a href=\"https:\/\/twitter.com\/SteveSyfuhs\/status\/1590417822030917632\" target=\"_blank\" rel=\"noopener\">Twitter<\/a> and writes:<\/p>\n<blockquote><p>Not official guidance, but we're seeing reports where certain auths are failing when users have their msDS-SupportedEncryptionTypes attribute explicitly being set to AES only (decimal 24, hex 0x18).<\/p>\n<p>We have another update to the KB pending, with official guidance and cause of the issue. 
More to follow.<\/p><\/blockquote>\n<p>Currently, administrators of domain controllers should be cautious about installing these updates.<\/p>\n<blockquote><p>On reddit.com there is <a href=\"https:\/\/www.reddit.com\/r\/sysadmin\/comments\/ypbpju\/patch_tuesday_megathread_20221108\/\" target=\"_blank\" rel=\"noopener\">this mega-thread<\/a> about problems (thanks to 1ST1 for the link), where you can find hints about the Kerberos problem &#8211; including integration of Red Hat Linux.<\/p><\/blockquote>\n<p>Microsoft has confirmed Kerberos authentication issues after the Nov. 2022 updates &#8211; see\u00a0<a href=\"https:\/\/borncity.com\/win\/2022\/11\/14\/microsoft-confirms-kerberos-authentication-issues-after-nov-2022-updates\/\">Microsoft confirms Kerberos authentication issues after Nov. 2022 updates<\/a>.<\/p>\n<h2>Some confusion from users<\/h2>\n<p>Some users are pulling their hair out due to the issue and some confusion about the values to be entered. Leo de Groot\u00a0<span class=\"says\"><a href=\"https:\/\/borncity.com\/win\/2022\/11\/10\/updates-for-windows-nov-2022-changes-in-netlogon-and-kerberos-protocol-causing-issues\/#comment-15536\" target=\"_blank\" rel=\"noopener\">says<\/a>:<\/span><\/p>\n<blockquote><p>We have been facing the exact same issue.<\/p>\n<p>Based on several articles in forums and the update information from Microsoft, we are currently testing if a value of 0x1c or 0x3c will work for the following registry value introduced in the update, that actually limits the default supported encryption types:<\/p>\n<pre>HKEY_LOCAL_MACHINE\\System\\currentcontrolset\\services\\kdc<\/pre>\n<p>DefaultDomainSupportedEncTypes (DWORD)<br \/>\nvalue 0x27<\/p>\n<p>0x27 would only allow non AES encryption types, which would result in no available encryption types in Kerberos\u2026<\/p><\/blockquote>\n<p>Blog reader <cite class=\"fn\">Penn Guine<\/cite> wrote in feedback that the registry value wasn't present on the DCs after the update. 
He suspects this led the KDC to believe no encryption types were trusted. And another admin wrote \"<em>What a nightmare. I've been pulling my hair for the last several hours dealing with authentication failures from our firewall service accounts. Found this page and disabled explicit AES settings on the accounts and things are working again. It's frustrating that it's easier to find this on a third-party site than it is from Microsoft.<\/em>\"<\/p>\n<p><strong>Similar articles:<\/strong><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/11\/02\/microsoft-office-updates-1-november-2022\/\">Microsoft Office Updates (November 1, 2022)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/11\/09\/microsoft-security-update-summary-november-8-2022\/\">Microsoft Security Update Summary (November 8, 2022)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/11\/09\/patchday-windows-10-updates-november-8-2022\/\">Patchday: Windows 10-Updates (November 8, 2022)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/11\/09\/patchday-windows-11-server-2022-updates-november-8-2022\/\">Patchday: Windows 11\/Server 2022-Updates (November 8, 2022)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/11\/09\/windows-7-server-2008-r2-windows-8-1-server-2012-r2-updates-november-8-2022\/\">Windows 7\/Server 2008 R2; Windows 8.1\/Server 2012 R2: Updates (November 8, 2022)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/11\/10\/patchday-microsoft-office-updates-november-8-2022\/\">Patchday: Microsoft Office Updates (November 8, 2022)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Another small addendum to the November 2022 patchday. With the security updates of November 8, 2022, Microsoft has also initiated a gradual change to the Netlogon and Kerberos protocols. 
The whole thing will be carried out in several stages until &hellip; <a href=\"https:\/\/borncity.com\/win\/2022\/11\/10\/updates-for-windows-nov-2022-changes-in-netlogon-and-kerberos-protocol-causing-issues\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1319],"tags":[],"class_list":["post-27632","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/27632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=27632"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/27632\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=27632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=27632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=27632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}