{"id":29395,"date":"2023-04-22T00:25:31","date_gmt":"2023-04-21T22:25:31","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=29395"},"modified":"2023-04-21T14:59:05","modified_gmt":"2023-04-21T12:59:05","slug":"windows-april-2023-updates-netlogon-und-kerberos-protokoll-anderungen-es-gibt-probleme","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2023\/04\/22\/windows-april-2023-updates-netlogon-und-kerberos-protokoll-anderungen-es-gibt-probleme\/","title":{"rendered":"Windows April 2023 Updates: Netlogon- and Kerberos protocol changes, there seems to be issues"},"content":{"rendered":"

\"Windows\"[German<\/a>]Microsoft has indeed postponed its schedules for phased adjustments to the Netlogon protocol (due to CVE-2022-38023) and the Kerberos protocol from April 11, 2023 to June 13, 2023. But with the Windows update of April 11, 2023, the option to disable RPC sealing in the registry has already been removed. In the meantime, the first problems are being reported and a Microsoft employee has just asked administrators to test the systems, as I saw on Twitter.<\/p>\n

<\/p>\n

\"\"In November 2022, Microsoft had initiated a phased change to the Netlogon and Kerberos protocols with its security updates, which should last until October 2023. The reason is three vulnerabilities (CVE-2022-38023 and CVE-2022-37967) in Windows. Administrators must respond accordingly to ensure that these changes are reflected in network communications (see my blog post Updates for Windows (Nov. 2022): Changes in Netlogon and Kerberos protocol \u2013 causing issues<\/a>). The next change should take effect on April 11, 2023.<\/p>\n

April 2023 security updates<\/h2>\n

In April 2023, Microsoft had actually planned the next step by activating the so-called enforcement mode for RPC sealing. However, Microsoft postponed this step to June 11, 2023, as can be read in the support article KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023<\/a> and in the article KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967<\/a>. It says there:<\/p>\n

April 5, 2023:<\/b> Moved the \"Enforcement by Default\" phase of the registry key from April 11, 2023 to June 13, 2023 in the \"Timing of updates to address CVE-2022-38023\" section.<\/p><\/blockquote>\n

AHowever, support post KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023<\/a> also states that the April 11, 2023 security update (i.e., April 2023 patchday) initiates the Initial Inforcement phase.<\/p>\n

The Windows updates released on or after April 11, 2023 will remove the ability to disable RPC sealing by setting value 0<\/b> to the RequireSeal<\/b> registry subkey.<\/p><\/blockquote>\n

If the April 2023 update is installed on Windows, RPC sealing cannot be disabled by setting the RequireSeal registry value to 0. For the KrbtgtFullPacSignature key, the enforcement mode does not become active until June 13, 2023 (see KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967<\/a>). However, the April 2023 patches may already cause disruptions to KrbPAC & RPCNetLogonSeal.<\/p>\n

Disruption due to April 2023 update?<\/h2>\n

German blog reader Florian T. already emailed me about potential problems related to the protocol changes on April 12, 2023 and wrote.<\/p>\n

Hello Mr. Born,<\/p>\n

a tip for an article: The patch for Kerberos PAC signatures goes into its third phase and enforces the Kerberos PAC signature (krb pac shutdown is disabled). For analysis of where this is missing, see Using Windows Eventlog Eventid 43 or 44.<\/p>\n

The patch that enforces RPC Netlogon Sealing and removes RPC Netlogon Signing was also included. Can be analyzed in advance by Windows Eventlog Eventids 5838-5841.<\/p>\n

Some vendors have already published warnings for outages, e.g. Netapp and Ivanti vpn (formerly pulsevpn).<\/p><\/blockquote>\n

\"Netlogon<\/p>\n

The screenshot above shows the excerpt from one of the following Microsoft support articles Florian links to in his mail (thanks for that).<\/p>\n