Re: CVE-2022-38023

trackstar · ‎2023-06-22

Hi Guys,

We have a FAS2650 which is on version NetApp Release 9.3P18. We had planned to move away from this platform but unfortunately things have been slow. What version of ONTAP will resolve CVE-2022-38023?

We have applied the workaround on MS Domain Controller's end but noting any patch after July 11 will remove the workaround.

Thanks in advance,

TT

SpindleNinja · ‎2023-06-22

9.7P22 -is the lowest.

https://kb.netapp.com/Support_Bulletins/Customer_Bulletins/SU2

TMACMD · ‎2023-06-22

See the article @SpindleNinja just posted.
from what I recall, the oldest versions that are patched are ONTAP 9.7(get the latest P release) and forward. On any release, get the latest P release

that 2650 is capable of being updated to 9.11

trackstar · ‎2023-06-22

I just finished a support call. They said 9.10.1 will fix the issue with the Microsoft CVE. So 9.7 will also?

TMACMD · ‎2023-06-22

Like I said, read the link.
it details everything including the versions it is fixed in. 9.7P22 being the lowest/oldest version of ONTAP

SpindleNinja · ‎2023-06-22

Yeah, sounds like they are just being proactive as 9.7 goes end of full term support in July this year.

9.7 - 31-Jul-2023.

I would go to 9.9.1 or 9.10.1 at a minimum.

SVHO · ‎2023-06-22

Finally was able to view the docs and talked to the core team. I am the original poster "trackstar".

Core team said 9.7 fixed the issue (I also saw the docs). I was told as long as we are in "Limited Support" we are ok. Our hardware has an EOL next May.

Questions, on version 9.3 , I remember downloaded the non encryption of Ontap (without NetApp Volume Encryption). If I were to download the encryption version this time, would I have any issues? I am in the U.S.

Thank you.

RossC · ‎2023-06-22

The encrypted or not encrypted version of ONTAP is not in reference to protocol level encryption. It's in reference to encryption of the data being written to the storage.

Most of our customers (in the US) will use the encryption version of ONTAP as that allows them to enable the data encryption features of ONTAP if they require it.

TMACMD · ‎2023-06-22

If you are in the us, you should just down load the encryption capable version. The other is listed for countries that are not allowed to have the encryption on their systems

SVHO · ‎2023-06-22

Thank you guys.

We had to set the the "RequireSeal:1" as a workaround after the June patch. Lets say we patched ONTAP to 9.7+ next week, we don't have to do anything else on the NetApp's end?

https://kb.netapp.com/onprem/ontap/da/NAS/Does_CVE-2022-38023_have_any_impact_to_ONTAP_9

For the Microsoft DCs, we can do either?

1) We change the registry value to "RequireSeal:2" after applying the ONTAP next week and not wait til MS July's patches

or

2) Do nothing to the registry and wait til MS July's patch

SpindleNinja · ‎2023-06-23

If you patch both end, you should be good. That's how we all read the KBs.

SVHO · ‎2023-06-23

So running this command below, I see all of the connections using NTLMv2 (we disabled version v1 a long time ago). This is expected right? After both ends are patched, we will see only Kerberos?

vserver cifs session show -vserver xxx_svm1 -fields auth-mechanism,address,windows-user

vserver cifs security show -vserver xxx_svm1

Vserver: xxx_svm1

Kerberos Clock Skew: 5 minutes
Kerberos Ticket Age: 10 hours
Kerberos Renewal Age: 7 days
Kerberos KDC Timeout: 3 seconds
Is Signing Required: false
Is Password Complexity Required: true
Use start_tls for AD LDAP connection: false
Is AES Encryption Enabled: false
LM Compatibility Level: ntlmv2-krb
Is SMB Encryption Required: false
Client Session Security: none
SMB1 Enabled for DC Connections: system-default
SMB2 Enabled for DC Connections: system-default

SVHO · ‎2023-06-26

Nevermind, MS just enforced the connection to be more secure, not getting rid of it the protocol.

CVE-2022-38023

Portfolio Updates | NetApp ONAIR