ONTAP Discussions

Microsoft CVE-2022-38023 and NetApp

Baiju625
5,336 Views

Hi Gurus,

 

We have 8.2.5P5 7-mode CIFS and we are in the process of migrating to CDOT.  Few HA pairs already migrated.  We use SMB/CIFS file shares.

 

Microsoft CVE-2022-38023 

Per below KB 

https://kb.netapp.com/Legacy/ONTAP/7Mode/Does_CVE-2022-38023_have_any_impact_to_Data_ONTAP_7-Mode
Does CVE-2022-38023 have any impact to Data ONTAP 7-Mode
Yes, when the filer(vfiler) attempts to pass NTLM authentication over NETLOGON, the domain controller once Enforcement Phase is set, will return Access Denied

 

When I check the CIFS sessions on the CDOT (for those migration completed to ONTAP 9.11P5), I see that all users are connected using Keberos authentication.  I like to understand following, please help.

 

1) If all users are connecting using kerberos then this CVE enforcement by Microsoft in July-11 will not have any impact on CIFS access on  7-mode vfilers correct? 

 

2) Does the vfiler itself (not the domain users accessing vfiler) uses Netlogon actively in the background to communicate with AD for keeping the CIFS server up and running? Or it just used once while CIFS services are setup on the vfiler?

 

3) If yes, how can I determine whether it uses NTLM or Kerberos for the scenario in question-2?

 

4) Is the 7-mode 8.2.5 vfiler capable of sealing the NetLogon RPC with out any configuration changes on NetApp  when communicating with AD via kerberos (if yes to question 2) after July-11?

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

1 ACCEPTED SOLUTION

AlexDawson
5,023 Views

1 - No

2 - Yes

3 - It is vFiler to AD that is the issue, not client to vFiler.

4 - No

 

The short answer to your question is that we believe CIFS with AD auth will stop working for 7-mode after the enforcement phase is active. 

 

You may look at local users and groups for smaller systems, but the best time to upgrade from 7-Mode was starting in 2015 and the second best time is now. It has been a dead product for years.

View solution in original post

3 REPLIES 3

AlexDawson
5,024 Views

1 - No

2 - Yes

3 - It is vFiler to AD that is the issue, not client to vFiler.

4 - No

 

The short answer to your question is that we believe CIFS with AD auth will stop working for 7-mode after the enforcement phase is active. 

 

You may look at local users and groups for smaller systems, but the best time to upgrade from 7-Mode was starting in 2015 and the second best time is now. It has been a dead product for years.

Baiju625
4,833 Views

Thank you Alex!

JohnK
3,715 Views

While the only solution for Clustered Data ONTAP/ONTAP 9 is to upgrade to a release of ONTAP that supports Netlogon RPC sealing (as required by Microsoft to address CVE-2022-38023 - see Support Bulletin SU530 for details), 7-Mode "takes advantage" of the fact that the CIFS authentication client code is old enough that it can utilize a Microsoft workaround intended for a different issue to negate the requirement.

See https://kb.netapp.com/Legacy/ONTAP/7Mode/Does_CVE-2022-38023_have_any_impact_to_Data_ONTAP_7-Mode

 

NetApp would however love to see customers with 7-Mode move to a more recent (and supported) ONTAP solution.

Public