A Netlogon RPC elevation of privilege vulnerability exists in all versions of Windows which have not received the November 8, 2022 security updates. From Microsoft:
| The November 8, 2022 and later Windows updates address weaknesses in the Netlogon protocol when RPC signing is used instead of RPC sealing. More information can be found in CVE-2022-38023.
The Netlogon Remote Protocol remote procedure call (RPC) interface is primarily used to maintain the relationship between a device and its domain, and relationships among domain controllers (DCs) and domains.
This update protects Windows devices from CVE-2022-38023 by default. For third-party clients and third-party domain controllers, update is in Compatibility mode by default and allows vulnerable connections from such clients. [...]
Important Starting June 2023, Enforcement mode will be enabled on all Windows domain controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable the update, but may move back to the Compatibility mode setting. Compatibility mode will be removed in July 2023[.] [1] |
For any Windows domain which has received the April 11, 2023 security update, Microsoft is posting messages to the Event Log of the Domain Controller indicating the fact that a system is connecting to the domain in an insecure way. A Dell Unity system running at least version 5.0.6 but less than version 5.1.0 connecting to the domain generates Error 5838 in the Event Log:
| Event Log |
System |
| Event Type |
Error |
| Event Source |
NETLOGON |
| Event ID |
5838 |
| Event Text |
The Netlogon service encountered a client using RPC signing instead of RPC sealing. |
This message is intended to alert administrators that a system will eventually be blocked by a future security update.
On June 13, 2023, Microsoft will send out another security update which will enable Enforcement mode on all third-party domain-joined systems, and will block connections from all devices which do not support RPC sealing. While administrators cannot remove the restriction, they can move those third-party systems back to Compatibility mode.
The ability to place domains in Compatibility mode will be removed by a subsequent security update on July 11, 2023.
Fix:
As of Unity Operating Environment (OE) version 5.1.0 and higher, Dell fully supports RPC sealing as required by Microsoft. Version 5.1.0 was released on June 21, 2021. Upgrade to Unity OE version 5.1.0 or higher to fix this issue.
Workaround:
- When Enforcement mode is enabled in June 2023, administrators can move their third-party connections back to Compatibility mode in order to support Unity systems which have not been upgraded to 5.1.0 or higher.
- When Compatibility mode is removed in July 2023, there will be no further workaround available. Administrators have to follow the Fix above to re-establish communications with Dell Unity systems.