SU501: [Impact: High] Impact of Microsoft CVE-2021-42287 fixes on ONTAP 9
Views: 6,393
Last Updated: 5/5/2023, 8:19:49 PM
Summary
[Impact High: Possible loss of CIFS data access]
Microsoft April 2022 Windows update for Active Directory (AD) servers to address CVE-2021-42287 might cause the CIFS password change operation from ONTAP 9 to fail.
This is tracked by Bug 1465232. Several fixed versions of ONTAP are available (see the Solution section for details).
Issue Description
In April 2022, Microsoft released a patch to its CVE-2021-42287 solution for Active Directory (AD) servers, resolving an issue with third-party vendors issuing machine account password sets/resets when privilege attribute certificate (PAC) enforcement was enabled (PacRequestorEnforcement = 2). The issue is not present if only the November 2021 Windows update is in place.
This patch impacted ONTAP’s ability to change its password or enable AES on the machine account, regardless of the PacRequestorEnforcement setting. This is tracked as Bug 1465232 - CIFS password change operation might fail. NetApp has resolved this issue with a patch to ONTAP.
Symptom
The following commands and operations are impacted:
vserver cifs domain password change
vserver cifs domain password schedule
vserver cifs security modify -is-aes-encryption-enabled true
When these commands are run, the operations can fail silently: the commands appear to have succeeded. The event log (event log show) then shows the following event:
Sat Apr 16 03:00:00 +0800 [cluster1-01: secd: secd.kerberos.preauth:error]: Kerberos pre-authentication failure due to out-of-sync machine account password for vserver (svm1).
CIFS client access then fails, and secd.log reports the error KRB5KDC_ERR_PREAUTH_FAILED.
Workaround
Instead of using the cifs domain password change CLI command to change the password of the CIFS server's machine account, run the cifs domain password reset command.
The preferred solution is to upgrade to a version of ONTAP where Bug 1465232 is fixed.
Solution
Upgrade to an ONTAP release that has the fix for Bug 1465232. These include:
- 9.6P18 (released)
- 9.7P19 (released)
- 9.8P12 (released)
- 9.9.1P9 (released)
- 9.10.1P3 (released)
- 9.11.1 (released)
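As an added example (not part of the advisory or NetApp's own tooling), the following Python script does two things a storage or SOC engineer would want when triaging this issue: it scans ONTAP EMS log lines for the secd.kerberos.preauth error quoted in the Symptom section and reports the affected vserver, and it checks whether a given ONTAP version is at or above the fixed P-level listed above. The sample log lines are constructed; the assumption that release families newer than 9.11.1 also carry the fix is the author's, not stated on the page.

```python
import re

# Fixed releases from the Solution section of SU501 (Bug 1465232).
FIXED_RELEASES = ["9.6P18", "9.7P19", "9.8P12", "9.9.1P9", "9.10.1P3", "9.11.1"]

# EMS line layout as shown in the advisory: timestamp [node: module: event:severity]: message
EMS_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"\[(?P<node>[^:\]]+): (?P<module>[^:\]]+): (?P<event>[^:\]]+):(?P<severity>\w+)\]: (?P<msg>.*)$"
)

def parse_version(ver):
    """'9.9.1P9' -> ((9, 9, 1), 9); a release without a P-level has patch 0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)+)(?:P(\d+))?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised ONTAP version: {ver!r}")
    return tuple(int(x) for x in m.group(1).split(".")), int(m.group(2) or 0)

def has_fix(ver):
    """True if the release contains the Bug 1465232 fix. Assumption: release
    families newer than 9.11.1 carry the fix; older unlisted families do not."""
    base, patch = parse_version(ver)
    for fixed in FIXED_RELEASES:
        fbase, fpatch = parse_version(fixed)
        if base == fbase:
            return patch >= fpatch
    return base > parse_version(FIXED_RELEASES[-1])[0]

def parse_ems_line(line):
    """Split one EMS log line into its fields; None if the line does not match."""
    m = EMS_LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    vs = re.search(r"vserver \(([^)]+)\)", ev["msg"])
    ev["vserver"] = vs.group(1) if vs else None
    return ev

def find_out_of_sync_vservers(lines):
    """(vserver, timestamp) for each secd.kerberos.preauth error reporting an
    out-of-sync machine account password, i.e. the symptom described in SU501."""
    hits = []
    for line in lines:
        ev = parse_ems_line(line)
        if (ev and ev["event"] == "secd.kerberos.preauth" and ev["severity"] == "error"
                and "out-of-sync machine account password" in ev["msg"]):
            hits.append((ev["vserver"], ev["ts"]))
    return hits

# Constructed sample: the event quoted in the advisory plus one unrelated line.
SAMPLE_LOG = [
    "Sat Apr 16 03:00:00 +0800 [cluster1-01: secd: secd.kerberos.preauth:error]: "
    "Kerberos pre-authentication failure due to out-of-sync machine account password for vserver (svm1).",
    "Sat Apr 16 03:00:01 +0800 [cluster1-01: secd: secd.example.info:info]: Routine message (constructed).",
]
```

Running find_out_of_sync_vservers over a real event log show export lists the vservers that need a cifs domain password reset, and has_fix tells you whether the cluster still needs the upgrade.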
Additional Information
- MSRC Advisory for CVE-2021-42287 - Active Directory Domain Services Elevation of Privilege Vulnerability
- Microsoft KB5008380—Authentication updates (CVE-2021-42287)
- Microsoft April 2022 patch update: April 12, 2022—KB5012670 (Monthly Rollup)
NetApp Knowledge Base:
Lenovo NetApp Technology Co., Ltd. ("Lenovo NetApp") makes no representation or warranty as to the accuracy, reliability or serviceability of any information or recommendations provided on this page, or as to any results that may be obtained by using this information or following the recommendations provided herein. The information on this page is distributed AS IS, and the use of this information or the implementation of any recommendations or techniques herein is the customer's responsibility and depends on the customer's ability to evaluate this information and integrate it into the customer's operational environment. This page and the information it contains may be used only in connection with the NetApp products discussed on this page. In no event shall Lenovo NetApp be liable for any special, indirect or consequential damages, or for any loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of the information provided on this page.
For the latest information, refer to the support bulletins on the NetApp website.