topic Re: Cisco ISE with AD CVE-2022-38023 patch in Network Access Control

Cisco ISE with AD CVE-2022-38023 patch

andrewswanson — Wed, 23 Nov 2022 15:32:42 GMT

I have an ISE 2.7 patch 7 distributed deployment that is bound to AD.

AD was recently patched with regards to CVE-2022-38023. Since then, the AD admins are reporting that the PSNs are appearing in their logs every few hours with "The Netlogon service encountered a client using RPC signing instead of RPC sealing)."

I've tried to replicate the issue with a Test User Authentication from ISE with Authentication Type set to Kerberos but this doesn't appear in the AD logs with the error. Has anyone else experienced this behaviour with ISE and AD patched for CVE-2022-38023?

Thanks
Andy

Microsoft Knowledgebase on issue is below:

https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25

Re: Cisco ISE with AD CVE-2022-38023 patch

andrewswanson — Wed, 30 Nov 2022 12:32:51 GMT

The AD admins confirmed that the PSN generated event ID in their logs was actually:

event id: 5840: The Netlogon service created a secure channel with a client with RC4.

I found the following cisco ISE bug:

https://bst.cisco.com/bugsearch/bug/CSCvv82074

From my reading of both the Cisco bug and the MS knowledgebase article, it looks like I'll run into the Cisco bug when the AD CVE-2022-38023 patch goes into its enforcement phase in April 2023. I've opened a TAC case to confirm.

Andy

Re: Cisco ISE with AD CVE-2022-38023 patch

andrewswanson — Mon, 05 Dec 2022 15:23:43 GMT

Contacted TAC - Cisco were already aware of this issue. Enhancement below was logged to deal with this.

https://bst.cisco.com/bugsearch/bug/CSCvo60450

ISE 2.x currently only supports RC4 with AD - the above enhancement changes this to AES256. Will probably upgrade to ISE 3.x rather than wait for the 2.x patch.

Andy

Re: Cisco ISE with AD CVE-2022-38023 patch

hslai — Sat, 10 Dec 2022 19:58:11 GMT

> ISE 2.x currently only supports RC4 with AD...

This statement is incorrect. AFAIK the issue is usually due to some element in the AD infrastructure is still using RC4 and tells ISE to communicate with RC4 as the etype. Customers thought the issue would have gone away if ISE did not support RC4 at all.

These articles might interest you:

Re: Cisco ISE with AD CVE-2022-38023 patch

andrewswanson — Wed, 07 Dec 2022 09:04:39 GMT

Thanks for the clarification and links - much appreciated.

Andy

Re: Cisco ISE with AD CVE-2022-38023 patch

samdejongh — Wed, 08 Feb 2023 15:29:23 GMT

Hi andrewswanson,

We have the exact same issue as reported above, I've see the link to this bug : https://bst.cisco.com/bugsearch/bug/CSCvo60450

But as far as I can tell there is no version of ISE that is currently listed as a known fixed release. How did you manage to get this resolved?

Many thanks in advance.

Re: Cisco ISE with AD CVE-2022-38023 patch

andrewswanson — Wed, 08 Feb 2023 15:44:20 GMT

Hi - Still not resolved this as TAC recommended to upgrade to 3.X. will hopefully get this done in the next few months.

cheers

Andy

Re: Cisco ISE with AD CVE-2022-38023 patch

Niko99 — Tue, 21 Mar 2023 11:57:07 GMT

Hi hslai,

so if I understand it correctly. The Cisco ISE 2.7 (Patch8 in my Case) should still be able to communicate with the AD if the AD-Element uses the AES etype and tells the ISE to comunicate with it ?

Kind Regards

Re: Cisco ISE with AD CVE-2022-38023 patch

maziek — Fri, 24 Mar 2023 11:42:13 GMT

I disabled RC4 in AD object for one of my ISE but eventID 5840: The Netlogon service created a secure channel with a client with RC4. still are generating.
ISE version 003.000(000.458)

Krzysztof