Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1569
Views
10
Helpful
4
Replies

Cisco ISE with AD CVE-2022-38023 patch

andrewswanson
Rising star
Rising star

‎11-23-2022 07:32 AM

Hi

I have an ISE 2.7 patch 7 distributed deployment that is bound to AD.

AD was recently patched with regards to CVE-2022-38023. Since then, the AD admins are reporting that the PSNs are appearing in their logs every few hours with "The Netlogon service encountered a client using RPC signing instead of RPC sealing)."

I've tried to replicate the issue with a Test User Authentication from ISE with Authentication Type set to Kerberos but this doesn't appear in the AD logs with the error. Has anyone else experienced this behaviour with ISE and AD patched for CVE-2022-38023?

Thanks
Andy

 


Microsoft Knowledgebase on issue is below:

https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25

 

0 Helpful
4 Replies 4

andrewswanson
Rising star
Rising star

‎11-30-2022 04:32 AM

The AD admins confirmed that the PSN generated event ID in their logs was actually:

event id: 5840: The Netlogon service created a secure channel with a client with RC4.


I found the following cisco ISE bug:

https://bst.cisco.com/bugsearch/bug/CSCvv82074

 

From my reading of both the Cisco bug and the MS knowledgebase article, it looks like I'll run into the Cisco bug when the AD CVE-2022-38023 patch goes into its enforcement phase in April 2023. I've opened a TAC case to confirm.

Andy

0 Helpful

andrewswanson
Rising star
Rising star

‎12-05-2022 07:23 AM

Contacted TAC - Cisco were already aware of this issue. Enhancement below was logged to deal with this.

https://bst.cisco.com/bugsearch/bug/CSCvo60450

ISE 2.x currently only supports RC4 with AD - the above enhancement changes this to AES256. Will probably upgrade to ISE 3.x rather than wait for the 2.x patch.

Andy

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to andrewswanson

‎12-06-2022 07:08 PM - edited ‎12-10-2022 11:58 AM

> ISE 2.x currently only supports RC4 with AD...

This statement is incorrect. AFAIK the issue is usually due to some element in the AD infrastructure is still using RC4 and tells ISE to communicate with RC4 as the etype. Customers thought the issue would have gone away if ISE did not support RC4 at all.

These articles might interest you:

andrewswanson
Rising star
Rising star
In response to hslai

‎12-07-2022 01:04 AM

Thanks for the clarification and links - much appreciated.

Andy

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents