[cifs-protocol] MSFT-CVE-2022-21925 MS-BKRP Performing Client-Side Wrapping of Secrets

Stefan Metzmacher metze at samba.org
Wed Jul 20 12:55:21 UTC 2022

Hi Dochelp,

I'm currently debugging a problem where client seem to have problems with our MS-BKRP implementation.

I found the following:

<18> Section The process of falling back to server-side wrapping using the BACKUPKEY_BACKUP_GUID when retrieval of the server's public key fails using the 
BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID is no longer available by default for the operating systems specified in [MSFT-CVE-2022-21925].  However, the fall back to server-side 
wrapping can be enabled by adding a registry key designed for this purpose.

In addition, as noted earlier, Windows clients always retry failing operations once. The resulting process is as follows: The client first tries the 
BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID operation, and if it fails, the client performs DC (2) rediscovery and retries the same operation. If the retry fails, the client tries a 
BACKUPKEY_BACKUP_GUID operation. If this fails, the client performs DC rediscovery again and retries the BACKUPKEY_BACKUP_GUID operation. If this also fails, an error is 
returned to the caller.

I have two questions:

1. what is the name and value is for the registry key in order to allow the fallback to server-side wrapping to be activated again.

2. Is your tracing tool also able to debug client side powershell scripts? My customer
    is able to trigger the problem with ConvertFrom-SecureString/ConvertTo-SecureString


More information about the cifs-protocol mailing list