[cifs-protocol] MSFT-CVE-2022-21925 MS-BKRP 3.2.4.1 Performing Client-Side Wrapping of Secrets
Stefan Metzmacher
metze at samba.org
Wed Jul 20 12:55:21 UTC 2022
Hi Dochelp,
I'm currently debugging a problem where clients seem to have problems with our MS-BKRP implementation.
I found the following:
<18> Section 3.2.4.1: The process of falling back to server-side wrapping using the BACKUPKEY_BACKUP_GUID when retrieval of the server's public key fails using the BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID is no longer available by default for the operating systems specified in [MSFT-CVE-2022-21925]. However, the fallback to server-side wrapping can be enabled by adding a registry key designed for this purpose.

In addition, as noted earlier, Windows clients always retry failing operations once. The resulting process is as follows: The client first tries the BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID operation, and if it fails, the client performs DC (2) rediscovery and retries the same operation. If the retry fails, the client tries a BACKUPKEY_BACKUP_GUID operation. If this fails, the client performs DC rediscovery again and retries the BACKUPKEY_BACKUP_GUID operation. If this also fails, an error is returned to the caller.
I have two questions:
1. What are the name and value of the registry key that allows the fallback to server-side wrapping to be activated again?
2. Is your tracing tool also able to debug client-side PowerShell scripts? My customer is able to trigger the problem with ConvertFrom-SecureString/ConvertTo-SecureString.
Thanks!
metze
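The retry and fallback order quoted from the errata note above, written out as a small model so the four-attempt sequence can be checked. This is an added example and is not code from the post, from Samba or from Windows. Assumptions not on the page: the BackuprKey RPC is reduced to a per-DC success flag, DC rediscovery is simulated by moving to the next DC in a list (staying on the current one when no other is known), and the registry switch that re-enables server-side wrapping is modelled as the boolean `allow_server_side_fallback`, since the real key name and value are exactly what the post asks for.

```python
"""Added example (not code from the original post, Samba or Windows): a
model of the MS-BKRP client-side retry and fallback order from the
errata note for section 3.2.4.1.

Assumptions not stated on the page: the RPC transport is reduced to a
per-DC success flag, and the registry switch that re-enables server-side
wrapping is modelled as the boolean ``allow_server_side_fallback``.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Symbolic names only; the GUID values themselves are defined in MS-BKRP.
BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID = "BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID"
BACKUPKEY_BACKUP_GUID = "BACKUPKEY_BACKUP_GUID"


@dataclass(frozen=True)
class Dc:
    """A simulated domain controller (constructed input)."""
    name: str
    retrieve_ok: bool   # does BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID succeed here?
    backup_ok: bool     # does BACKUPKEY_BACKUP_GUID succeed here?


@dataclass(frozen=True)
class Attempt:
    dc: str
    guid: str
    ok: bool


def _backupr_key(dc: Dc, guid: str) -> bool:
    """Stand-in for the BackuprKey RPC; returns whether the call succeeded."""
    if guid == BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID:
        return dc.retrieve_ok
    if guid == BACKUPKEY_BACKUP_GUID:
        return dc.backup_ok
    raise ValueError(f"unexpected GUID {guid}")


def wrap_secret(dcs: List[Dc], allow_server_side_fallback: bool) -> Tuple[Optional[str], List[Attempt]]:
    """Run the client procedure from the errata note.

    Order: RETRIEVE on the current DC; on failure, DC rediscovery and one
    retry of RETRIEVE.  Only when the fallback is enabled: BACKUP on the
    current DC; on failure, DC rediscovery and one retry of BACKUP.

    Returns (GUID of the operation that succeeded or None, attempt log).
    DC rediscovery is simulated by advancing through ``dcs``; when no
    further DC is known the client stays on the current one.
    """
    if not dcs:
        raise ValueError("at least one DC is required")
    remaining: Iterator[Dc] = iter(dcs)
    current = next(remaining)
    attempts: List[Attempt] = []

    operations = [BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID]
    if allow_server_side_fallback:
        operations.append(BACKUPKEY_BACKUP_GUID)

    for guid in operations:
        for is_retry in (False, True):
            if is_retry:
                current = next(remaining, current)  # DC rediscovery
            ok = _backupr_key(current, guid)
            attempts.append(Attempt(current.name, guid, ok))
            if ok:
                return guid, attempts
    return None, attempts   # the caller surfaces this as an error


def attempt_order(dcs: List[Dc], allow_server_side_fallback: bool) -> List[Tuple[str, str]]:
    """Convenience view of which operation was tried against which DC."""
    _, attempts = wrap_secret(dcs, allow_server_side_fallback)
    return [(a.dc, a.guid) for a in attempts]


if __name__ == "__main__":
    # Public-key retrieval fails on every DC; only DC3 can do server-side wrapping.
    fleet = [Dc("DC1", False, False), Dc("DC2", False, False), Dc("DC3", False, True)]
    print(wrap_secret(fleet, allow_server_side_fallback=False))  # (None, ...): hard failure
    print(wrap_secret(fleet, allow_server_side_fallback=True))   # (BACKUP, ...) after 4 attempts
```

The point the model makes visible is that, with the fallback disabled, a server whose BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID handling is broken is never given a second chance via BACKUPKEY_BACKUP_GUID: the client fails after two RETRIEVE attempts, which is the behaviour a server implementation has to expect from patched clients.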