[cifs-protocol] MSFT-CVE-2022-21925 MS-BKRP 220.127.116.11 Performing Client-Side Wrapping of Secrets - TrackingID#2207200040005482
Jeff McCashland (He/him)
jeffm at microsoft.com
Wed Jul 20 15:56:24 UTC 2022
[DocHelp to BCC, SR ID on Subject]
Thank you for submitting your question. We have created SR 2207200040005482 to track this issue.
I will research the issue and let you know what traces to collect.
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
From: Stefan Metzmacher <metze at samba.org>
Sent: Wednesday, July 20, 2022 5:55 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] MSFT-CVE-2022-21925 MS-BKRP 18.104.22.168 Performing Client-Side Wrapping of Secrets
I'm currently debugging a problem where clients seem to have problems with our MS-BKRP implementation.
I found the following:
<18> Section 22.214.171.124: The process of falling back to server-side wrapping using the BACKUPKEY_BACKUP_GUID when retrieval of the server's public key fails using the BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID is no longer available by default for the operating systems specified in [MSFT-CVE-2022-21925]. However, the fallback to server-side wrapping can be enabled by adding a registry key designed for this purpose.
In addition, as noted earlier, Windows clients always retry failing operations once. The resulting process is as follows: The client first tries the BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID operation, and if it fails, the client performs DC (2) rediscovery and retries the same operation. If the retry fails, the client tries a BACKUPKEY_BACKUP_GUID operation. If this fails, the client performs DC rediscovery again and retries the BACKUPKEY_BACKUP_GUID operation. If this also fails, an error is returned to the caller.
I have two questions:
1. What are the name and value of the registry key that allow the fallback to server-side wrapping to be activated again?
2. Is your tracing tool also able to debug client-side PowerShell scripts? My customer is able to trigger the problem with ConvertFrom-SecureString/ConvertTo-SecureString.
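The retry and fallback sequence quoted from the MS-BKRP note above can be followed more easily as a small simulation. The following is an added example, not code from Samba, Microsoft or the MS-BKRP specification: the DC is modelled as a caller-supplied callable, the `allow_server_side_fallback` flag stands in for the registry switch the note mentions (its name and value are not on this page), and the operation order is exactly the one the note describes: one attempt, DC rediscovery, one retry, then (only if fallback is enabled) the same pattern with BACKUPKEY_BACKUP_GUID.

```python
"""Simulation of the MS-BKRP client retry/fallback sequence quoted in the
thread. Constructed example: DC behaviour is a caller-supplied callable, so
no network, domain or registry is involved."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Operation names as used in the MS-BKRP text quoted in the thread.
RETRIEVE_BACKUP_KEY = "BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID"
SERVER_SIDE_BACKUP = "BACKUPKEY_BACKUP_GUID"

# Outcomes of one wrapping attempt (labels chosen for this example).
CLIENT_SIDE = "client-side"   # secret wrapped locally with the DC's public key
SERVER_SIDE = "server-side"   # plaintext secret handed to the DC to wrap
FAILED = "error"              # error returned to the caller


@dataclass
class Trace:
    """What the simulated client did, in order."""
    calls: List[str] = field(default_factory=list)
    dc_rediscoveries: int = 0


def wrap_secret(dc_call: Callable[[str, int], bool],
                allow_server_side_fallback: bool = False) -> Tuple[str, Trace]:
    """Run the client sequence described in the MS-BKRP note.

    dc_call(op, attempt) models one BackuprKey operation against the current
    DC and returns True on success; attempt is 0 before DC rediscovery and 1
    after. allow_server_side_fallback models the registry switch from the
    note (assumed default False, matching [MSFT-CVE-2022-21925]): when False,
    a failed public-key retrieval is a hard error instead of a fallback that
    would send the secret to the DC for server-side wrapping.
    """
    trace = Trace()

    def try_twice(op: str) -> bool:
        # First attempt, then DC rediscovery and exactly one retry.
        trace.calls.append(op)
        if dc_call(op, 0):
            return True
        trace.dc_rediscoveries += 1
        trace.calls.append(op)
        return dc_call(op, 1)

    if try_twice(RETRIEVE_BACKUP_KEY):
        return CLIENT_SIDE, trace
    if not allow_server_side_fallback:
        return FAILED, trace
    if try_twice(SERVER_SIDE_BACKUP):
        return SERVER_SIDE, trace
    return FAILED, trace


# --- constructed DC behaviours for demonstration --------------------------

def healthy_dc(op: str, attempt: int) -> bool:
    return True


def dc_without_public_key(op: str, attempt: int) -> bool:
    # Models a DC that never serves its public key but would still accept a
    # server-side wrapping request; this is the case the fallback used to hide.
    return op == SERVER_SIDE_BACKUP


def dead_dc(op: str, attempt: int) -> bool:
    return False


if __name__ == "__main__":
    scenarios = [("healthy", healthy_dc),
                 ("no-pubkey", dc_without_public_key),
                 ("dead", dead_dc)]
    for name, dc in scenarios:
        for fallback in (False, True):
            outcome, trace = wrap_secret(dc, allow_server_side_fallback=fallback)
            print(f"{name:10} fallback={fallback!s:5} -> {outcome:11} "
                  f"calls={trace.calls} rediscoveries={trace.dc_rediscoveries}")
```

With the default (no fallback), a DC that cannot serve its public key produces exactly two BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID calls separated by one DC rediscovery and then an error; that is the pattern to look for in a server-side trace when clients start failing after the CVE-2022-21925 change, and it is also why a server-side fix (serving the public key) is preferable to re-enabling the fallback.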