[cifs-protocol] MSFT-CVE-2022-21925 MS-BKRP Performing Client-Side Wrapping of Secrets - TrackingID#2207200040005482

Jeff McCashland (He/him) jeffm at microsoft.com
Wed Jul 20 15:56:24 UTC 2022

[DocHelp to BCC, SR ID on Subject]

Hi metze,

Thank you for submitting your question. We have created SR 2207200040005482 to track this issue. 

I will research the issue and let you know what traces to collect. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Stefan Metzmacher <metze at samba.org> 
Sent: Wednesday, July 20, 2022 5:55 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] MSFT-CVE-2022-21925 MS-BKRP Performing Client-Side Wrapping of Secrets

Hi Dochelp,

I'm currently debugging a problem where clients seem to have problems with our MS-BKRP implementation.

I found the following:

<18> Section The process of falling back to server-side wrapping using the BACKUPKEY_BACKUP_GUID when retrieval of the server's public key fails using the BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID is no longer available by default for the operating systems specified in [MSFT-CVE-2022-21925].  However, the fall back to server-side wrapping can be enabled by adding a registry key designed for this purpose.

In addition, as noted earlier, Windows clients always retry failing operations once. The resulting process is as follows: The client first tries the BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID operation, and if it fails, the client performs DC (2) rediscovery and retries the same operation. If the retry fails, the client tries a BACKUPKEY_BACKUP_GUID operation. If this fails, the client performs DC rediscovery again and retries the BACKUPKEY_BACKUP_GUID operation. If this also fails, an error is returned to the caller.

I have two questions:

1. What are the name and value of the registry key that allows the fallback to server-side wrapping to be activated again?

2. Is your tracing tool also able to debug client-side PowerShell scripts? My customer is able to trigger the problem with ConvertFrom-SecureString/ConvertTo-SecureString.
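The retry and fallback sequence quoted above from the MS-BKRP product behaviour note, modelled as an added example (not Samba, Microsoft or any code from this thread). It uses constructed fake DCs so it runs offline; the unnamed registry key that re-enables server-side wrapping is represented by the boolean `allow_server_side_wrapping`, and the DC names, the round-robin locator and the `FakeDc` flags are assumptions made for the illustration. The log it produces makes visible how many BackupKey calls a client issues, and against which DC, before it gives up.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Operation GUID names from MS-BKRP (values here are labels only).
RETRIEVE = "BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID"  # get DC public key, wrap locally
BACKUP = "BACKUPKEY_BACKUP_GUID"                # send secret, DC wraps it


class BackupKeyError(Exception):
    """The DC rejected or failed the requested BackupKey operation."""


@dataclass
class FakeDc:
    """Constructed stand-in for a DC; the flags select which ops succeed."""
    name: str
    retrieve_ok: bool = True
    backup_ok: bool = True

    def backuprkey(self, op: str, log: List[str]) -> str:
        ok = self.retrieve_ok if op == RETRIEVE else self.backup_ok
        log.append(f"{self.name}:{op}:{'ok' if ok else 'fail'}")
        if not ok:
            raise BackupKeyError(f"{op} failed on {self.name}")
        return f"{op}@{self.name}"


class BkrpClient:
    """Client sequence from the quoted note: one attempt per operation,
    DC rediscovery, exactly one retry, then (only if permitted) the same
    pattern for BACKUPKEY_BACKUP_GUID.  Assumed registry key -> bool."""

    def __init__(self, dcs: List[FakeDc], allow_server_side_wrapping: bool):
        self.dcs = dcs
        self.allow_server_side_wrapping = allow_server_side_wrapping
        self.log: List[str] = []
        self._next_dc = 0
        self.dc: Optional[FakeDc] = None

    def _discover_dc(self) -> FakeDc:
        # Assumed locator: round-robin over candidates, one per (re)discovery.
        dc = self.dcs[self._next_dc % len(self.dcs)]
        self._next_dc += 1
        self.log.append(f"discover:{dc.name}")
        self.dc = dc
        return dc

    def _attempt(self, op: str) -> str:
        if self.dc is None:
            self._discover_dc()
        try:
            return self.dc.backuprkey(op, self.log)
        except BackupKeyError:
            dc = self._discover_dc()            # DC rediscovery
            return dc.backuprkey(op, self.log)  # second failure propagates

    def protect(self) -> Tuple[str, str]:
        try:
            pubkey = self._attempt(RETRIEVE)
            return ("client-side", pubkey)
        except BackupKeyError:
            if not self.allow_server_side_wrapping:
                raise  # default after MSFT-CVE-2022-21925: no fallback
            return ("server-side", self._attempt(BACKUP))


def run(dcs: List[FakeDc], allow_server_side_wrapping: bool):
    """Drive one scenario; returns (result or None on error, call log)."""
    client = BkrpClient(dcs, allow_server_side_wrapping)
    try:
        result = client.protect()
    except BackupKeyError:
        result = None
    return result, client.log


if __name__ == "__main__":
    broken = [FakeDc("dc1", retrieve_ok=False), FakeDc("dc2", retrieve_ok=False)]
    for allow in (False, True):
        result, log = run(broken, allow)
        print(f"fallback={'on' if allow else 'off'}: {result}")
        for entry in log:
            print("  ", entry)
```

With the fallback off, a server that cannot answer BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID is tried twice (on two different DCs) and the caller gets an error with no BACKUPKEY_BACKUP_GUID request ever reaching the wire, which is the symptom a capture on the server side would show.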

