RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563)





  • https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563

    FAQ

    In addition to installing the updates for CVE-2017-8563 are there any further steps I need to carry out to be protected from this CVE?
    Yes. To make LDAP authentication over SSL/TLS more secure, administrators need to create a LdapEnforceChannelBinding registry setting on a Domain Controller. For more information about setting this registry key, see Microsoft Knowledge Base article 4034879.

    https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry



  • This is also very important information to highlight:

    Note Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled.

    To maximize compatibility with older operating system versions (Windows 7 and earlier versions), we recommend that you enable this setting with a value of 1.

    To explicitly disable the setting, set the LdapEnforceChannelBinding entry to 0 (zero).



  • @irj said in RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563):

    This is also very important information to highlight:

    Note Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled.

    To maximize compatibility with older operating system versions (Windows 7 and earlier versions), we recommend that you enable this setting with a value of 1.

    To explicitly disable the setting, set the LdapEnforceChannelBinding entry to 0 (zero).

    My questions: After installing the security update on Domain Controllers and creating the LdapEnforceChannelBinding registry, do clients have to install the security update if the LdapEnforceChannelBinding registry value DWORD on the DCs were set to 1 (enabled, when supported)? Or only if it was set to value 2 (enabled, always)? I didn't know if clients needed the security update no matter what the DWORD value was set to after creating the LdapEnforceChannelBinding reg key...



  • @jsecurity2017 said in RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563):

    @irj said in RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563):

    This is also very important information to highlight:

    Note Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled.

    To maximize compatibility with older operating system versions (Windows 7 and earlier versions), we recommend that you enable this setting with a value of 1.

    To explicitly disable the setting, set the LdapEnforceChannelBinding entry to 0 (zero).

    My questions: After installing the security update on Domain Controllers and creating the LdapEnforceChannelBinding registry, do clients have to install the security update if the LdapEnforceChannelBinding registry value DWORD on the DCs were set to 1 (enabled, when supported)? Or only if it was set to value 2 (enabled, always)? I didn't know if clients needed the security update no matter what the DWORD value was set to after creating the LdapEnforceChannelBinding reg key...

    Yes you absolutely still need to patch. If you look at the associated kb, more than that particular cve is being fixed.

    https://support.microsoft.com/en-us/help/4025338/windows-10-update-kb4025338



  • @irj

    Hello IRJ! The main thing I am getting at is if you patch the DCs and create the LdapEnforceChannelBinding registry key on the DCs, will things break in the environment if the clients haven't installed the patch yet?



  • @jsecurity2017 said in RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563):

    @irj

    Hello IRJ! The main thing I am getting at is if you patch the DCs and create the LdapEnforceChannelBinding registry key on the DCs, will things break in the environment if the clients haven't installed the patch yet?

    The article that IRJ linked to said yes, things MAY break.



  • @dashrender

    If clients require the patch first before installing on the DC and making the registry change it should be more clear. https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry states that "Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled."

    Then it states that "To maximize compatibility with older operating system versions (Windows Server 2008 and earlier versions), we recommend that you enable this setting with a value of 1. See Microsoft Security Advisory 973811 for more details."

    I was thinking, if you set the DWORD to value of 1 then clients may not need the patch right away.



  • I definitely see what you're saying - that's why the may is there.

    I guess my bigger question is - why are you not deploying the cumulative updates ASAP? As IRJ said, there are many other fixes besides this one in this update.



  • @jsecurity2017 said in RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563):

    @dashrender

    If clients require the patch first before installing on the DC and making the registry change it should be more clear. https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry states that "Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled."

    Then it states that "To maximize compatibility with older operating system versions (Windows Server 2008 and earlier versions), we recommend that you enable this setting with a value of 1. See Microsoft Security Advisory 973811 for more details."

    I was thinking, if you set the DWORD to value of 1 then clients may not need the patch right away.

    So I'd apply the patch on all clients. Then audit using Powershell and/or a vulnerability scannet to verify it is installed on all systems. Then only then would I look at Testing this change. Why even touch the reg key until you're sure it's installed everywhere.

    They are referring to 2008 (not R2) is EOL so hopefully it's no longer in your environment.



  • @JSecurity2017

    Security guys never want to see any vulnerabilities, but we know for business to function this isn't possible. This is espeically true when we look at something like this that was released two days ago. The best case scenario is having this deployed in a month when you consider patching maintenance windows, missed servers and workstations, onesies and twosies that need manual installs, etc.

    I would not break production to get rid of a vulnerability that I am going to assume at least 99% of companies are having at the moment. When you consider the timeframe of the actual patching, testing, deployment, etc. We are probably going to see this for a long time. The impact of breaking LDAP is generally HUGE and affects nearly every single user and system in the company.



  • Sometimes of times we need to weigh the actual chance of threat vs the potential impact in our environment.



  • @irj

    Hey everyone thanks for the input. It looks like we may just deploy the patch everywhere, wait until a majority of the clients install the patch, then create the registry key on the DCs. Also, since the reg change does not require a reboot you can switch values on the fly with ease.



Looks like your connection to MangoLassi was lost, please wait while we try to reconnect.