Summary
The July 13, 2021 Windows updates and later Windows updates add protections for CVE-2021-33757.
After installing the July 13, 2021 Windows updates or later Windows updates, Advanced Encryption Standard (AES) encryption will be the preferred method on Windows clients when using the legacy MS-SAMR protocol for password operations if AES encryption is supported by the SAM server. If AES encryption is not supported by the SAM server, fallback to the legacy RC4 encryption will be allowed.
Changes in CVE-20201-33757 are specific to the MS-SAMR protocol and are independent of other authentication protocols. MS-SAMR uses SMB over RPC and named pipes. Although SMB also supports encryption, it is not enabled by default. By default, the changes in CVE-20201-33757 are enabled and provide additional security at the SAM layer. No additional configuration changes are required beyond installing protections for CVE-20201-33757 included in the July 13, 2021 Windows updates or later Windows updates on all supported versions of Windows. Unsupported versions of Windows should be discontinued or upgraded to a supported version.
Note CVE-2021-33757 only modifies how passwords are encrypted in-transit when using specific APIs of the MS-SAMR protocol and specifically DO NOT modify how passwords are stored at rest. For more information about how passwords are encrypted at rest in Active Directory and locally in the SAM Database (registry), see Passwords Overview.
More information
-
Password change pattern
The updates modify password change pattern of the protocol by adding a new password change method that will use AES.
Old Method with RC4
New Method with AES
SamrUnicodeChangePasswordUser2 (OpNum 55)
SamrUnicodeChangePasswordUser4 (OpNum 73)
For complete list of MS-SAMR OpNums, see Message Processing Events and Sequencing Rules.
-
Password set pattern
The updates modify password set pattern of the protocol by adding two new User Information Classes to the SamrSetInformationUser2 (Opnum 58) method. You can set password information as follows.
Old Method with RC4
New Method with AES
SamrSetInformationUser2 (Opnum 58) together with UserInternal4InformationNew which holds an encrypted user password with RC4.
SamrSetInformationUser2 (Opnum 58) together with UserInternal8Information which holds an encrypted user password with AES.
SamrSetInformationUser2 (Opnum 58) together with UserInternal5InformationNew which holds an encrypted user password with RC4 and all other user attributes.
SamrSetInformationUser2 (Opnum 58) together with UserInternal7Information which holds an encrypted password with AES and all other user attributes.
The existing SamrConnect5 method is typically used to establish a connection between the SAM client and server.
An updated server will now return a new bit in the SamrConnect5() response as defined in SAMPR_REVISION_INFO_V1.
|
Value |
Meaning |
|
0x00000010 |
On receipt by the client, this value, when set, indicates that the client should use AES Encryption with the SAMPR_ENCRYPTED_PASSWORD_AES structure to encrypt password buffers when sent over the wire. See AES Cipher Usage (section 3.2.2.4) and SAMPR_ENCRYPTED_PASSWORD_AES (section 2.2.6.32). |
If the updated server supports AES, the client will use new methods and new information classes for password operations. If the server does not return this flag or if the client is not updated, the client will fall back to using previous methods with RC4 encryption.
Password Set operations require a writeable domain controller (RWDC). Password changes are forwarded by the Read Only Domain Controller (RODC) to a RWDC. All devices must be updated for AES to be used. For example:
-
If the client, RODC or RWDC is not updated, RC4 encryption will be used.
-
If the client, RODC and RWDC are updated, AES encryption will be used.
The July 13, 2021 updates add four new events to the system log to help identify devices that are not updated and helps improve security.
-
Configuration state Event ID 16982 or 16983 is logged on startup or upon a registry configuration change.
Event ID 16982Event log
System
Event source
Directory-Services-SAM
Event ID
16982
Level
Information
Event message text
The security account manager is now logging verbose events for remote clients that call legacy password change or set RPC methods. This setting may cause a large number of messages and should only be used for a short period time to diagnose problems.
Event ID 16983Event log
System
Event source
Directory-Services-SAM
Event ID
16983
Level
Information
Event message text
The security account manager is now logging periodic summary events for remote clients that call legacy password change or set RPC methods.
-
After applying the July 13, 2021 update, a Summary Event 16984 is logged to the System event log every 60 minutes.
Event ID 16984Event log
System
Event source
Directory-Services-SAM
Event ID
16984
Level
Information
Event message text
The security account manager detected %x legacy password change or set RPC method calls in the past 60 minutes.
-
After configuring verbose event logging, Event ID 16985 is logged to the System event log every time a legacy RPC method is used to change or set an account password.
Event ID 16985Event log
System
Event source
Directory-Services-SAM
Event ID
16985
Level
Information
Event message text
The security account manager detected the use of a legacy change or set RPC method from a network client. Consider upgrading the client operating system or application to use the latest and more secure version of this method.
Details:
RPC Method: %1
Client Network Address: %2
Client SID: %3
Username: %4
To log verbose Event ID 16985, toggle the following registry value on the server or domain controller.
Path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM
Type
REG_DWORD
Value name
AuditLegacyPasswordRpcMethods
Value data
1 = verbose logging is enabled
0 or not present = verbose logging is disabled. Summary events only. (Default)
As described in SamrUnicodeChangePasswordUser4 (Opnum 73), when you use the new SamrUnicodeChangePasswordUser4 method, the client and server will use the PBKDF2 Algorithm to derive an encryption and decryption key from the plaintext old password. This is because the old password is the only common secret that is known to both the server and the client.
For more information about PBKDF2, see BCryptDeriveKeyPBKDF2 function (bcrypt.h).
If you must make a change for performance and security reasons, you can adjust the number of PBKDF2 iterations used by the client for password change by setting the following registry value on the client.
Note: Decreasing the number of PBKDF2 iterations will decrease security. We do not recommend that the number is decreased from the default. However, we do recommend that you use the highest possible number of PBKDF2 iterations.
|
Path |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM |
|
Type |
REG_DWORD |
|
Value name |
PBKDF2Iterations |
|
Value data |
Minimum of 5,000 to a maximum of 1,000,000 |
|
Value default |
10,000 |
Note: PBKDF2 is not used for password set operations. For password set operations the SMB session key is the shared secret between client and server and used as the basis for deriving encryption keys.
For more information, see Acquiring an SMB Session Key.
Frequently Asked Questions (FAQ)
Downgrade happens when the server or the client does not support AES.
Updated servers will log events when legacy methods with RC4 are used.
There is currently no enforcement mode available but there may be in the future. We do not have a date.
If a third-party device is not using the SAMR protocol, then this is not important. Third-party vendors who implement the MS-SAMR protocol may choose to implement this. Contact the third-party vendor for any questions.
No additional changes are required.
This protocol is legacy, and we anticipate its use is very low. Legacy applications may use these APIs. Also, some Active Directory tools such as AD Users and Computers MMC uses SAMR.
No. Only password changes that use these specific SAMR APIs are affected.
Yes. PBKDF2 is more expensive than RC4. If there are many password changes occurring at the same time on the domain controller calling the SamrUnicodeChangePasswordUser4 API, the CPU load of LSASS might be affected. You can tune the PBKDF2 iterations on clients if it is necessary, however we do not recommend decreasing from the default as this would lower security.
References
Authenticated Encryption with AES-CBC and HMAC-SHA
Third-party information disclaimer
We provide third-party contact information to help you find technical support. This contact information may change without notice. We do not guarantee the accuracy of this third-party contact information.
