
    CVE-2017-8563 Ldap Enforce Channel Binding

    • mbamagh

      Hello team,

      Hope all of you are doing well!

      I had a DC server running Microsoft Windows Server 2008 R2 x64. After a vulnerability scan launched on this server using Nexpose, CVE-2017-8563 was reported by the vulnerability scanner with the message "Vulnerable software installed: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters LdapEnforceChannelBinding - contains unexpected value 0".
      As I understand from the CVE report, I have to:

      1. Install the KB4025337
      2. Create the registry key "LdapEnforceChannelBinding" and set it to 1 to enable the KB to fix the CVE reported.

      I checked on the server side: the required KB, KB4025337, is already applied according to "Get-HotFix -Id KB4025337" (but installed on 08/20/2017), so the missing action was to create and set a registry key value "LdapEnforceChannelBinding" to enable the KB to fix the CVE reported.

      I relaunched the Nexpose scan and I get the same vulnerability reported, with the message "Vulnerable software installed: non-vulnerable test results suppressed for readability.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters LdapEnforceChannelBinding - contains unexpected value 1"

      I also checked the Local Group Policy, and I can see that:
      • "DC: LDAP server channel Binding token requirement" is set to: When supported
      • "DC: LDAP server signing requirement" is set to: None

      Could someone please help in resolving this issue as it's an emergency for me?
      Should I remove the KB and install it again? Could this fix the vulnerability reported?

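An added example, not part of the original post: a PowerShell check that reads the hotfix and the two LDAP settings the post mentions and translates the raw registry values into their policy names. The function names are hypothetical; the `LDAPServerIntegrity` value name and the value-to-policy mappings are taken from Microsoft's documentation for these settings, not from the post, and the sample input at the end is constructed to mirror the post.

```powershell
# Added example, not from the original post; function names are hypothetical.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Value meanings per Microsoft's documentation for these two settings.
$CbtPolicy  = @{ 0 = 'Never'; 1 = 'When supported'; 2 = 'Always' }
$SignPolicy = @{ 1 = 'None'; 2 = 'Require signing' }

function Resolve-PolicyName($Map, $Value) {
    # Translate a raw registry value; keep absent and unknown values visible.
    if ($null -eq $Value) { return 'not set' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "unknown ($Value)"
}

function ConvertTo-LdapHardeningReport($ChannelBinding, $ServerIntegrity, [bool]$HotfixInstalled) {
    New-Object PSObject -Property @{
        HotfixInstalled      = $HotfixInstalled
        ChannelBindingValue  = $ChannelBinding
        ChannelBindingPolicy = Resolve-PolicyName $CbtPolicy $ChannelBinding
        SigningValue         = $ServerIntegrity
        SigningPolicy        = Resolve-PolicyName $SignPolicy $ServerIntegrity
        CbtAlwaysEnforced    = ($ChannelBinding -eq 2)
        SigningRequired      = ($ServerIntegrity -eq 2)
    }
}

function Get-RegValueOrNull([string]$Name) {
    # Returns $null when the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $NtdsParams -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-LdapHardeningState {
    # Live read of the hotfix and both registry values on the domain controller.
    $kb = Get-HotFix -Id 'KB4025337' -ErrorAction SilentlyContinue
    ConvertTo-LdapHardeningReport `
        -ChannelBinding  (Get-RegValueOrNull 'LdapEnforceChannelBinding') `
        -ServerIntegrity (Get-RegValueOrNull 'LDAPServerIntegrity') `
        -HotfixInstalled ([bool]$kb)
}

# Constructed sample mirroring the post: hotfix present, CBT = 1, signing = None (1).
ConvertTo-LdapHardeningReport -ChannelBinding 1 -ServerIntegrity 1 -HotfixInstalled $true | Format-List
```

On the constructed sample, `ChannelBindingPolicy` reads "When supported" and `CbtAlwaysEnforced` is False, matching the Local Group Policy setting quoted in the post; `Get-LdapHardeningState` performs the same report against the live server.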