Windows DCOM Server Security Feature Bypass - CVE-2021-26414
‎04-10-2022 10:04 AM
Our Microsoft team have informed me about some changes Microsoft are making off the back of CVE-2021-26414:
In 2021 an exploit was discovered and tracked under CVE-2021-26414. This was a vulnerability in the DCOM Remote Protocol. Microsoft released a patch in Sept 2021 and introduced a change that will security harden the protocol over time. They recommended that we verify if client or server applications that use DCOM or RPC work as expected with the hardening changes enabled. Timescales are:
June 2021: The changes were made but NOT turned on by default; you can turn them on for testing with a registry key.
June 2022: The changes will be made by default, with the ability to turn them OFF with a registry key.
March 2023: The changes will be made by default, the ability to turn them OFF will be removed.
I'm trying to see if this is going to impact our MID Discovery, as there is a suggestion by our team it could. I've not found anything in support or community associated with the CVE - anyone any ideas?
Labels: MID Server, Multiple Versions
‎05-04-2022 02:20 AM
Did you find anything on this?
‎05-12-2022 08:16 AM
Yes, we raised a support ticket with ServiceNow and they said they hadn't seen any impact of this in their development instances.

‎06-27-2022 05:52 AM
Hi Philip,
We have started seeing issues with discovery since the July 14 update, with errors like this:
The server-side authentication level policy does not allow the user *********** from address ************ to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
Adding the key RequireIntegrityActivationAuthenticationLevel with value 0x00000000 on the target (discovered) server does work, but obviously it needs to be fixed at the MID application level.
I will open a case with support. Did you ever get more information from them about this?
John
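An added example (not part of John's post and not ServiceNow or Microsoft code): a small parser that takes lines containing the error quoted above and counts rejected activations per client address and account, showing which discovery sources still connect below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. The sample lines, account names, SID and addresses are constructed, and the optional `SID (...)` field is an assumption about the unmasked message.

```python
import re
from collections import Counter

# Message shape taken from the error quoted in the post above.
_TEMPLATE = (
    "The server-side authentication level policy does not allow the user "
    "{user} from address {addr} to activate DCOM server. Please raise the "
    "activation authentication level at least to "
    "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application."
)

# Constructed sample input: users, SID and addresses are made up.
SAMPLE_LINES = [
    _TEMPLATE.format(user=r"EXAMPLE\svc_mid SID (S-1-5-21-1-2-3-1104)", addr="10.0.5.21"),
    _TEMPLATE.format(user=r"EXAMPLE\svc_mid SID (S-1-5-21-1-2-3-1104)", addr="10.0.5.21"),
    _TEMPLATE.format(user=r"EXAMPLE\svc_scan", addr="10.0.5.40"),
    "The DCOM server started normally.",  # unrelated line, must be ignored
]

# The SID group is optional (assumption: the unmasked message may carry one).
REJECTED = re.compile(
    r"does not allow the user (?P<user>.+?)"
    r"(?: SID \((?P<sid>S-[\d-]+)\))?"
    r" from address (?P<addr>\S+) to activate DCOM server\."
    r".*?at least to (?P<level>RPC_C_AUTHN_LEVEL_\w+)"
)

def rejected_clients(lines):
    """Count rejected activations per (address, user, required level)."""
    counts = Counter()
    for line in lines:
        m = REJECTED.search(line)
        if m:
            counts[(m["addr"], m["user"], m["level"])] += 1
    return counts

def report(lines):
    """One row per client, most frequently rejected first."""
    return [
        f"{addr}  {user}  {n} rejected, needs >= {level}"
        for (addr, user, level), n in rejected_clients(lines).most_common()
    ]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LINES)))
```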
‎06-28-2022 02:37 PM
Hi John,
No, the only response we had from them was that they'd tested it in their labs and hadn't seen any impact - response below. Our case reference was CS5977806 if you want to reference it.
Issue:
Will Implementing Microsoft Windows patch CVE-2021-26414/ 'Windows DCOM Server Security Feature Bypass' have any impact on ServiceNow Discovery.
https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c
Solution Proposed:
Investigation Summary:
1) Searched Knowledge Base and Recent Case Study
-- 1 Result from December for the same question/concern.
-- Resolution - TSE Tested this in a lab environment and found no issue in regards to Discovery failing.
2) Given the lack of Cases found and this not coming up in common issues that we see daily this most likely has no impact on ServiceNow Discovery as was tested by one of our Support Engineers.