Windows DCOM Server Security Feature Bypass - CVE-2021-26414
‎04-10-2022 10:04 AM
Our Microsoft team have informed me about some changes Microsoft are making off the back of CVE-2021-26414:
In 2021 an exploit was discovered and tracked under CVE-2021-26414. This was a vulnerability in the DCOM Remote Protocol. Microsoft released a patch in Sept 2021 and introduced a change that will security harden the protocol over time. They recommended that we verify if client or server applications that use DCOM or RPC work as expected with the hardening changes enabled. Timescales are:
June 2021: The changes were made but NOT turned on by default; you can turn them on for testing with a registry key.
June 2022: The changes will be made by default, with the ability to turn them OFF with a registry key.
March 2023: The changes will be made by default, the ability to turn them OFF will be removed.
I'm trying to see if this is going to impact our MID Discovery, as there is a suggestion by our team it could. I've not found anything in support or community associated with the CVE - anyone any ideas?
Labels: MID Server, Multiple Versions
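
For anyone testing against the timeline in the post above, a check that can be run on a Windows host to see whether the hardening is switched on and whether DCOM activations are being flagged. This is an added example, not part of the original post and not ServiceNow or Microsoft code; the registry value name and event IDs are taken from Microsoft's KB5004442 guidance rather than from this thread, and the 7-day window is an arbitrary choice.

```powershell
# Audit the DCOM hardening state for CVE-2021-26414 on the local host.
# Assumption: value name and event IDs as documented in Microsoft KB5004442.
$key  = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$name = 'RequireIntegrityActivationAuthenticationLevel'

$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    $state = 'value not set: behaviour follows the default of the installed update level'
} elseif ($prop.$name -eq 1) {
    $state = 'hardening explicitly enabled'
} elseif ($prop.$name -eq 0) {
    $state = 'hardening explicitly disabled (only honoured while the off switch still exists)'
} else {
    $state = "unexpected value: $($prop.$name)"
}
Write-Output "DCOM hardening on $env:COMPUTERNAME : $state"

# DistributedCOM events added with the hardening updates:
#   10036 - logged on the DCOM server (for discovery, the target host) when a
#           client activates below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY
#   10037 / 10038 - logged on the DCOM client (for discovery, the MID Server host)
$since  = (Get-Date).AddDays(-7)   # arbitrary look-back window
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036, 10037, 10038
    StartTime    = $since
}
# Get-WinEvent raises an error when nothing matches, so suppress it and test for null.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No DCOM hardening events (10036-10038) since $since."
} else {
    # Count per event ID first, then show the first line of each message,
    # which names the user and client address involved.
    $events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
    $events |
        Select-Object TimeCreated, Id,
            @{ Name = 'Detail'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -Wrap
}
```

Run it on a discovery target to look for 10036 entries that name the MID Server's address, and on the MID Server host itself for 10037 and 10038.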

‎07-05-2022 03:59 AM
Thanks for the info Philip.
We also have a case open with much the same story - "we tested it and there was no problem" and then "We are discussing this internally with our development to address further steps and WMI discovery roadmap."
Reading between the lines of the TSE updates, I'm expecting that snow will drop WMI and push us down the WinRM and PowerShell Remoting path, rather than provide a compliant WMI client.
So far all I have are "workarounds" which involve either disabling the nice MS security update, or stop using WMI and switch to WinRM.
The latter may be a solution, but it isn't exactly quick to implement in an organization of this size and complexity. I also have a suspicion that WinRM is only used for Classification and that Exploration and even Identification would still rely on WMI calls. Anyone know?
I'll keep this thread updated with any progress.
John
‎07-12-2022 01:49 AM
Hi
Can you confirm that after you updated the MID Server Windows host with the latest Windows patch, WMI queries started working again without issues?
Thank you!
‎08-15-2022 08:00 AM
Thanks for the info, John. We are facing issues in Windows discovery after the June 2022 patch and Microsoft suggested that we use the workaround for now. But we are not sure what we could do after March 23. We would appreciate it if you find any alternative to make this work after March 23.