Workaround for KB5004442/CVE-2021-26414

AndrewPMI
Engaged Sweeper
Microsoft has some upcoming changes to enforce RPC authentication and signing. This can be enabled right now with RequireIntegrityActivationAuthenticationLevel=1, and this is currently expected to become the default setting within the next couple of patch cycles. Currently, this breaks Lansweeper's agentless scanning when enabled, and Lansweeper's guidance is to set it to 0 - a solution that decreases security and won't be an option past early 2022.

I've found another workaround by setting HKLM\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel=6. This takes effect immediately, and changes outbound RPC to attempt connection with packet privacy unless the calling application explicitly requests a different authentication level. With this set, Lansweeper can scan systems with RequireIntegrityActivationAuthenticationLevel=1 successfully. This may also solve issues with other RPC-driven applications that could break with Microsoft's upcoming change; apps which aren't as well maintained as Lansweeper.

I am still reviewing the impact of DefaultAuthLevel=6 in a lab environment for other potential issues, but thus far it appears to be OK in a simple single-domain environment. I would expect both DefaultAuthLevel=6 and RequireIntegrityActivationAuthenticationLevel=1 to have a higher probability of causing misbehaviours in more complex, multi-domain environments with apps that plumb deeply into domain authentication (e.g. on-premises SharePoint). On a server dedicated to Lansweeper alone, DefaultAuthLevel=6 appears quite safe to set. Given that DefaultAuthLevel doesn't require a reboot to take effect (whereas RequireIntegrityActivationAuthenticationLevel does), reverting it is also simple.

One mild challenge is that HKLM\SOFTWARE\Microsoft\Rpc\SecurityService is write-locked to TrustedInstaller, so a permissions change is required to modify the registry. PowerShell can do this, but it does require a fairly lengthy script. For brevity, this is the classic cmd/batch syntax to go with Helge Klein's SetACL utility:
SetACL64 -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService" -ot reg -actn setowner -ownr "n:Administrators" -silent -ignoreerr

SetACL64 -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService" -ot reg -actn ace -ace "n:Administrators;p:Full;m:Grant" -silent -ignoreerr

reg add "HKLM\SOFTWARE\Microsoft\Rpc\SecurityService" /v DefaultAuthLevel /t REG_DWORD /d 6 /f

** Replace Administrators with SYSTEM or another appropriate identity for the context your script is running in.

https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

https://www.lansweeper.com/knowledgebase/the-rpc-server-is-unavailable/

https://helgeklein.com/setacl/
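Added example (not part of the original post, and not Lansweeper's or Microsoft's code): a PowerShell companion to the SetACL/reg.exe steps above that audits the two values the post discusses, backs the Rpc\SecurityService key up to a .reg file before touching it, sets DefaultAuthLevel, and can roll the change back. It assumes the TrustedInstaller ownership change from the post has already been made (it only reports Access Denied if not), and the Ole\AppCompat path for RequireIntegrityActivationAuthenticationLevel is taken from the linked KB5004442 article. Function names are the example's own.

```powershell
# Run from an elevated PowerShell session.

# Key and value names: Rpc\SecurityService\DefaultAuthLevel from the post above,
# Ole\AppCompat\RequireIntegrityActivationAuthenticationLevel from KB5004442.
$RpcKey    = 'HKLM:\SOFTWARE\Microsoft\Rpc\SecurityService'
$RpcValue  = 'DefaultAuthLevel'
$DcomKey   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$DcomValue = 'RequireIntegrityActivationAuthenticationLevel'

# RPC_C_AUTHN_LEVEL_* constants, for readable output (6 = packet privacy)
$AuthLevelNames = @{
    0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call'
    4 = 'Pkt'; 5 = 'PktIntegrity'; 6 = 'PktPrivacy'
}

function Get-RegDword([string]$Key, [string]$Name) {
    # $null means the value (or key) is absent and the Windows default applies
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-RpcHardeningState {
    # Snapshot of both settings, useful before and after a change
    $rpc  = Get-RegDword $RpcKey  $RpcValue
    $dcom = Get-RegDword $DcomKey $DcomValue
    $rpcName = if ($null -eq $rpc) { 'not set' } else { $AuthLevelNames[$rpc] }
    [pscustomobject]@{
        DefaultAuthLevel                              = $rpc
        DefaultAuthLevelName                          = $rpcName
        RequireIntegrityActivationAuthenticationLevel = $dcom
        DcomHardeningEnforced                         = ($dcom -eq 1)
    }
}

function Backup-RpcSecurityServiceKey {
    param([string]$Path = (Join-Path $env:TEMP ('RpcSecurityService-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))))
    # reg.exe export produces a file that "reg import" can restore verbatim
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Rpc\SecurityService' $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    return $Path
}

function Set-RpcDefaultAuthLevel {
    param([ValidateRange(0, 6)][int]$Level = 6)
    $backup = Backup-RpcSecurityServiceKey
    try {
        # Takes effect immediately for new outbound RPC connections; no reboot needed
        Set-ItemProperty -Path $RpcKey -Name $RpcValue -Value $Level -Type DWord -ErrorAction Stop
    } catch {
        if ($_.Exception -is [System.Security.SecurityException] -or
            $_.Exception -is [System.UnauthorizedAccessException]) {
            throw "Access denied writing $RpcKey (owned by TrustedInstaller). Run the SetACL ownership/ACE steps first. Backup kept at $backup"
        }
        throw
    }
    return $backup
}

function Restore-RpcSecurityServiceKey([string]$BackupPath) {
    # Roll back to the exported state if an RPC-dependent app misbehaves
    & reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
}

# Usage:
#   Get-RpcHardeningState
#   $backup = Set-RpcDefaultAuthLevel -Level 6
#   Get-RpcHardeningState
#   Restore-RpcSecurityServiceKey $backup
```

Keeping the exported .reg file next to the change log is what makes the post's "reverting it is also simple" hold in practice: reg import puts the key back exactly, including the case where DefaultAuthLevel was absent before.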