[German]Microsoft has published a revision to the security advisory for Windows vulnerability CVE-2021-26414 as of February 24, 2022. The notification is informal only. CVE-2021-26414 is the Windows DCOM Server Security Feature Bypass vulnerability that was addressed via security update as of June 8, 2021. The update enabled RPC_C_AUTHN_LEVEL_PKT_INTEGRITY by default on DCOM clients. However, Microsoft is addressing the vulnerability in a staged process with three phases. Now Microsoft has revised the FAQ with the planned dates for phases 2 and 3.
Advertising
Here is the notification Microsoft sent regarding the revision of the security update: :
*********************************************************
Title: Microsoft Security Update Revisions
Issued: February 24, 2022
*********************************************************
Summary
=======
The following CVE has undergone a revision increment.
=========================================================
– CVE-2021-26414 | Windows DCOM Server Security Feature Bypass
– Version: 1.3
– Reason for Revision: Updated FAQs with revised planned dates for phases two
and three. This is an informational change only.
– Originally posted: June 8, 2021
– Updated: February 24, 2022
– Aggregate CVE Severity Rating: Important
Advertising
The vulnerability goes by the name Petitpotam and allows domain hijacking by an attacker. This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would need to host a specially crafted server share or website. Then, the attacker would have to trick the user into visiting that specially crafted server share or website via email or chat message.
I had written something about the vulnerability CVE-2021-26414 in September 2021 in the German blog post Windows-Schwachstelle CVE-2021-36942 (Petitpotam) und DCOM-Härtung. The security updates released on June 8, 2021, enable RPC_C_AUTHN_LEVEL_PKT_INTEGRITY by default on DCOM clients and provide full protection after
RequireIntegrityActivationAuthenticationLevel = 1
has been manually set. Installing the security updates released on June 8, 2021, provides client-side protection in a Windows-only environment, but does not provide protection in environments with non-Windows DCOM clients. Microsoft plans to address this vulnerability in phases.
- June 8, 2021: The initial rollout phase began with the deployment of Windows updates. The updates allow customers to verify that all client/server applications in their environment are working as expected when the hardening changes are enabled.
- June 14, 2022: The second phase is scheduled for this date. This is when hardening will be enabled programmatically by default on DCOM servers. This can be disabled if needed via the RequireIntegrityActivationAuthenticationLevel registry key.
- March 14, 2023: In the third phase, hardening is enabled by default on DCOM servers and cannot be disabled. At that time, you must resolve any compatibility issues with the hardening changes and applications in your environment.
Microsoft states that organizations must identify and mitigate any interoperability issues between Windows and non-Windows operating systems and applications before the third phase. That's because if hardening is enabled by default on DCOM servers starting March 14, 2023, it can no longer be disabled. More details can be found in CVE-2021-26414.
Similar articles:
PetitPotam attack allows Windows domain takeover
Microsoft's mitigations of Windows PetitPotam NTLM relay attacks
Microsoft Security Update Revisions (July 29, 2021)
PetitPotam attacks on Windows blocked by RPC filters
2nd 0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 19, 2021)
