DCOM hardening (CVE-2021-26414) on March 14, 2023 patchday for Windows 10/11 and Server

Windows[German]Just a reminder for administrators of Windows in enterprise environments. There is a vulnerability in Microsoft's Windows DCOM implementation (Windows DCOM Server Security Feature Bypass, CVE-2021-26414) that allowed security features to be bypassed. Microsoft documented this in 2021, and patched it then, closing this vulnerability in stages. Recently, I was reminded that Microsoft will release a final patch on March 14, 2023 that will remove the ability to disable this DCOM hardening.


Advertising

DCOM vulnerability CVE-2021-26414

The OPC Data Access (OPC DA) protocol was introduced in 1995 to enable the communication of real-time data between the programmable logic controller (PLC/PLC) and the software in OT networks. However, OPC DA is based on DCOM technology, which has security vulnerabilities. In 2008, Microsoft introduced the non-DCOM OPC Unified Architecture (OPC UA) protocol, but many industrial companies still use OPC DA.

Patching the vulnerability in stages

In 2021, Microsoft acknowledged a critical vulnerability in its DCOM protocol and announced a hardening patch to strengthen authentication between DCOM clients and servers. To minimize operational disruptions, the patch was released in phases.

  • The first patch, dated June 8, 2021, performed hardening of the weak authentication layers in DCOM, but the option was still disabled. Windows, however, provided the option to enable this hardening via registration.
  • The second patch, dated June 14, 2022, enforced hardening by default with the option to disable this again via registry intervention.
  • The November 8, 2022 rollout of the third DCOM hardening patch provided the option to set RaiseActivationAuthenticationLevel =2. This automatically raised all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
  • On March 14, 2023, Microsoft will issue a new patch that removes the option to enable unsecured DCOM via registry entry.

Microsoft has published support post KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414) with further explanation and states that the following Windows versions are affected:

  • Windows 11  21H2 – 22H2
  • Windows Server 2022
  • Windows 10, version 2004 – 21H1, Windows Server, version 20H2
  • Windows 10 Enterprise, version 1909
  • Windows 10 IoT Enterprise, version 1909
  • Win 10 Enterprise LTSC version 2019
  • Windows 10 IoT Enterprise LTSC version 2019
  • Windows Server 2019
  • Windows 10, version 1607, Windows Server 2016
  • Windows 8. 1, Windows Server 2012 R2
  • Windows Embedded 8.1 Industry Enterprise
  • Windows Server 2012
  • Windows Embedded 8 Standard
  • Windows 7, Windows Server 2008 R2
  • Windows Embedded Standard 7 ESU
  • Windows Embedded POSReady 7 ESU
  • Windows Thin PC Windows Server 2008

Microsoft recommends administrators install this hardening patch. However, Windows 7 SP1 and Windows 8.1 are out of support and will probably not get security updates in March 2023. The same is probably true for Windows 10 version 2004.


Cookies helps to fund this blog: Cookie settings
Advertising


Leave a Reply

Your email address will not be published. Required fields are marked *