The Context
To address CVE-2021-26414, Microsoft plans to release the final phase of its DCOM hardening on March 14, 2023, following the earlier phases released in June 2021 and June 2022. DCOM is a key component of many software packages, so the hardening is considered critical to the industry. However, patches of this nature are also known to have serious negative impacts on some software. The rollout consists of three main milestones:
- June 8, 2021 – Hardening disabled by default, but it can be enabled manually with a registry key.
- June 14, 2022 – Hardening enabled by default, but it can be disabled manually with a registry key.
- March 14, 2023 – Hardening enabled with no option to disable it.
As of today, many software packages still cannot function properly after applying the new Microsoft patch. Among those, Rockwell Automation stands prominently in the spotlight due to its huge installation base. Despite great efforts from software companies to overcome the issues that the patch brings to software packages, the timetable as it stands remains a matter of great concern. Even though the grace period is ending soon, the industry does not seem to have a robust solution to the negative effects of the hardening patch yet.
Instead of relying solely on software providers to deliver an ultimate solution within the limited schedule, companies are also looking for alternative approaches to mitigate the potential impacts to business operations. In the OT space, system availability is always of utmost concern. Therefore, cybersecurity managers should have a contingency plan that enables businesses to have both system availability and reinforced security.
Introduction
Distributed Component Object Model (DCOM) is used for communication between software components on networked devices. OPC Classic (OPC-DA) servers and clients are built on DCOM and rely on it for connecting, securing, and authenticating their data exchanges with Windows applications. DCOM as originally deployed, however, does not meet modern cybersecurity requirements. On June 8, 2021, Microsoft publicly disclosed a medium-severity vulnerability in Windows operating systems, identified as CVE-2021-26414 and named Windows DCOM Server Security Feature Bypass. The security feature that is bypassed is the authentication level protecting DCOM activation requests: DCOM servers accepted activations at levels below packet integrity, so the exchange could be tampered with on the wire.
Microsoft has released security updates for this vulnerability together with guidance on managing the change. However, the hardening changes DCOM’s behavior on the affected operating systems, which in turn affects the regular operation of existing OT solutions. For example, many OT solution vendors have announced that the updates affect systems or solutions that use OPC-DA or the Windows DCOM API to read data, write data, or communicate with control systems such as PLC programming software [1] [2] [3]. Therefore, activation of the hardening must be delayed until the OT solution vendors release their own patches for their components and confirm that the Microsoft hardening does not affect their operation.
TXOne Networks is aware of this vulnerability and of how enabling Microsoft’s hardening would affect our customers’ environments. We will continuously monitor the security advisories issued by vendors and provide enterprises with short- and long-term recommended practices to mitigate vulnerabilities while ensuring operational continuity.
CVE-2021-26414: Windows DCOM Server Security Feature Bypass
In 2021, Microsoft published the Windows DCOM Server Security Feature Bypass vulnerability, CVE-2021-26414, which can be used to bypass the DCOM server’s authentication-level policy. According to Microsoft’s assessment, the vulnerability affects integrity only partially: an attacker may be able to modify some data, but either has no control over what is modified or only a limited scope of influence. Microsoft rates the impact on confidentiality and availability as none [4]. For exploitation, a user of an affected Windows version must connect to a server controlled by the attacker, so the attacker must have a specially crafted server share or website ready; the attacker cannot force the user to connect to it [5] and must instead lure the user there through spear phishing or similar tactics. Microsoft rates the severity as Medium (CVSS base score 4.3), and the vulnerability is addressed by the Windows updates released since June 2021.
Table 1. Number of Affected Versions by Windows Product
Vendor | Product | Vulnerable Versions |
Microsoft | Windows 10 | 20 |
Microsoft | Windows 7 | 2 |
Microsoft | Windows 8.1 | 1 |
Microsoft | Windows RT 8.1 | 1 |
Microsoft | Windows Server | 2 |
Microsoft | Windows Server 2008 | 5 |
Microsoft | Windows Server 2012 | 2 |
Microsoft | Windows Server 2016 | 1 |
Microsoft | Windows Server 2019 | 1 |
Microsoft | Windows Server 2022 | 1 |
Source: cvedetails.com
The Impact of Microsoft DCOM Hardening Patch
On June 8, 2021, Microsoft released a security update that hardens the DCOM protocol. Because some applications require code changes to comply with the new authentication level, Microsoft staged the change over several releases. In the initial stage the hardening changes were disabled by default, and the asset owner could enable them with a registry key when needed. The June 14, 2022 security update flipped this around: the hardening changes became enabled by default, and the asset owner needed the registry key to disable them. A November 8, 2022 update then raised the activation authentication level used by Windows DCOM clients so that most client applications work against hardened servers without modification. By March 14, 2023, Microsoft expects to enforce the raised authentication level on all endpoints with no ability to disable it. Microsoft’s detailed schedule for the DCOM hardening is as follows [6]:
Table 2. Microsoft DCOM Hardening Patch Timeline
Update Release | Behavior Change |
June 8, 2021 | Hardening changes disabled by default but with the ability to enable them using a registry key. |
June 14, 2022 | Hardening changes enabled by default but with the ability to disable them using a registry key. |
November 8, 2022 | This update will automatically raise the requisite authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY if it is below Packet Integrity. With this change, most Windows DCOM client applications will automatically work with DCOM hardening changes on the server side without any modification to the DCOM client applications. |
March 14, 2023 | Hardening changes enabled by default with no ability to disable them. By this point, you will need to have resolved any compatibility issues with the hardening changes and applications in your environment. |
Source: Microsoft
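The registry key that the first two rows of the table refer to, as an added example (not code from the original article or from Microsoft): a small PowerShell helper that reports the current state of the KB5004442 compatibility setting and, on request, sets it. The registry path and value name are the ones Microsoft documents in KB5004442; the function names and the wording of the status strings are this example’s own.

```powershell
# Added example, not from the original article or from Microsoft's KB.
# Path and value name as documented in KB5004442:
#   0 = hardening disabled (compatibility workaround), 1 = hardening enabled.
# A restart is required after changing it, and the value is ignored once the
# March 14, 2023 update (hardening permanently enforced) is installed.
$DcomKey  = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$DcomName = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    $item = Get-ItemProperty -Path $DcomKey -Name $DcomName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: behaviour follows the installed update's default
        # (disabled before the June 14, 2022 update, enabled from it onwards).
        return 'Not set (follows the installed update default)'
    }
    switch ([int]$item.$DcomName) {
        0       { 'Disabled by registry (KB5004442 workaround active)' }
        1       { 'Enabled by registry' }
        default { "Unexpected value $($item.$DcomName)" }
    }
}

function Set-DcomHardeningState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enable', 'Disable')]
        [string]$Mode
    )
    if (-not (Test-Path $DcomKey)) { New-Item -Path $DcomKey -Force | Out-Null }
    $value = if ($Mode -eq 'Enable') { 1 } else { 0 }
    New-ItemProperty -Path $DcomKey -Name $DcomName -PropertyType DWord `
                     -Value $value -Force | Out-Null
    Write-Warning "DCOM hardening set to '$Mode'; restart the device for it to take effect."
}

# Usage (run elevated): report the current state, e.g. before a maintenance window
Get-DcomHardeningState
# Set-DcomHardeningState -Mode Disable   # temporary workaround, see KB5004442
```

Record the output of Get-DcomHardeningState in the asset inventory for every machine where the workaround is applied, since the setting silently stops working after the March 2023 update and those machines need OEM-validated application patches before then.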
As previously mentioned, deploying Microsoft’s cumulative updates (the final of which, on March 14, 2023, removes the ability to disable the hardening) causes DCOM activations below the packet-integrity authentication level to be refused, which prevents a significant amount of software used on factory floors from functioning correctly. Beyond Windows itself, the following products are affected [7]:
- Products running on the affected versions of the Windows and Windows Server operating systems.
- Products using the OPC-DA standard.
- Applications that communicate using the Windows DCOM API.
What the Impact Looks Like
With the June 14, 2022 security updates, which enable the DCOM hardening by default (see KB5004442), some Configuration Manager features stop working. Microsoft documents the following symptoms [8]:
- The Microsoft Endpoint Configuration Manager console cannot connect to the SMS Provider remotely under any user account, while a local connection to the SMS Provider with the same credentials succeeds.
- When a Configuration Manager administrator connects remotely to a client computer, the remote connection fails under any user account, but a local connection succeeds.
- Content cannot be distributed to remote distribution points.
To help companies identify applications in OT environments with compatibility issues, Microsoft added DCOM error events to the System event log (see the table below). They are logged when the system detects a DCOM client application attempting to activate a DCOM server with an authentication level lower than RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. The server-side event records the client address and account, so the asset owner can trace from the server’s event log to the client device, then use the client-side events on that device to identify the application and the COM class (CLSID) it requested [9]. Raising the activation authentication level is a change inside the client application (the process-wide level is set through CoInitializeSecurity, or supplied with the activation call in COAUTHINFO), which is why the client-side events direct the operator to the application vendor.
Table 3. Detection Alarm of DCOM Error Events
Event Type | Event ID | Message |
Server events | 10036 | “The server-side authentication level policy does not allow the user %1\%2 SID (%3) from address %4 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.” Note: %1 – Domain, %2 – Username, %3 – User SID, %4 – Client IP address |
Client events | 10037 | “Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with explicitly set authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor.” Note: %1 – Application path, %2 – Application PID, %3 – CLSID of the COM class the application is requesting to activate, %4 – Computer name, %5 – Authentication level value |
Client events | 10038 | “Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with default activation authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor.” Note: placeholders as for event 10037; 10037 is logged when the application set the level explicitly, 10038 when it used the process default |
Source: Microsoft
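The trace described above (server log to client device, then client log to application), as an added PowerShell example that is not part of the original article or of Microsoft’s guidance. It collects events 10036, 10037 and 10038 from the System log of the local machine or, with -ComputerName, of a remote server, and summarizes who is still activating DCOM below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. It assumes that the event inserts ($e.Properties) appear in the same order as the %1..%5 placeholders in Microsoft’s message text, and that the provider name for DCOM events is Microsoft-Windows-DistributedCOM; the CLSID-to-class-name lookup is a best-effort addition that reads the registry of the machine running the script.

```powershell
# Added example, not code from the original article or from Microsoft.
# Summarises the KB5004442 DCOM hardening events from the System log:
#   10036 (server side): client address / account refused activation
#   10037, 10038 (client side): local application requesting activation below
#   RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, the target server and the CLSID involved
# Assumption: $e.Properties are ordered like the %1..%5 message placeholders.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # e.g. the OPC server, to read its log remotely
    [int]$MaxEvents = 5000
)

# RPC authentication level constants (values as defined in rpcdce.h)
$AuthLevelName = @{
    0 = 'DEFAULT'; 1 = 'NONE'; 2 = 'CONNECT'; 3 = 'CALL'
    4 = 'PKT'; 5 = 'PKT_INTEGRITY'; 6 = 'PKT_PRIVACY'
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036, 10037, 10038
}
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                         -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) { Write-Host "No DCOM hardening events on $ComputerName"; return }

# --- Server side: trace refused activations back to client devices -----------
$refused = foreach ($e in ($events | Where-Object Id -eq 10036)) {
    [pscustomobject]@{
        Time     = $e.TimeCreated
        User     = '{0}\{1}' -f $e.Properties[0].Value, $e.Properties[1].Value
        Sid      = $e.Properties[2].Value
        ClientIP = $e.Properties[3].Value
    }
}
"== Clients refused by $ComputerName (event 10036) =="
$refused | Group-Object ClientIP, User | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'ClientIP / User'; e = { $_.Name } },
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize

# --- Client side: identify the application that needs the vendor fix ---------
$requests = foreach ($e in ($events | Where-Object { $_.Id -in 10037, 10038 })) {
    $clsid = [string]$e.Properties[2].Value
    # Best effort: resolve the CLSID to its registered class name (local registry)
    $class = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" `
                               -ErrorAction SilentlyContinue).'(default)'
    $level = [int]$e.Properties[4].Value
    # 10037: the application set the level itself; 10038: it used the process default
    $setBy = if ($e.Id -eq 10037) { 'application (explicit)' } else { 'process default' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Application = $e.Properties[0].Value
        PID         = $e.Properties[1].Value
        CLSID       = $clsid
        Class       = $class
        Server      = $e.Properties[3].Value
        AuthLevel   = '{0} ({1})' -f $level, $AuthLevelName[$level]
        SetBy       = $setBy
    }
}
"== Applications on $ComputerName activating below PKT_INTEGRITY (events 10037/10038) =="
$requests | Group-Object Application, Server, CLSID | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Application / Server / CLSID'; e = { $_.Name } },
        @{ n = 'Class';     e = { $_.Group[0].Class } },
        @{ n = 'AuthLevel'; e = { $_.Group[0].AuthLevel } },
        @{ n = 'SetBy';     e = { $_.Group[0].SetBy } } |
    Format-Table -AutoSize -Wrap
```

Run it first against the OPC or engineering server (-ComputerName, which needs remote event log access) to get the list of client addresses, then locally on each client in that list; the Application and Class columns are what the vendor ticket needs, and a 10038 entry means the process default is too low, so the November 8, 2022 client update may already resolve it without a vendor change.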
Recommended Security Measures to Continue System Operations
To patch any asset in an operational environment, asset owners must balance security against compatibility. They must ask, for example, “Is the patched asset compatible with the network and the other assets?” Administrators must also ask, “When is the best time to apply this update so that it does not disrupt operations?” and reach a consensus with the other stakeholders before proceeding, to ensure continuity of the production process and preserve high system availability.
TXOne Networks recommends upgrading assets to the final patch provided by the original equipment manufacturer (OEM). If final patches are unavailable in the short term, the Stellar endpoint protection solution is recommended in the meantime to balance security and compatibility concerns. Stellar can be used as a stopgap that buys asset owners time until their assets are upgraded to the OEM’s final patch, while its monitoring features block potentially malicious behavior such as script execution and malware execution. This gives asset owners more time to upgrade without disrupting production systems while their systems remain protected. Stellar:
- Protects unpatched assets against zero-day malware attacks:
In a typical OT environment, asset owners should not rashly enable Windows hardening if the device vendor has not provided a validated patch; they risk disruption through functional failure if they enable it right away. Some asset owners have therefore resorted to a temporary workaround: postponing the deployment of Windows updates on affected systems that are not exposed to external networks until the device vendor releases its final patch. Asset owners may also disable the DCOM hardening using the temporary workaround described by Microsoft in KB5004442 (set RequireIntegrityActivationAuthenticationLevel under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat to 0 and restart); note that this value has no effect once the March 14, 2023 update is installed. Either way, the systems remain exposed to zero-day attacks while the asset owner waits for the OEM’s final, validated patch. Stellar’s system lockdown blocks changes, including Windows updates, that do not match the rules defined in the asset owner’s rule table. While the DCOM hardening is disabled through the workaround, Stellar’s endpoint monitoring and blocking features, such as blocking script execution and malware execution, maintain system integrity without affecting the system’s regular operation.
- Allows asset owners more time for patch management:
Even once the asset owner has the OEM-validated final patch, the large number of assets in an OT environment means that not all of them can be updated immediately. Stellar protects the assets that are still awaiting the patch from malware. It monitors legitimate but easily exploited processes by learning and authorizing their actions under permission control, which lets it detect unusual activity, and it counters zero-day attacks by limiting application execution to the applications required for daily operations. This gives asset owners ample time to perform patch management without a hard deadline.
- Protects legacy systems from malware attacks:
In practice, some devices cannot address CVE-2021-26414 with Windows security updates at all. TXOne Networks has dedicated solutions for legacy ICS systems that protect devices from malware attacks without impacting device performance. Stellar does not require regular updates and supports a wide range of Windows versions, including those past their end-of-service date, so that fixed-function machines with limited resources cannot be used by a threat actor as an entry point.
Conclusion
Based on short-term and long-term security and availability considerations, TXOne Networks suggests using Stellar to monitor and block potentially malicious behavior such as script execution and malware execution. Stellar monitors legitimate but vulnerable processes by learning and authorizing their operational behavior under permission control, which enables it to detect abnormal behavior. Additionally, Stellar is equipped with application trust lists and lockdown technology that preserve system integrity: Operational Lock, USB Device Lock, Data Lock, and Configuration Lock. It can comprehensively protect endpoints that cannot apply Windows updates in the short term as well as legacy endpoints, and it can be used as a stopgap that buys asset owners time until their assets are upgraded to the final patch provided by the OEM.
References
[1] Rockwell Automation “Product Notification 2022-01-001 – Rockwell Automation products unable to establish proper DCOM connection after installing Microsoft DCOM Hardening patch (CVE-2021-26414)”, Rockwell Automation, July 19, 2022.
[2] SIEMENS Product Support “Which Microsoft Updates have been tested for compatibility with SIMATIC PCS 7”, SIEMENS, July 19, 2022.
[3] PTC Support, “Unable to establish OPC DA communication after installing Microsoft DCOM Hardening patches (CVE-2021-26414) with PTC Kepware Products”, PTC, June 07, 2022.
[4] Microsoft Security Response Center (MSRC), “Security Vulnerability CVE-2021-26414 Windows DCOM Server Security Feature Bypass”, Microsoft, June 28, 2022.
[5] Montelektro, “SECURITY ADVISORY CVE-2021-26414 Windows DCOM Server Security Feature Bypass”, Montelektro (Rijeka head office, Zagreb office), June 28, 2022.
[6] Microsoft, “KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)”, Microsoft, June 24, 2022.
[7] Rockwell Automation, “Impact of Microsoft DCOM Hardening patch (CVE-2021-26414) on Rockwell Automation products”, Rockwell Automation, June 09, 2022.
[8] Microsoft, “Issues in Configuration Manager after installing June 2022 security updates for Windows “, Microsoft, June 24, 2022.
[9] Microsoft, “KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414) UPDATED”, Microsoft, November 11, 2022.