Not found security hardening registry for DCOM after apply June 2021 patch

Question

Not found security hardening registry for DCOM after apply June 2021 patch

Ka^peng 21

KB5004442 - Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)

https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

From above KB, I have the impression that I will be able to see the registry "RequireIntegrityActivationAuthenticationLevel" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat after I apply the June 2021 patch. This seems not the case. I cannot see this registry even after I have applied the June 2021 patch. In this case, is that mean I actually need to manually create this registry & enable/disable it to test on the application functionality?

Gary Pietila 6 Reputation points

2022-07-05T21:47:19.327+00:00

My org is seeing that on some servers the "RequireIntegrityActivationAuthenticationLevel" is pre-existing & set to hex 0 prior to applying the June 2022 patches & after applying it is still set to hex 0. On other servers the "RequireIntegrityActivationAuthenticationLevel" does not exist at all pre June 2022 patching & post patching it still does not exist....

As I read the MS announcement the June Patches should flip it to hex 1 but that is clearly not the case.

I
Gary Pietila 6 Reputation points

2022-07-05T21:47:41.207+00:00
opened a support case w/ MS & got this response:

SR#:   2206230060001452
 
Issue: June patches not enforcing DCOM hardening
 
Resolution:  KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414) (microsoft.com)

How can we tell that “Hardening changes enabled by default” has been made?

If server has June’s patching level then hardening will be set by default (with or without the key present). But with the ability to disable hardening by simply creating the key and setting it a value of 0.

Will Microsoft updates create this key to have this enabled by default and have values of 0x00000001?

No, updates won’t include registry key as patches include an update on Windows Core code. This means that the code function is there to query the key, so it would be something like this (with June’s patch installed):

• Function to find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
• Do we have RequireIntegrityActivationAuthenticationLevel key >> yes or no?
• No key > default behavior = Hardening Enabled
• Key present > check value > if 1 = Hardening Enabled, else 0 = Hardening Disabled

So, as a conclusion, the key has to be manually created.
Therefore, after March 2023, hardening will be set by default without the ability of disabling it.

Accepted answer

0 additional answers

Your answer

Gary Pietila 6 Reputation points

2022-07-05T21:47:19.327+00:00

My org is seeing that on some servers the "RequireIntegrityActivationAuthenticationLevel" is pre-existing & set to hex 0 prior to applying the June 2022 patches & after applying it is still set to hex 0. On other servers the "RequireIntegrityActivationAuthenticationLevel" does not exist at all pre June 2022 patching & post patching it still does not exist....

As I read the MS announcement the June Patches should flip it to hex 1 but that is clearly not the case.

I
Gary Pietila 6 Reputation points

2022-07-05T21:47:41.207+00:00

opened a support case w/ MS & got this response:

SR#:   2206230060001452
 
Issue: June patches not enforcing DCOM hardening
 
Resolution:  KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414) (microsoft.com)

How can we tell that “Hardening changes enabled by default” has been made?

If server has June’s patching level then hardening will be set by default (with or without the key present). But with the ability to disable hardening by simply creating the key and setting it a value of 0.

Will Microsoft updates create this key to have this enabled by default and have values of 0x00000001?

No, updates won’t include registry key as patches include an update on Windows Core code. This means that the code function is there to query the key, so it would be something like this (with June’s patch installed):

• Function to find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
• Do we have RequireIntegrityActivationAuthenticationLevel key >> yes or no?
• No key > default behavior = Hardening Enabled
• Key present > check value > if 1 = Hardening Enabled, else 0 = Hardening Disabled

So, as a conclusion, the key has to be manually created.
Therefore, after March 2023, hardening will be set by default without the ability of disabling it.

Answer 1

Anonymous

Hi,

Thank you for posting your question to Q&A forum.

Yes, your understanding is correct. You will need to manually set the registry.

With the security update released on June 8, 2021 installed, hardening changes were disabled by default but with the ability to enable them using a registry key. That means you can manually create and set the registry "RequireIntegrityActivationAuthenticationLevel" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat.

Also, you could find the article Windows DCOM Server Security Feature Bypass CVE-2021-26414 mentioned this.

Hope the information could help you.

Thanks,

----------

If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.

Ka^peng 21 Reputation points

2021-07-26T08:17:28.81+00:00

Thanks for the information, appreciate that.
Josh Stewart 21 Reputation points

2022-05-30T17:51:52.337+00:00

Does this mean you can disable the impact of the change in the June 2022 patch in advance by manually creating the registry key and setting it to 0? Or will the registry value be changed on June 14th, 2022 if the update/patch is installed?

Share via

Not found security hardening registry for DCOM after apply June 2021 patch

0 additional answers

Your answer