What code changes must be made to handle DCOM hardening? (CVE-2021-26414) (KB5004442)

Question

What code changes must be made to handle DCOM hardening? (CVE-2021-26414) (KB5004442)

Darren Morby 1

Our clients are having issues with DCOM errors and the issues appear related to the so-called "DCOM hardening" (CVE-2021-26414) (KB5004442).

I think that the server needs this call to CoInitializeSecurity:

   CoInitializeEx(nullptr, COINIT_APARTMENTTHREADED);  
     
   CoInitializeSecurity(nullptr, -1, nullptr, nullptr,  
   RPC_C_AUTHN_LEVEL_PKT_INTEGRITY,  
   RPC_C_IMP_LEVEL_IMPERSONATE,  
   nullptr, EOAC_NONE, nullptr);

and the client also needs the same call to CoInitializeSecurity:

   CoInitializeEx(nullptr, COINIT_APARTMENTTHREADED);  
     
   CoInitializeSecurity(nullptr, -1, nullptr, nullptr,  
   RPC_C_AUTHN_LEVEL_PKT_INTEGRITY,  
   RPC_C_IMP_LEVEL_IMPERSONATE,  
   nullptr, EOAC_NONE, nullptr);

Could someone confirm this, please? Thanks.

[I originally posted this question to https://stackoverflow.com : https://stackoverflow.com/questions/73082676]

Kushagra Bhardwaj 0 Reputation points

2023-03-14T14:59:23.48+00:00

We have client running on one machine and server on another.
We have also added the above code and currently not facing the error caused by microsoft dcom patch. But currently it is giving below mentioned errror. can you please help to resolve this.
Xiaopo Yang - MSFT 12,726 Reputation points Microsoft External Staff

2023-03-15T02:27:52.3133333+00:00

Which function raises the error? Could you please show a minimal, reproducible sample without private information? Can you reproduce it locally?

You may need to check the caller security information.

1 answer

Your answer

Kushagra Bhardwaj 0 Reputation points

2023-03-14T14:59:23.48+00:00

We have client running on one machine and server on another.
We have also added the above code and currently not facing the error caused by microsoft dcom patch. But currently it is giving below mentioned errror. can you please help to resolve this.
Xiaopo Yang - MSFT 12,726 Reputation points Microsoft External Staff

2023-03-15T02:27:52.3133333+00:00

Which function raises the error? Could you please show a minimal, reproducible sample without private information? Can you reproduce it locally?

You may need to check the caller security information.

Answer 1

Xiaopo Yang - MSFT 12,726 Microsoft External Staff

Hello,

Welcome to Microsoft Q&A!

According to KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414), The Client Application is at least RPC_C_AUTHN_LEVEL_PKT_INTEGRITY Authentication-Level with enabling the hardening changes for CVE-2021-26414 And the hardening changes for CVE-2021-26414 make DCOM servers in Windows System enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.
So, the code is OK. Also, You can check DCOM error events in the System log to verify.

Thank you.

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Darren Morby 6 Reputation points

2022-07-27T20:11:28.257+00:00

Thank you.

I am assuming that the issue was that for our client machines, RequireIntegrityActivationAuthenticationLevel was 0, and for some of our server machines, RequireIntegrityActivationAuthenticationLevel was explicitly 0. But one of our servers did not have RequireIntegrityActivationAuthenticationLevel set, so the default was 0 until a Windows Update and now the default is 1.

I am also assuming that if both client and server have RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in their SetSecurity, then it is used even if RequireIntegrityActivationAuthenticationLevel is set to 0.

Again, thanks.

Share via

What code changes must be made to handle DCOM hardening? (CVE-2021-26414) (KB5004442)

1 answer

Your answer