Sicherheitsanfälligkeit im Windows DCOM-Server durch Umgehung von Sicherheitsfunktionen

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message.

Do I need to take further steps to be protected from this vulnerability?

Yes. The security updates released on June 8, 2021 enable RPC_C_AUTHN_LEVEL_PKT_INTEGRITY on DCOM clients by default and provide full protection after manually setting RequireIntegrityActivationAuthenticationLevel = 1 on DCOM servers using the steps in Managing changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414). Note that a reboot is required after making any changes to the RequireIntegrityActivationAuthenticationLevel registry key. Microsoft recommends enabling full protection as soon as possible to identify any OS and application intermobility issues between Windows and non-Windows operating systems and applications.

With the June 14, 2022 security updates, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY on DCOM servers is now enabled by default. Customer who need to do so can still disable it by using the RequireIntegrityActivationAuthenticationLevel registry key.

If I install the updates and take no further action, what will be the impact?

Installing the security updates released on June 8, 2021 enables client side protections in a pure Windows environment but does not provide any protection in environments with non-Windows DCOM client. Organizations will need to identify and mitigate any interop issues between Windows and non-Windows operating systems and applications before the third phase, when the hardening on DCOM servers is enabled by default and will no longer have the ability to be disabled.

Installing the security updates released on June 14, 2022 enables the registry key by default so that DCOM servers enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.

How does Microsoft plan to address this vulnerability?

Microsoft is addressing this vulnerability in a phased rollout. The initial deployment phase starts with the Windows updates released on June 8, 2021. The updates will enable customers to verify that any client/server applications in their environment work as expected with the hardening changes enabled.

The second phase, planned for an June 14, 2022, programmatically enables the hardening on DCOM servers by default that can be disabled via the RequireIntegrityActivationAuthenticationLevel registry key if necessary.

The third phase, planned for March 14, 2023, enables the hardening on DCOM servers by default and will no longer have the ability to be disabled. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.

Are there system events available that will help me identify the client devices that will be impacted by the change?

Yes. See the New DCOM error events section of Managing changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414). While the first security updates to address this vulnerability were released on June 2021, we recommend that you install the updates released on September 2021 to enable DCOM event logs that were added with those updates.