Microsoft recently acknowledged a critical vulnerability in the way WMI connections are made over the DCOM protocol, which allowed attackers to bypass DCOM server security, elevate their privileges, and gain unauthorized access to systems. Over the last two years, Microsoft released a series of security updates (KB5004442), popularly known as DCOM hardening, to address the issue. These updates affected various third-party applications that use the DCOM protocol, resulting in authentication and request failures.

This blog explains the vulnerability, discusses the measures taken by Microsoft to overcome the vulnerability, and looks at the impact of these measures on WMI-based applications like ManageEngine Applications Manager.

About the vulnerability

The Windows DCOM Server Security Feature Bypass (CVE-2021-26414) vulnerability allows attackers to elevate their privileges and gain unauthorized access to a system by exploiting the way WMI connections are made through the DCOM protocol. The Distributed Component Object Model (DCOM) is a communication protocol used in Windows for communication between the software components of networked devices through remote procedure calls (RPCs), which enables software programs to communicate with other programs and components across a network. This vulnerability enables attackers to exploit the DCOM connection by impersonating a user and elevating their privileges, resulting in compromised system security.

Windows DCOM hardening: Microsoft’s workaround to address the vulnerability

Microsoft took a phased approach to mitigate the vulnerability by releasing a series of security updates in three phases to prevent breakages in various WMI-based applications. Here is the list of security updates, known as DCOM hardening, that were released by Microsoft:

| Update release | Behavior change |
|---|---|
| June 8, 2021 | Hardening settings are disabled by default but with the option to enable them using a registry key. |
| June 14, 2022 | Hardening settings are enabled by default but with the option to disable them using a registry key. |
| March 14, 2023 | Hardening settings are made mandatory and will be enabled by default with no option to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment. |

Impact of DCOM hardening on Applications Manager

Many Windows-based applications rely on WMI connections to communicate with Windows systems. The applications that require these connections are typically built on top of the WMI infrastructure provided by Windows, meaning they can easily be affected by any modification to the underlying WMI infrastructure.

Now that the security updates from Microsoft have hardened the DCOM settings, these changes have an adverse impact on various WMI-based applications, including Applications Manager. Due to these changes, Applications Manager users have experienced authentication failures and request failures while monitoring WMI-based resources, resulting in data collection issues.

The Microsoft DCOM hardening patch

To resolve the impacts caused by Windows DCOM hardening, Microsoft released the Client-side request auto-elevation patch, which automates the process of elevating the authorization levels of client DCOM requests to the DCOM server. The patch ensures that the requests made to establish WMI connections are allowed only from applications that are explicitly authorized to perform such requests, preventing attackers from impersonating a user with elevated privileges through a WMI connection. The patch handles the authorization process automatically, without the need for WMI-based applications to modify their existing code in order to handle the impact.

Here is the list of security updates that were released subsequently as a part of the Windows DCOM hardening patch:

| Update timeline | Behavior change |
|---|---|
| November 2022 | This update automatically raised the activation authentication level to packet integrity. This change was disabled by default on Windows Server 2016 and Windows Server 2019. |
| December 2022 | The November change was enabled by default for Windows Server 2016 and Windows Server 2019. This update also addressed an issue that affected anonymous activation on Windows Server 2016 and Windows Server 2019. |
| January 2023 | This update addressed an issue that affected anonymous activation on platforms from Windows Server 2008 to Windows 10 (initial version released July 2015). |

If you have installed the cumulative security updates as of January 2023 on your clients and servers, they will have the latest auto-elevate patch fully enabled.
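The two timelines above describe a registry-controlled hardening switch on the DCOM server side and an auto-elevation change on the DCOM client side. The following PowerShell script is an added example, not part of the original post or of Applications Manager, that audits a Windows host for both: it reads the hardening override value and the DCOM events documented in Microsoft KB5004442, then optionally probes WMI at the packet-integrity level the hardening requires. `$Target` is a placeholder host name.

```powershell
# Added example, not part of the original post or of Applications Manager: audit a
# Windows host for the DCOM hardening state and for the clients it is rejecting.
# Assumes the registry value and DCOM event IDs documented in Microsoft KB5004442;
# $Target is a placeholder host name used only for the optional WMI probe.
param(
    [string]$Target = 'REMOTE-HOST-PLACEHOLDER'
)

# 1. Hardening override from KB5004442. When the value is absent, the OS default for
#    the installed update phase applies (off before June 2022, on from June 2022,
#    mandatory from March 2023, when the value is ignored).
$key   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$name  = 'RequireIntegrityActivationAuthenticationLevel'
$value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $value)  { 'Hardening override not set; OS default applies' }
elseif ($value -eq 0)  { 'Hardening explicitly DISABLED via registry' }
elseif ($value -eq 1)  { 'Hardening explicitly ENABLED via registry' }
else                   { "Unexpected value: $value" }

# 2. Events the hardening writes to the System log (IDs from KB5004442):
#    10036 = this host, as DCOM server, rejected an activation below packet integrity
#    10037 / 10038 = this host, as DCOM client, sent an activation below packet integrity
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id = 10036, 10037, 10038; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# Summarise per event ID; the 10036 message names the rejected client account and address,
# which is what identifies the monitoring host that still needs the auto-elevation update.
$events | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        EventId = $_.Name
        Count   = $_.Count
        Sample  = ($_.Group | Select-Object -First 1).Message
    }
} | Format-List

# 3. Optional probe: query WMI at the level the hardening requires. If this succeeds
#    while a monitoring tool fails, the tool is still activating at a lower level.
try {
    Get-WmiObject -ComputerName $Target -Class Win32_OperatingSystem `
        -Authentication PacketIntegrity -ErrorAction Stop |
        Select-Object CSName, Caption
} catch {
    Write-Warning "WMI probe to $Target failed: $($_.Exception.Message)"
}
```

Run it on the monitored Windows server to see rejected clients (10036) and on the monitoring host to see its own low-level activations (10037/10038).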

How the patch helps Applications Manager

Because the Microsoft DCOM hardening patch handles the authorization process automatically, WMI-based applications like Applications Manager can more easily overcome the impact of DCOM hardening, and compatibility issues are reduced. When Applications Manager connects to a remote Windows server, the server on which Applications Manager is installed acts as the DCOM client, whereas the remote server acts as the DCOM server. The client-side auto-elevation therefore allows Applications Manager to continue to function normally and ensures that WMI connections are made without the need for manual modifications.

Conclusion

The Windows DCOM hardening updates released by Microsoft had a significant impact on applications that use WMI connections to communicate with Windows systems. The updates led to authentication and request failures while monitoring WMI-based resources, causing data collection issues in Applications Manager. However, the client-side request auto-elevation patch released by Microsoft serves as a savior by handling the authorization process automatically, allowing dependent applications to function normally.

We highly recommend that Applications Manager users apply the patch to their Windows environments to ensure the security and integrity of their systems. Also, make sure to stay up to date with the DCOM hardening updates and patches released by Microsoft, and install them as soon as possible to enable advanced protection from the latest security threats.