
KB5004442: Windows DCOM Server Security Feature Bypass Registry Check (CVE-2021-26414)


The remote Windows DCOM Server may be exposed to exploitation because the HKLM\Software\Microsoft\Ole\AppCompat\RequireIntegrityActivationAuthenticationLevel registry value is set to 0. Hardening changes in DCOM were required for CVE-2021-26414 and were implemented in 2 phases on June 8, 2021 and June 14, 2022 as described in KB5004442. Without the March 2023 Microsoft update (phase 3), DCOM hardening can be manually disabled by setting this registry value to 0 on the server side to help mitigate compatibility issues. This presents a vulnerability risk and should be avoided. With the March 2023 update, DCOM hardening is enabled by default, and is no longer affected by the registry setting.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

# Plugin registration block: runs when the engine evaluates the script for its
# description (the `description` global is set). It only records metadata and
# dependencies, then exits; the actual registry check is further down.
if (description)
{
  script_id(170626);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/22");

  script_cve_id("CVE-2021-26414");

  script_name(english:"KB5004442: Windows DCOM Server Security Feature Bypass Registry Check (CVE-2021-26414)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host DCOM hardening measure is disabled.");
  script_set_attribute(attribute:"description", value:
"The remote Windows DCOM Server may be in a vulnerable state to exploitation by having the 
HKLM\Software\Microsoft\Ole\AppCompat\RequireIntegrityActivationAuthenticationLevel registry value set 
to 0. Hardening changes in DCOM were required for CVE-2021-26414 and were implemented in 2 phases on 
June 8, 2021 and June 14, 2022 as described in KB5004442. Without the March 2023 Microsoft upgrade (phase 3), 
DCOM hardening can be manually disabled by setting this registry value to 0 on the server side to help 
mitigate compatibility issues. This presents a vulnerability risk and should be avoided. With the March 2023 
update, DCOM hardening is enabled by default, and is no longer affected by the registry setting.");
  # https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ffd83ea3");
  # Remediation: setting the DWORD to 1 re-enables hardening on hosts that
  # have not yet received the March 2023 update (which enforces it regardless).
  script_set_attribute(attribute:"solution", value:
"Update the DWORD registry value RequireIntegrityActivationAuthenticationLevel under: 
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\AppCompat to 1 to enable DCOM hardening");
  # Scores are inherited from CVE-2021-26414 (see cvss_score_source below),
  # not computed for the misconfiguration itself.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-26414");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/06/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/06/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/25");

  # Local (credentialed) check against the Windows registry over SMB.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The check below reads the smb_rollup/latest KB item populated by
  # smb_check_rollup.nasl, and needs the registry to have been enumerated.
  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  # Description-mode run ends here.
  exit(0);
}

include('smb_func.inc');
include('smb_hotfixes.inc');
include('smb_hotfixes_fcheck.inc');

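get_kb_item_or_exit('SMB/Registry/Enumerated');

# Latest installed cumulative rollup as recorded by smb_check_rollup.nasl.
# The segment swap below implies the KB value is "MM_YYYY"; min_update is
# written as "YYYY.MM" so that ver_compare() orders year before month.
var latest_update = get_kb_item_or_exit("smb_rollup/latest");
var min_update    = '2023.03';

# Registry key not required if patch level >= March 2023: from that update
# DCOM hardening is enforced regardless of the registry value.
var update_seg = split(latest_update, sep:'_', keep:FALSE);

# Guard against a malformed KB value: without two segments the swap below
# would produce a null-containing date and a meaningless comparison.
if (max_index(update_seg) < 2 || isnull(update_seg[0]) || isnull(update_seg[1]))
  exit(1, 'Unexpected format for KB item smb_rollup/latest: ' + latest_update);

var mnth = update_seg[0];
update_seg[0]  = update_seg[1];
update_seg[1]  = mnth;
var latest_date = join(update_seg, sep:'.');
if (ver_compare(ver:latest_date, fix:min_update, strict:FALSE) >= 0)
  audit(AUDIT_HOST_NOT, 'affected');

var share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share))
  audit(AUDIT_SHARE_FAIL, share);

hotfix_check_fversion_init();
registry_init();
var hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
# DWORD that toggles the KB5004442 hardening on the DCOM server side.
var key = "SOFTWARE\Microsoft\Ole\AppCompat\RequireIntegrityActivationAuthenticationLevel";
var value = get_registry_value(handle:hklm, item:key);
RegCloseKey(handle:hklm);

# Only an explicit 0 is reported; an absent value is treated as not affected.
if (!isnull(value) && value == 0)
{
  var report = '\n Nessus detected the following insecure registry key configuration:\n';
  report += '    - ' + key + ' is present in the registry with value ' + value + '\n';

  hotfix_add_report(report);

  hotfix_security_warning();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}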