Check Point response to CVE-2021-26414 - "Windows DCOM Server Security Feature Bypass"
Symptoms
  • After installing the required Microsoft updates documented in KB5004442 on Microsoft Windows Domain Controllers, the Check Point Security Management Server / Multi-Domain Security Management Server on the network no longer matches Identity Awareness Access Role objects as expected.

  • On Microsoft Windows Domain Controller (DC), Windows Event Viewer shows this log:

    "The server-side authentication level policy does not allow the user \SID (S-1-5-21-xxxx-xxxx-xxxx-xx) from address x.x.x.x to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application."
  • The Check Point Active Directory Log tool (adlog) may show this error message:

    "bad credentials or firewall blocks DCOM traffic [ntstatus = 0xc0000022]"
Cause

These Check Point environments are affected when the Microsoft hardening changes released in response to CVE-2021-26414 are applied:

  • Environments with AD Query configured as an Identity Source
  • Environments with the Identity Logging feature enabled

The Check Point AD Query and Identity Logging features query the Microsoft Active Directory Security Event Logs and extract the user and computer information that maps to an IP address. This process uses Windows Management Instrumentation (WMI), and WMI runs over DCOM/RPC.

In the Microsoft Knowledge Base article KB5004442, Microsoft released hardening changes that enforce a higher level of authentication for DCOM traffic.

The new hardening changes interfere with the Check Point AD Query operation.
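The DC event quoted under Symptoms is the only visible sign of this failure, so a defender wants to pull the offending SID and client address out of it and tell a Check Point identity source apart from any other DCOM client that also needs its activation level raised. The following Python script is an added example and is not Check Point or Microsoft code: it parses the denial message, checks a client's activation level against the RPC_C_AUTHN_LEVEL_PKT_INTEGRITY minimum the hardened DC enforces (the RPC_C_AUTHN_LEVEL_* numeric values are the standard Windows RPC constants), and flags hits from hosts the operator lists as AD Query / Identity Logging sources. The event texts, SIDs and addresses are constructed sample values, and the assumption that 192.0.2.10 is the Security Gateway running AD Query is made up for the example.

```python
"""Triage helper for the DCOM activation denials that the KB5004442 hardening
produces on a Domain Controller (added example, not Check Point or Microsoft code).

The event texts below are constructed to match the message quoted in the
Symptoms section; addresses, SIDs and account names are made-up sample values."""
from __future__ import annotations

import re
from enum import IntEnum
from typing import Optional


class AuthnLevel(IntEnum):
    """RPC_C_AUTHN_LEVEL_* constants from the Windows RPC API."""
    DEFAULT = 0
    NONE = 1
    CONNECT = 2
    CALL = 3
    PKT = 4
    PKT_INTEGRITY = 5
    PKT_PRIVACY = 6


# Minimum activation authentication level the hardened DC accepts.
REQUIRED_LEVEL = AuthnLevel.PKT_INTEGRITY

# Matches both the collapsed form quoted in this article ("the user \SID (...)")
# and the usual "the user DOMAIN\account SID (...)" wording.
_DENIAL_RE = re.compile(
    r"does not allow the user (?P<user>.*?)SID \((?P<sid>S-1-5-[0-9-]+)\) "
    r"from address (?P<addr>\S+) to activate DCOM server"
)


def parse_dcom_denial(message: str) -> Optional[dict]:
    """Extract account, SID and client address from one denial event; None if not a denial."""
    m = _DENIAL_RE.search(message)
    if not m:
        return None
    return {
        "user": m.group("user").strip().rstrip("\\"),  # "" when the account name was collapsed
        "sid": m.group("sid"),
        "addr": m.group("addr"),
    }


def meets_policy(client_level: AuthnLevel) -> bool:
    """True when a client's activation level satisfies the hardened server policy."""
    return client_level >= REQUIRED_LEVEL


def triage(messages: list[str], identity_sources: set[str]) -> list[dict]:
    """Classify each denial: a hit from a known AD Query / Identity Logging host
    points at the Check Point compatibility issue described in this article;
    anything else is an unrelated DCOM client whose activation level must also be raised."""
    findings = []
    for msg in messages:
        d = parse_dcom_denial(msg)
        if d is None:
            continue
        d["likely_check_point"] = d["addr"] in identity_sources
        findings.append(d)
    return findings


# Constructed sample System-log messages (not real captures).
SAMPLE_EVENTS = [
    'The server-side authentication level policy does not allow the user \\SID '
    '(S-1-5-21-111111111-222222222-333333333-1104) from address 192.0.2.10 '
    'to activate DCOM server. Please raise the activation authentication level '
    'at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.',
    'The server-side authentication level policy does not allow the user '
    'EXAMPLE\\svc-monitor SID (S-1-5-21-111111111-222222222-333333333-1205) '
    'from address 192.0.2.77 to activate DCOM server. Please raise the activation '
    'authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.',
    'The DCOM server process started successfully.',  # unrelated line, ignored
]

# Assumed for this example: 192.0.2.10 is the Security Gateway running AD Query.
IDENTITY_SOURCES = {"192.0.2.10"}

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, IDENTITY_SOURCES):
        tag = "Check Point identity source" if f["likely_check_point"] else "other DCOM client"
        print(f"{f['addr']:<12} {f['sid']:<45} {f['user'] or '(unknown)':<20} {tag}")
```

Feed the script the message text of the matching System-log events from the DC; a denial whose source address is one of your gateways or management servers is the symptom this article describes, while any other address is a separate client that the hardening will also break in Phase 3.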

Microsoft is releasing the hardening changes in these phases:

Phase     Planned Date      Description
Phase 1   June 2021 (*)     Hardening changes are disabled by default, but with the ability to enable them.
Phase 2   June 2022 (*)     Hardening changes are enabled by default, but with the ability to disable them.
Phase 3   March 2023 (*)    Hardening changes are enabled by default, without the ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.

(*) For exact dates, see KB5004442.


Solution

Check Point recommends using Identity Collector as the identity source instead of AD Query. For more information, see:

You can follow KB5004442 on your DC servers and use Identity Collector as the identity source because these hardening changes do not interfere with the Identity Collector operation.

To apply the Microsoft hardening and continue using AD Query and Identity Logging, you must install a hotfix.

Important notes:

  • Environments with AD Query configured as an Identity Source (the process runs on the Security Gateway) - Install the fix on the Security Gateway.
  • Environments with the Identity Logging feature enabled (the process runs on the Security Management) - Install the fix on the Security Management.

The hotfix is included in Jumbo Hotfix Accumulators for these supported versions of Security Gateways / Security Management / Multi-Domain Servers:

Note for Quantum Spark appliances:
For Quantum Spark appliances with Gaia Embedded OS, the fix is available in R80.20.40 build 992002665 for 1500/1600/1800 appliances and in R77.20.87 build 990173127 for 700/1400 appliances.

Important Notes (for environments where the hotfix is not installed):

  1. The setting documented in KB5004442 does not remove the alerts from the DC Server, but it does restore traffic flow.
  2. If you do not enable the new setting documented in KB5004442 (while this is still possible), you can continue working with AD Query. This makes your Windows server vulnerable to CVE-2021-26414.
