Check Point response to CVE-2021-26414 - "Windows DCOM Server Security Feature Bypass"

Support Center > Search Results > SecureKnowledge Details

Check Point response to CVE-2021-26414 - "Windows DCOM Server Security Feature Bypass"

Technical Level

Solution ID	sk176148
Technical Level
Product	Identity Awareness, Quantum Security Management, Multi-Domain Security Management
Version	R80.40, R81, R81.10, R81.20
OS	Gaia
Platform / Model	All
Date Created	01-Nov-2021
Last Modified	25-Dec-2022

Symptoms

After installing the required Microsoft updates documented in KB5004442 on Microsoft Windows Domain Controllers, the Check Point Security Management Server / Multi-Domain Security Management Server on the network no longer matches Identity Awareness Access Role objects as expected.
On Microsoft Windows Domain Controller (DC), Windows Event Viewer shows this log for Event 10036 DistributedCOM:
"The server-side authentication level policy does not allow the user \SID (S-1-5-21-xxxx-xxxx-xxxx-xx) from address x.x.x.x to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application."
The Check Point Active Directory Log tool (adlog) may show this error message:
"bad credentials or firewall blocks DCOM traffic [ntstatus = 0xc0000022]"

Cause

These Check Point environments are affected by applying the Microsoft hardening changes in response to CVE-2021-26414:

Environments with AD Query configured as an Identity Source
Environments with the Identity Logging feature enabled

Check Point AD Query and Identity Logging features query the Microsoft Active Directory Security Event Logs, and then extract user and computer information that maps to an IP address. This process is based on Windows Management Instrumentation (WMI). WMI is based on DCOM/RPC.

In the Microsoft Knowledge Base article KB5004442, Microsoft released hardening changes that enforce a higher level of authentication for DCOM traffic.

The new hardening changes interfere with the Check Point AD Query operation.

Microsoft is releasing the hardening changes in these phases:

Phase	Planned Date	Description
Phase 1	June 2021 ^(*)	Hardening changes are disabled by default, but with the ability to enable them.
Phase 2	June 2022 ^(*)	Hardening changes are enabled by default, but with the ability to disable them.
Phase 3	March 2023 ^(*)	Hardening changes are enabled by default, without the ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.

^(*) For exact dates, see KB5004442.

Solution

Background

Check Point recommends to use Identity Collector as the identity source instead of AD Query. For more information, see:

You can follow KB5004442 on your DC servers and use Identity Collector as the identity source because these hardening changes do not interfere with the Identity Collector operation.

To apply the Microsoft hardening and continue using AD Query and Identity Logging, you must install a hotfix.

Important Notes:

Environments with AD Query configured as an Identity Source (the process runs on the Security Gateway) - Install the fix on the Security Gateway.

While configuring AD Query in the Identity Awareness Configuration wizard, the connectivity test fails in this specific case:
1. SmartConsole runs on Windows 7.
2. There is no Access Control policy on the Security Gateway.
3. Microsoft hardening is enabled on the domain controller.
Environments with the Identity Logging feature enabled (the process runs on the Security Management) - Install the fix on the Management Server.

While configuring Identity Logging in the configuration wizard, the connectivity test fails in this specific case:
1. SmartConsole runs on Windows 7.
2. Microsoft hardening is enabled on the domain controller.

Fix Availability

The hotfix is included in Jumbo Hotfix Accumulators for these supported versions of Security Gateways / Security Management / Multi-Domain Servers:

Jumbo Hotfix Accumulator for R81.10 starting from Take 55
Jumbo Hotfix Accumulator for R81 starting from Take 60
Jumbo Hotfix Accumulator for R80.40 starting from Take 158
Jumbo Hotfix Accumulator for R80.30 starting from Take 251
Jumbo Hotfix Accumulator for R80.20 starting from Take 208

Fix Availability for Quantum Spark Appliances

The hotfix is included in these supported versions:

R80.20.40 build 992002665 (and higher) for 1500 / 1600 / 1800 appliances
R77.20.87 build 990173127 for 700 / 1400 appliances (contact Check Point Support to get it)
R77.20.81 Build 990172625 for 1200R appliances (contact Check Point Support to get it)

Important Notes for Environments where the Hotfix is not Installed

The setting documented in KB5004442 does not remove the alerts from the domain controller, but it does restore the traffic flow.
If you do not enable the new setting documented in KB5004442 (while this is still possible), you can continue working with AD Query.
This makes your Windows server vulnerable to CVE-2021-26414.

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating