wmic – RPC_C_AUTHN_LEVEL_PKT_INTEGRITY

  • #539
    bboilet
    Participant

    Hello,

    I’ve been using check_wmi_plus for some time, without any problem.
    However, I recently applied the last Patch Tuesday updates on several Windows Server 2016 machines, and I get a message in the system log (DistributedCOM 10036) on all of them, about the authentication level policy to activate DCOM. The message says to raise the authentication level to at least RPC_C_AUTHN_LEVEL_PKT_INTEGRITY on the client.

    I supposed it was a wmic problem, and indeed as soon as I request WMI via wmic, the error pops up in the system log.
    I discovered the recent problem with wmic and Windows 10 build 2004 in your blog, so I built the new wmic version from your site. Unfortunately, even with the new build, the issue persists.

    Has anyone around seen the same issue in his environment?
    Does anyone have any idea what to do to correct it? I googled a bit without any luck for the moment.

    Thanks in advance for your answer.
    Regards,
    Baptiste.

    #540
    admin
    Keymaster

    I also noticed the error messages today. It appears that the wmic calls still work though.
    The error message is:
    The server-side authentication level policy does not allow the user DOMAIN\USER SID (S-SIDDETAILS) from address a.b.c.d to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

    This seems to be related to
    https://www.csoonline.com/article/3622168/how-to-test-the-impact-of-new-windows-dcom-server-authentication.html
    and https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

    I don’t yet know if something will stop working at some point because of this.

    Whilst the error message does say “raise the activation authentication level … in client application” this would need someone to poke around in the wmic source to fix this.
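An added example, not part of the original posts and not wmic or check_wmi_plus code: a Python sketch that tallies which clients and accounts are triggering event 10036, using the message format quoted above, so they can be identified before the server starts rejecting them. It assumes the System log was exported to CSV with `TimeCreated`, `Id` and `Message` columns and ISO 8601 timestamps; the sample rows, accounts, SIDs and addresses are constructed.

```python
import csv
import io
import re
from datetime import datetime

# Matches the DistributedCOM 10036 message text quoted in the thread.
MSG_RE = re.compile(
    r"does not allow the user (?P<user>.+?) SID \((?P<sid>[^)]+)\) "
    r"from address (?P<addr>\S+) to activate DCOM server"
)

def dcom_clients(csv_file):
    """Group event 10036 rows by (address, user): count, first and last seen."""
    clients = {}
    for row in csv.DictReader(csv_file):
        if row["Id"] != "10036":
            continue  # unrelated System log event
        m = MSG_RE.search(row["Message"])
        if m is None:
            continue  # localized or truncated text: review these by hand
        seen = datetime.fromisoformat(row["TimeCreated"])
        entry = clients.setdefault(
            (m["addr"], m["user"]),
            {"sid": m["sid"], "count": 0, "first": seen, "last": seen},
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], seen)
        entry["last"] = max(entry["last"], seen)
    # Noisiest clients first: the ones to fix or replace before enforcement.
    return sorted(clients.items(), key=lambda kv: kv[1]["count"], reverse=True)

# Constructed sample export (documentation addresses, made-up accounts and SIDs).
_MSG = ("The server-side authentication level policy does not allow the user {user} "
        "SID ({sid}) from address {addr} to activate DCOM server. Please raise the "
        "activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY "
        "in client application.")
_ROWS = [
    ("2021-09-15T08:00:01", "10036", r"CORP\nagios", "S-1-5-21-1-2-3-1105", "192.0.2.10"),
    ("2021-09-15T08:05:01", "10036", r"CORP\nagios", "S-1-5-21-1-2-3-1105", "192.0.2.10"),
    ("2021-09-15T08:07:30", "10036", r"CORP\inventory", "S-1-5-21-1-2-3-1210", "192.0.2.44"),
    ("2021-09-15T08:09:00", "7036", "", "", ""),  # different event ID, must be skipped
]

def sample_export():
    """Build the constructed CSV export in memory."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["TimeCreated", "Id", "Message"])
    for ts, eid, user, sid, addr in _ROWS:
        writer.writerow([ts, eid, _MSG.format(user=user, sid=sid, addr=addr)])
    buf.seek(0)
    return buf
```

Calling `dcom_clients(sample_export())` returns the monitoring host first with two hits; on a real export, pass the open CSV file instead.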

    #541
    bboilet
    Participant

    Hello

    Thanks for your answer.
    I can confirm it still works even though it fills up the system log.

    However, I found the same articles as you, and according to these and my understanding, it seems a later update (early 2022) will block connections with a level lower than RPC_C_AUTHN_LEVEL_PKT_INTEGRITY – which seems to be a real problem for us.

    Hope someone will catch our call with wmic source code.

    #545
    meni2029
    Participant

    Hello,

    We have the same concern.

    As described here, we have manually set the registry key RequireIntegrityActivationAuthenticationLevel = 1 on the target server, and check_wmi_plus (or wmic) returns:

    [wmi/wmic.c:196:main()] ERROR: Login to remote object.
    NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied

    It seems to be a real problem for us too!

    We’re using:
    – check_wmi_plus version 1.64
    – wmic package Version 4.0.0tp4-SVN-build-UNKNOWN

    Cheers

    #549
    maik.guendel
    Participant

    Hi,

    We have the same problem: our checks are spamming the Windows system logs with this message, which results in faster log rotation. Customers are complaining. Is there any wmic version or a replacement which can do RPC_C_AUTHN_LEVEL_PKT_INTEGRITY?

    Greetings
    Maik

    #550
    bboilet
    Participant

    Based on my research, wmic seems to be a dead binary – without any planned evolution.
    I love the idea of agentless monitoring – especially the bonus of check_wmi (like SQL monitoring, event log) … but I’m starting to look at NSClient++, coz I can’t stay without the last security patch much longer.
    However, I’m still searching for a replacement. Any idea will be greatly appreciated.

    #559
    admin
    Keymaster

    We are going to keep having problems with wmic unless it is fixed properly.

    Please see this post https://edcint.co.nz/checkwmiplus/long-term-fix-for-wmic-keeping-check-wmi-plus-alive/
