question

MirandaVeracruz asked MirandaVeracruz commented

CVE-2021-26414 breaks Failover Cluster Manager

Hi Community,

In order to test mitigations for CVE-2021-26414 (Windows DCOM Server Security Feature Bypass), I just recognized that it broke Failover Cluster Manager after applying the necessary June patches and the registry key RequireIntegrityActivationAuthenticationLevel with value 0x00000001 (which means enabled).

Now I'm getting this error:

[Image: 118276-image.png]

In the FailoverClustering-Manager diagnostic-log I have the following entry:

 An error occurred connecting to the cluster 'CLUSTER01'. - System.ApplicationException: An error occurred trying to display the cluster information. ---> System.AggregateException: One or more errors occurred. ---> System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
    at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
    at System.Management.ManagementScope.InitializeGuts(Object o)
    at System.Management.ManagementScope.Initialize()
    at Microsoft.FailoverClusters.UI.Common.WmiHelper.GetWmiConnection(Tuple`2 connection)
    at MS.Internal.ServerClusters.Management.Utilities.<>c__DisplayClass13_0`1.<VerifyUserIsAdminOnNodes>b__0(T item)
    at System.Threading.Tasks.Parallel.<>c__DisplayClass17_0`1.<ForWorker>b__1()
    at System.Threading.Tasks.Task.InnerInvokeWithArg(Task childTask)
    at System.Threading.Tasks.Task.<>c__DisplayClass176_0.<ExecuteSelfReplicating>b__0(Object )
    --- End of inner exception stack trace ---
    at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
    at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
    at System.Threading.Tasks.Parallel.ForWorker[TLocal](Int32 fromInclusive, Int32 toExclusive, ParallelOptions parallelOptions, Action`1 body, Action`2 bodyWithState, Func`4 bodyWithLocal, Func`1 localInit, Action`1 localFinally)
    at System.Threading.Tasks.Parallel.ForEachWorker[TSource,TLocal](IEnumerable`1 source, ParallelOptions parallelOptions, Action`1 body, Action`2 bodyWithState, Action`3 bodyWithStateAndIndex, Func`4 bodyWithStateAndLocal, Func`5 bodyWithEverything, Func`1 localInit, Action`1 localFinally)
    at System.Threading.Tasks.Parallel.ForEach[TSource](IEnumerable`1 source, Action`1 body)
    at MS.Internal.ServerClusters.Management.Utilities.VerifyUserIsAdminOnNodes[T](IEnumerable`1 items, String clusterName, Func`2 getNodeName)
    at MS.Internal.ServerClusters.Management.Utilities.VerifyUserIsAdminOnNodes(Cluster cluster)
    at MS.Internal.ServerClusters.Management.ClusterContext.CommonConstruct()
    --- End of inner exception stack trace ---
    
 Server stack trace: 
    at MS.Internal.ServerClusters.Management.ClusterContext.CommonConstruct()
    at MS.Internal.ServerClusters.Management.ClusterContext..ctor(String clusterName)
    at MS.Internal.ServerClusters.Management.ClusterConnectionFactory.AttemptClusterConnect(UiUpdate uiUpdate, ClusterConnectSettings connectSettings)
    at MS.Internal.ServerClusters.Management.CluadminWaitDialog.BackgroundOperation[I,O](BackgroundWaitDialogOperation`2 backgroundOperation, I data)
    at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
    at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)
    
 Exception rethrown at [0]: 
    at System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase)
    at System.Runtime.Remoting.Proxies.RemotingProxy.Invoke(Object NotUsed, MessageData& msgData)
    at MS.Internal.ServerClusters.Management.CluadminWaitDialog.InternalBackgroundOperation`2.EndInvoke(IAsyncResult result)
    at MS.Internal.ServerClusters.Management.CluadminWaitDialog.ShowDialog[I,O](INotifyUser notifyUser, BackgroundWaitDialogOperation`2 backgroundOperation, I data)
    at MS.Internal.ServerClusters.Management.ClusterConnectionFactory.ConnectToCluster(ClusterConnectSettings connectSettings, INotifyUser notifyUser, String initialMessage)
    at MS.Internal.ServerClusters.Management.ClusterConnectionFactory.ConnectToCluster(ConnectedClusterData connectionData, INotifyUser notifyUser, ConnectionType setting)
    at MS.Internal.ServerClusters.Management.RootContext.DoConnect(INotifyUser notifyUser, String firstChoice)

When I roll back the registry key to 0x00000000 (followed by a reboot), everything's back to normal and Failover Cluster Manager is working fine. Because these mitigations will be hard enforced in early 2022, I think this needs to be fixed very urgently!

Cheers
Miranda

windows-server-2019

Got the following response from Microsoft:

• It is a known issue that Mitigation for CVE-2021-26414 causes the Access Denied error in FCM you are experiencing. This is experienced in both Windows Server 2016 and 2019 (probably in 2012 R2 as well).
• The fix for this issue is contained in the July 2021 - C (third week of the month) monthly update.
• For Windows Server 2019 the KB has been released (below). In the following days it will be released for Windows Server 2016 as well.
  o July 20, 2021-KB5004308 (OS Build 17763.2090) Preview (microsoft.com)
• We have successfully tested the issue internally and for us it was resolved by applying the above-mentioned update.
• The C update (either with Preview or not) is not available for WSUS, but the fixes are contained in the next month's B update (second week of the month), which is available to install via WSUS, i.e. you can get it via WSUS in the second week of August 2021.
  o Same for Windows Server 2016 (eventually 2012 R2)

Reza-Ameri answered

Try installing all other updates.
In case you have access to a Windows 10 PC, open Feedback Hub app and under category select Windows Server and submit a bug report including all relevant log files.

YuhanDeng-MSFT answered

Hi Miranda,
Thanks for your feedback.
Please try installing the new patch and see what happens.

Best regards,
Danny


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
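
An added example (not from the thread or from Microsoft) that checks each node for the combination the question and the Microsoft response describe: RequireIntegrityActivationAuthenticationLevel set to 1 on a Windows Server 2019 build below 17763.2090. The registry key path, the use of PowerShell remoting and the node names are assumptions not stated in the thread.

```powershell
# Added example: compare DCOM hardening state with patch level on each cluster node.
# Queries over PowerShell remoting (WinRM), not WMI/DCOM, which is the path failing in the thread.
# Usage (node names are placeholders): .\Test-DcomHardening.ps1 -Node NODE1,NODE2
param(
    [Parameter(Mandatory)]
    [string[]]$Node,
    [int]$FixedBuild = 17763,   # Windows Server 2019, from the thread
    [int]$FixedUbr   = 2090     # OS Build 17763.2090 (KB5004308), from the thread
)

$probe = {
    # Assumption: this key path is not stated in the thread, which names only the value.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat' -ErrorAction SilentlyContinue
    $cv  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Hardening = $ole.RequireIntegrityActivationAuthenticationLevel  # $null when unset
        Build     = [int]$cv.CurrentBuildNumber
        Ubr       = [int]$cv.UBR
    }
}

foreach ($n in $Node) {
    try {
        $r = Invoke-Command -ComputerName $n -ScriptBlock $probe -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Node = $n; Hardening = $null; OsBuild = $null
                           Status = "Unreachable over WinRM: $($_.Exception.Message)" }
        continue
    }
    $enabled = $r.Hardening -eq 1
    $hasFix  = $r.Ubr -ge $FixedUbr
    $status = if ($r.Build -ne $FixedBuild) {
        'Other OS build: look up the fixing update for this version'
    } elseif ($enabled -and -not $hasFix) {
        'Hardening on without the fix: expect Access Denied in FCM'
    } elseif ($enabled) {
        'Hardening on, fix installed'
    } elseif ($hasFix) {
        'Fix installed, hardening off: enabling it can be re-tested'
    } else {
        'Hardening off, fix missing: patch before enabling'
    }
    [pscustomobject]@{
        Node      = $n
        Hardening = if ($null -eq $r.Hardening) { 'not set' } else { $r.Hardening }
        OsBuild   = '{0}.{1}' -f $r.Build, $r.Ubr
        Status    = $status
    }
}
```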
