Microsoft’s June security update is light on details but heavy on possible long-term impact on network environments. It updates a patch for a DCOM Server security feature bypass (CVE-2021-26414). What exactly is it fixing? A Japanese security bulletin offers some hints.
According to the bulletin, an attacker would first exploit the vulnerability by directing a DCOM client to connect to a specially crafted server, typically after gaining a foothold on the system through a phishing email sent to a user. The attacker would then use that position to access and compromise the DCOM server.
The patch fixes and strengthens the authentication used between DCOM clients and servers. Specifically, it phases in a stronger authentication level (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) on the DCOM client. This level ensures that none of the data transferred between the client and server has been modified in transit.
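An added audit script (not from the article or from Microsoft) that lists the machine-wide DCOM default authentication level and any per-AppID overrides configured below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, which are the applications most likely to surface compatibility problems once the client-side hardening is enforced. It assumes Microsoft's documented COM security registry locations (HKLM\SOFTWARE\Microsoft\Ole and HKLM\SOFTWARE\Classes\AppID) and the RPC_C_AUTHN_LEVEL_* numbering from rpcdce.h; the article names only the authentication level, not these keys.

```powershell
# Added example: audit DCOM authentication levels against PKT_INTEGRITY.
# Assumption: registry paths and value names are Microsoft's documented COM
# security settings; they are not taken from the article above.

# RPC_C_AUTHN_LEVEL_* numeric values (rpcdce.h)
$AuthLevelNames = @{
    0 = 'DEFAULT'; 1 = 'NONE'; 2 = 'CONNECT'; 3 = 'CALL'
    4 = 'PKT'; 5 = 'PKT_INTEGRITY'; 6 = 'PKT_PRIVACY'
}
$PktIntegrity = 5

function Get-DcomAuthLevelName([int]$Level) {
    if ($AuthLevelNames.ContainsKey($Level)) { return "RPC_C_AUTHN_LEVEL_$($AuthLevelNames[$Level])" }
    return "UNKNOWN($Level)"
}

# Machine-wide default, used by processes that never call CoInitializeSecurity.
# When the value is absent, COM falls back to CONNECT (2).
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
$machineLevel = if ($null -ne $ole.LegacyAuthenticationLevel) { [int]$ole.LegacyAuthenticationLevel } else { 2 }

[pscustomobject]@{
    Scope             = 'Machine default (LegacyAuthenticationLevel)'
    Level             = Get-DcomAuthLevelName $machineLevel
    BelowPktIntegrity = ($machineLevel -lt $PktIntegrity)
} | Format-List

# Per-application overrides under AppID\{GUID}\AuthenticationLevel.
# A value of 0 (DEFAULT) means "use the machine default", so resolve it first.
Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $props.AuthenticationLevel) {
            $lvl = [int]$props.AuthenticationLevel
            $effective = if ($lvl -eq 0) { $machineLevel } else { $lvl }
            [pscustomobject]@{
                AppID             = $_.PSChildName
                Name              = $props.'(default)'
                Configured        = Get-DcomAuthLevelName $lvl
                Effective         = Get-DcomAuthLevelName $effective
                BelowPktIntegrity = ($effective -lt $PktIntegrity)
            }
        }
    } |
    Where-Object { $_.BelowPktIntegrity } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each DCOM client and server you expect to be affected; an empty AppID table means no application explicitly asks for a weaker level than the patch will enforce.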
What is DCOM?
Distributed Component Object Model (DCOM) is a Microsoft technology for communication between software components on networked computers. Many of us don’t truly understand it, nor can we diagnose the DCOM errors in our event logs that don’t appear to have a major impact on our networks. DCOM is a protocol for exposing application objects using remote procedure calls (RPCs). As a result of CVE-2021-26414, those RPCs need to be hardened to ensure they are protected against this “security feature bypass” vulnerability.