Installing Microsoft's June 8th 2021 NTLM Elevation of Privilege Vulnerability patches may break the User-ID Agent's connection to Domain Controller(s)

Created On 06/10/21 18:46 PM - Last Modified 10/28/21 15:58 PM


Symptom

After the Microsoft patches for CVE-2021-31958 are installed on the Windows Server(s) hosting either the User-ID Agent or the Domain Controller(s) being monitored by the User-ID Agent (i.e. the patch is installed on one side but not the other), the User-ID Agent can no longer connect to the Domain Controller(s) it is monitoring.

UaDebug.log on the User-ID Agent shows the following error (this message is only written when the "Debug" log level is enabled for UaDebug.log).

06/09/21 12:39:41:509[Debug 123]: OpenEventLog failed for DC abc.local(100.1.1.1) - Access is denied. <<<<<<<<<<<<<<<


Environment
User-ID Agent

Cause

On June 8th 2021, Microsoft released a set of patches in response to CVE-2021-31958 as part of its monthly patch release. One of the known issues listed for this update is:

"After installing this or later updates, apps accessing event logs on remote devices using certain legacy Event Logging APIs might be unable to connect. This issue might occur if the local or remote has not yet installed updates released June 8, 2021 or later."

The User-ID Agent uses the legacy OpenEventLog API to read event logs on the Domain Controller(s). Because of this, when the Windows server hosting the User-ID Agent is patched with the updates released June 8, 2021 (KB5003671) or later, and the Domain Controller(s) it is monitoring are not (or vice versa), the User-ID Agent may no longer be able to connect to the Domain Controller(s).

This issue does NOT occur if BOTH the User-ID Agent server and the Domain Controller servers are patched with the updates for CVE-2021-31958 or later.



Resolution

To resolve this issue, apply one of the following workarounds:

1. Roll back any patches from the list below that have been applied, OR
2. Install the relevant patches from the list below on BOTH the server(s) hosting the User-ID Agent and the Domain Controller(s) it is monitoring.
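The following PowerShell script is an added example, not part of this article or of the User-ID Agent itself. It helps confirm whether the mismatch described above is present before choosing a workaround: it queries the update list on the agent host and on each monitored Domain Controller, flags any host whose patch state differs from the agent host, and then exercises the same legacy remote event log path the agent depends on. The server names are placeholders; the KB numbers are the ones listed in this article.

```powershell
# Added example (not from the original article): detect an inconsistent June 2021
# patch state between the User-ID Agent host and its monitored Domain Controllers,
# then verify legacy remote event log access from the agent host.

$AgentHost         = 'uid-agent01'          # placeholder: server hosting the User-ID Agent
$DomainControllers = @('dc01', 'dc02')      # placeholder: DCs monitored by the agent

# KB numbers from the article (June 8, 2021 updates for CVE-2021-31958). Only one of
# these applies to a given OS version; a later cumulative update supersedes it.
$JuneKBs = @('KB5003671','KB5003681','KB5003697','KB5003696','KB5003667','KB5003694',
             'KB5003661','KB5003695','KB5003638','KB5003687','KB5003635','KB5003646')
$JuneCutoff = Get-Date '2021-06-08'

function Get-JunePatchState {
    param([string]$ComputerName)
    try {
        $all   = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop
        $found = $all | Where-Object { $JuneKBs -contains $_.HotFixID }
        # Most recent installed update with a usable date; a later cumulative update
        # will not match the June KB list but still satisfies "June 8, 2021 or later".
        $latest = ($all | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1).InstalledOn
        [pscustomobject]@{
            Computer     = $ComputerName
            JuneKBFound  = ($found.HotFixID -join ',')
            LatestUpdate = $latest
            Patched      = [bool]$found -or ($latest -and $latest -ge $JuneCutoff)  # heuristic
        }
    } catch {
        [pscustomobject]@{
            Computer = $ComputerName; JuneKBFound = ''; LatestUpdate = $null
            Patched  = $null  # query failed; see warning below
        }
        Write-Warning "$ComputerName : Get-HotFix failed - $($_.Exception.Message)"
    }
}

$states = @($AgentHost) + $DomainControllers | ForEach-Object { Get-JunePatchState $_ }
$states | Format-Table -AutoSize

# The failure mode in this article needs one side patched and the other not.
$agentState = $states | Where-Object Computer -eq $AgentHost
foreach ($dc in ($states | Where-Object Computer -ne $AgentHost)) {
    if ($null -ne $agentState.Patched -and $null -ne $dc.Patched -and
        $agentState.Patched -ne $dc.Patched) {
        Write-Warning ("Patch mismatch: {0} patched={1}, {2} patched={3}. " +
                       "Expect 'OpenEventLog failed ... Access is denied' in UaDebug.log.") -f
                       $AgentHost, $agentState.Patched, $dc.Computer, $dc.Patched
    }
}

# Reproduce the agent's access path. Get-EventLog is built on the legacy
# System.Diagnostics.EventLog API (the OpenEventLog family), unlike Get-WinEvent,
# which uses the newer Windows Event Log API. Run this on the User-ID Agent host
# under the account the agent service uses.
foreach ($dc in $DomainControllers) {
    try {
        $null = Get-EventLog -LogName Security -ComputerName $dc -Newest 1 -ErrorAction Stop
        Write-Host "$dc : legacy remote event log access OK"
    } catch {
        Write-Warning "$dc : legacy remote event log access failed - $($_.Exception.Message)"
    }
}
```

Two caveats when reading the output: Get-HotFix only reports updates recorded in Win32_QuickFixEngineering, so a host updated by other means may show no June KB even though it is current; and the "Patched" column is a date-based heuristic for such cases. A server that is current with a later cumulative update is on the "or later" side of the article's statement, so the fix is still to bring the other side up to date (or roll back), not to install the superseded June KB.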


Additional Information:

The affected KBs are listed below. The list can also be found on this Microsoft page: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31958

KB5003671
KB5003681
KB5003697
KB5003696
KB5003667
KB5003694
KB5003661
KB5003695
KB5003638
KB5003687
KB5003635
KB5003646
