Windows patch KB5014692 breaks WMI for User-ID

165794
Created On 06/22/22 21:14 PM - Last Modified 07/13/23 08:53 AM


Symptom


  • Error observed in the system log showing 'Access denied':
    fw> show log system
    high     userid      connect 0  User-ID server monitor LDAPSRVR(vsys1) Access denied
  • Errors observed in useridd.log showing 'NT_STATUS_ACCESS_DENIED':
    fw> less mp-log useridd.log
    Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1587): log query for LDAPSRVR failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
    Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1272): WMIC message from server LDAPSRVR: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied


Environment


  • Palo Alto Firewall
  • Supported PAN-OS
  • WMI enabled on Integrated User-ID
  • Microsoft Windows Server with patch KB5014692 applied
Note: WMI (Windows Management Instrumentation) is configured under GUI: Device > User Identification > User Mapping > Server Monitoring > Transport Protocol: 'WMI'


Cause


On June 14, 2022, Microsoft released patch KB5004442 for Windows Server to address the vulnerability described in CVE-2021-26414. This patch enables a new 'hardened security' mode for DCOM, on which remote WMI depends, and affects every vendor that relies on remote WMI queries.

Info from Microsoft: KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)


Resolution


  1. The permanent solution is to switch to WinRM as the transport protocol instead of WMI. Follow these steps to switch to WinRM: PAN-OS Administrator's Guide: Configure server monitoring using WinRM

  2. A temporary workaround is available until March 14, 2023. On the Windows Server, follow Microsoft's instructions to disable the hardening change. Modify the following registry value and set it to disabled:
     Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
     Value Name: "RequireIntegrityActivationAuthenticationLevel"
     Type: dword
     Value Data: 0x00000000 means disabled. 0x00000001 means enabled.

Note: You must enter Value Data in hexadecimal format. 
Important: You must restart your device after setting this registry key for it to take effect.
This registry key is scheduled to be removed by Microsoft on March 14, 2023 as part of their behavior change timeline.
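As an added example (not part of this article or Palo Alto's tooling), the following PowerShell audits the registry value described above across monitored servers and can set it on request; the function names and hostnames are placeholders of my own.

```powershell
# Added example, not from the article. Audits/sets the DCOM hardening value
# that KB5004442 describes. Function names and hostnames are placeholders.

function Get-DcomHardeningState {
    # Reports the state of RequireIntegrityActivationAuthenticationLevel on the local host.
    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
    $valueName = 'RequireIntegrityActivationAuthenticationLevel'
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $state = 'NotSet'                   # value absent: the patched default applies
    } else {
        switch ($item.$valueName) {
            0       { $state = 'Disabled' } # temporary workaround in place; WMI User-ID works
            1       { $state = 'Enabled'  } # hardening active; WMI queries fail ACCESS_DENIED
            default { $state = "Unexpected ($($item.$valueName))" }
        }
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; State = $state }
}

function Set-DcomHardeningState {
    # Writes the DWORD value (0 = disabled, 1 = enabled); supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State)
    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
    $valueName = 'RequireIntegrityActivationAuthenticationLevel'
    $value = if ($State -eq 'Enabled') { 1 } else { 0 }
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", "set to $value ($State)")) {
        Set-ItemProperty -Path $keyPath -Name $valueName -Type DWord -Value $value
        # The article notes the change only takes effect after a restart.
        Write-Warning 'Restart the server for this change to take effect.'
    }
}

# Audit the servers User-ID monitors (placeholder names) so hosts still running the
# temporary workaround can be migrated to WinRM and re-hardened before the key is removed.
$servers = @('LDAPSRVR', 'DC02')
Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-DcomHardeningState} |
    Select-Object Computer, State
```

Run `Set-DcomHardeningState -State Disabled -WhatIf` locally to preview the workaround write without changing anything.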

