Microsoft DCOM Vulnerability
DCOM is one of the most crucial services on Windows systems. However, a recent discovery of a vulnerability has caused Microsoft to implement hardening changes into DCOM. This will cause some built-in and 3rd party applications to have compatibility issues.
Sterling Gentran:Server is one of these applications. To avoid compatibility issues, you can use the DCOM Utility to locate components requiring DCOM communication.
What is DCOM?
DCOM (Distributed Component Object Model) is the Microsoft implementation of the object-oriented interface model that was originally introduced by IBM with their CORBA protocol. DCOM is a network protocol that supports interprocess communication between application components and remote objects.
Dcom offers a number of important features including geo-location agnosticism, packaging agnosticism and data aggregation. It is also designed to hide complexity of the underlying network communication. DCOM achieves this by providing a software bus that supports marshaling, proxying and stubs.
Another feature is call and access security. This feature allows developers to establish rules for which clients are allowed to connect to which servers. If a client fails to respond to a ping message from the server three times in a row, it is assumed that it has been dead and the connection is terminated. This prevents a dead server from draining the system resources of a live client. It also allows developers to create secure applications without security-specific coding or design in the client and server.
DCOM Object Model
DCOM enables client and server objects on different computers to communicate with each other over the network using a standard wire protocol. The COM run-time implements the DCOM interface standards, offering object-oriented services to both client and component and creating standard network packets containing RPCs and security information.
DCOM also includes features such as location transparency and surrogate capabilities that let clients access remote objects as if they were local. This allows developers to design application components in a modular manner and improves performance over a distributed environment.
Another benefit of DCOM is its language independence. This means that app developers can use any programming language to create a COM component and utilize a variety of tools to build the component. This enables developers to choose the most appropriate tool and programming language for each part of their application, shortening development time and improving software quality. This capability also facilitates rapid prototyping. DCOM also provides a garbage collector that destroys and reclaims completed or abandoned DCOM transactions, avoiding memory overflow on web servers.
DCOM supports security features that make it possible for software programs to work together across network boundaries. These include object activation, which allows a client to create remote objects only when they are needed, and automatic garbage collection that ensures components aren’t still hanging on after their connections have broken.
In addition, DCOM offers a variety of other important security features, including object-level authorization, which allows a server to assign access permissions to individual clients. These permissions can be modified through the dcomcnfg utility, which is available in Windows.
Microsoft recently discovered a vulnerability in the DCOM protocol that could allow attackers to bypass the server security feature and elevate privileges. As a result, the company has implemented security updates (also known as DCOM hardening) to prevent this vulnerability from being exploited. Unfortunately, these changes have impacted third-party applications that rely on DCOM for connectivity to WMI-based resources, such as Sterling Gentran:Server and ManageEngine Applications Manager.
Using DCOM, attackers can gain access to network devices. They can also use the protocol to evade defenses and discover information about systems. DCOM attacks may lead to exploitation techniques listed in the MITRE ATT&CK matrix, including evasion, discovery, and privilege escalation.
In June of 2021, Microsoft rolled out a security update that hardened authentication for its DCOM server. While it’s important to apply this patch, we recommend testing the impact on your network environment.
The change consists of a new registry value that requires an application to send a ping message to the DCOM server three times in a row. If the ping is not received, the DCOM server assumes the client is dead and decrements the component’s reference count. This prevents DCOM from wasting resources on dead connections. When the upcoming March 2023 Microsoft update rolls out, the DCOM hardening changes will be enabled by default. Changing the HKLM