
WMI changing on Windows server for DCOM Hardening

Details

    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • Professional Edition
    • Poller

    Description

      On 14 March 2023 Microsoft is changing its DCOM hardening policy, which, when set according to Microsoft guidance, will break the WMI poller.

      Information is here: KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414) - Microsoft Support

      Currently we are able to bypass this issue by changing the settings on the Windows servers as below, but this becomes obsolete on 14 March 2023.

      • Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
      • Value Name: "RequireIntegrityActivationAuthenticationLevel"
      • Type: dword
      • Value Data: default = 0x00000000 means disabled. 0x00000001 means enabled. If this value is not defined, it will default to enabled.

      I'm unsure what, if anything, can be done inside Observium to handle this issue.
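An added PowerShell check, not part of this issue or of Observium, that an administrator can run on a polled Windows server to see whether the registry workaround above is still in place (and so whether hardening is disabled) and which clients are still activating DCOM below Packet Integrity. It assumes local administrator rights; the event ID 10036 and the provider name come from Microsoft's KB5004442 guidance referenced above, not from this page.

```powershell
# Added example (not Observium code): audit the DCOM hardening state on this host.
# Assumes it runs locally as an administrator. Event ID 10036 is the server-side
# event Microsoft documents in KB5004442 for activations below PKT_INTEGRITY.

$regPath = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$valName = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    $item = Get-ItemProperty -Path $regPath -Name $valName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Undefined value means hardening defaults to enabled (see the description above).
        return [pscustomobject]@{ Configured = $false; Enforced = $true; Value = $null }
    }
    $v = [int]$item.$valName
    return [pscustomobject]@{ Configured = $true; Enforced = ($v -ne 0); Value = $v }
}

function Get-WeakDcomClients {
    param([int]$Days = 7)
    # One event 10036 is logged per activation request that arrives below Packet Integrity;
    # the message names the account and the source address of the client.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'user\s+(?<user>\S+).*?address\s+(?<addr>[0-9a-fA-F\.:]+)') {
                [pscustomobject]@{ Time = $_.TimeCreated; User = $Matches.user; Address = $Matches.addr }
            }
        } | Group-Object User, Address | Select-Object Count, Name
}

$state = Get-DcomHardeningState
if ($state.Configured -and -not $state.Enforced) {
    # A value of 0 disables hardening; the description notes the bypass stops working on 14 March 2023.
    Write-Warning "$valName is 0: DCOM hardening is disabled on this host."
} else {
    Write-Output "DCOM hardening enforced (value: $($state.Value))."
}
Write-Output 'Clients seen activating DCOM below Packet Integrity (event 10036, last 7 days):'
Get-WeakDcomClients | Format-Table -AutoSize
```

Any Observium poller host that appears in the second list will stop working once the registry bypass is ignored, so that list is the set of clients whose wmic needs the Packet Integrity fix rather than the server-side registry change.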

        Activity

          Mike Stupalov (landy) added a comment:

          Trouble with the binary version of wmic - it is not possible to use it on systems with ARM-based processors.
          That's why we will not do any improvements for this binary.

          Mike Stupalov (landy) added a comment:

          Since revision r12629 we maintain an alternative wmic command as a Python-based script.
          It works as a fully compatible replacement for the old (unmaintained) binary.

          But I don't know how compatible it is with the latest versions of Windows.
          Please check it yourself if you can.

          The script is placed in the main Observium repository at path: /opt/observium/scripts/wmic

          Chris Wager (Wizard189) added a comment:

          Good Afternoon,

          I am a frequent user of Observium, but the lack of WMI has started to become a real issue, so I took the time to find a workable solution to this issue.

          I have managed to get this working; not sure if this is going to help the Observium team, but anyone else is welcome to copy this implementation if they so wish.

          The approach I took was to take the source code from openvas-smb and change line 508 in lib/com/dcom/main.c to read as follows:

          char *bindstr = talloc_asprintf(c, "ncacn_ip_tcp:%s[sign]", server);

          I then compiled the source and copied the generated wmic binary to /usr/bin.

          I kept the original winexe binary provided by Observium in their tar.gz archive.

          I am happy to upload the pre-compiled binary if Observium want me to, or if they would like me to send it privately for them to test, that is also something I can do.

          The source code I amended and compiled is licensed under GNU Public License 2 or later and can be found at the GitHub link below.

          https://github.com/greenbone/openvas-smb

          Thanks
          Chris

          (Just your totally ordinary autistic server nerd)

          Observium Bot (bot) added a comment:

          General questions and device support can be discussed in our Discord channel.

          Please make and attach additional information about the device:

          • full SNMP dump from the device:

            snmpwalk -v2c -c <community> -t 3 -Cc --hexOutputLength=0 -ObentxU <hostname> .1 > myagent.snmpwalk
            snmpwalk -v2c -c <community> -t 3 -Cc --hexOutputLength=0 -ObentxU <hostname> .1.3.6.1.4.1 >> myagent.snmpwalk

            If the device does not support SNMP version 2c, replace -v2c with -v1.

          • If you have problems with discovery or poller processes, please run and attach these debugs:

            ./discovery.php -d -h <device>
            ./poller.php -d -h <device>

          • additionally attach device- and/or vendor-specific MIB files

          This comment is added automatically.

          People

            landy Mike Stupalov
            meaton Michael Eaton