WMI access denied after installing Windows cumulative update KB5014702

Hi all,

check_wmi_plus returned the following error when our Windows support team installed KB5014702 on Windows servers.

We tried this solution and the problem is fixed. I hope it helps those who have similar problems.

https://support.microsoft.com/en-us/topic/june-14-2022-kb5014702-os-build-14393-5192-e60ac0e1-44a4-49f9-871f-7c25eb0e5bb1

UNKNOWN - The WMI query had problems. You might have your username/password wrong or the user’s access level is too low. Your Authentication File might be incorrectly formatted or inaccessible. Wmic error text on the next line.
[param/loadparm.c:587:init_globals()] Initialising global parameters
[param/loadparm.c:2462:lp_load()] lp_load: refreshing parameters from /dev/null
[param/params.c:556:pm_process()] params.c:pm_process() - Processing configuration file “/dev/null”
[param/loadparm.c:2471:lp_load()] pm_process() returned Yes
[param/loadparm.c:1343:lp_add_hidden()] adding hidden service IPC$
[param/loadparm.c:1343:lp_add_hidden()] adding hidden service ADMIN$
[auth/gensec/gensec.c:1229:gensec_register()] GENSEC backend ‘sasl-DIGEST-MD5’ registered
[auth/auth.c:447:auth_register()] AUTH backend ‘winbind_samba3’ registered
[auth/auth.c:447:auth_register()] AUTH backend ‘winbind’ registered
[auth/auth.c:447:auth_register()] AUTH backend ‘name_to_ntstatus’ registered
[auth/auth.c:447:auth_register()] AUTH backend ‘fixed_challenge’ registered
[auth/auth.c:447:auth_register()] AUTH backend ‘unix’ registered
[auth/auth.c:447:auth_register()] AUTH backend ‘anonymous’ registered
[auth/auth.c:447:auth_register()] AUTH backend ‘sam’ registered
[auth/auth.c:447:auth_register()] AUTH backend ‘sam_ignoredomain’ registered
[auth/gensec/gensec.c:1229:gensec_register()] GENSEC backend ‘krb5’ registered
[auth/gensec/gensec.c:1205:gensec_register()] gensec subsystem fake_gssapi_krb5 is disabled
[auth/gensec/gensec.c:1229:gensec_register()] GENSEC backend ‘schannel’ registered
[auth/gensec/gensec.c:1229:gensec_register()] GENSEC backend ‘spnego’ registered
[auth/gensec/gensec.c:1205:gensec_register()] gensec subsystem gssapi_spnego is disabled
[auth/gensec/gensec.c:1229:gensec_register()] GENSEC backend ‘gssapi_krb5’ registered
[auth/gensec/gensec.c:1229:gensec_register()] GENSEC backend ‘gssapi_krb5_sasl’ registered
[auth/gensec/gensec.c:1229:gensec_register()] GENSEC backend ‘ntlmssp’ registered
[lib/com/dcom/main.c:528:dcom_determine_rpc_binding()] Using binding ncacn_ip_tcp:server.domain
[librpc/rpc/dcerpc_connect.c:521:continue_map_binding()] Mapped to DCERPC endpoint 135
[lib/com/dcom/main.c:413:determine_rpc_binding_continue2()] dcerpc_ndr_request_recv returned NT_STATUS_OK
[lib/com/dcom/main.c:417:determine_rpc_binding_continue2()] IObjectExporter::ServerAlive returned NT_STATUS_OK
[auth/kerberos/kerberos_util.c:236:kinit_to_ccache()] kinit for xxx@DOMAIN failed (Cannot contact any KDC for requested realm: unable to reach any KDC in realm DOMAIN)
[auth/credentials/credentials_krb5.c:300:cli_credentials_get_client_gss_creds()] Failed to get CCACHE for GSSAPI client: Cannot contact any KDC for requested realm
[auth/gensec/gensec_gssapi.c:354:gensec_gssapi_client_start()] Cannot reach a KDC we require
[auth/gensec/gensec.c:606:gensec_start_mech()] Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
[auth/ntlmssp/ntlmssp_client.c:128:ntlmssp_client_challenge()] Got challenge flags:
[auth/ntlmssp/ntlmssp.c:72:debug_ntlmssp_flags()] Got NTLMSSP neg_flags=0x62898205
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_CHAL_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[auth/ntlmssp/ntlmssp_client.c:242:ntlmssp_client_challenge()] NTLMSSP: Set final flags:
[auth/ntlmssp/ntlmssp.c:72:debug_ntlmssp_flags()] Got NTLMSSP neg_flags=0x60088205
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied

Thanks 🙂

Same here. But what exactly did you do to fix it? Can’t see an obvious solution in the link.

How we fixed it, I am adding in the following:

We set the value to 0 (disabled).

Registry setting to enable or disable the hardening changes

During the timeline phases in which you can enable or disable the hardening changes for CVE-2021-26414, you can use the following registry key:

  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
  • Value Name: "RequireIntegrityActivationAuthenticationLevel"
  • Type: dword
  • Value Data: default = 0x00000000 means disabled. 0x00000001 means enabled. If this value is not defined, it will default to disabled.

Note: You must enter Value Data in hexadecimal format.

Important: You must restart your device after setting this registry key for it to take effect.

Note: Enabling the registry key above will make DCOM servers enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.

https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c
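Added example, not part of the original posts or of check_wmi_plus: a small Python triage of the wmic debug log from the first post, tying it to the RPC_C_AUTHN_LEVEL_PKT_INTEGRITY note above. It decodes the final NTLMSSP flags; final flags without NTLMSSP_NEGOTIATE_SIGN or NTLMSSP_NEGOTIATE_SEAL are consistent with a client that did not negotiate packet integrity, which is treated here as a triage hint (an assumption), since NT_STATUS_ACCESS_DENIED also covers wrong credentials.

```python
import re

# NTLMSSP negotiate bits (MS-NLMP 2.2.2.5), named the way the wmic log prints
# them. SIGN and SEAL never appear in that log; they are what integrity needs.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x00800000: "NTLMSSP_CHAL_TARGET_INFO",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}
SIGN_OR_SEAL = 0x00000010 | 0x00000020

def decode_flags(value):
    """Return the known flag names set in an NTLMSSP neg_flags value."""
    return [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]

def triage(log_text):
    """Summarise one wmic debug run: auth path, final flags, NTSTATUS."""
    seen = [int(h, 16) for h in re.findall(r"neg_flags=0x([0-9a-fA-F]+)", log_text)]
    status = re.search(r"NTSTATUS:\s*(NT_STATUS_\w+)", log_text)
    final = seen[-1] if seen else None  # last value follows "Set final flags"
    return {
        "kerberos_failed": "Failed to start GENSEC client mech gssapi_krb5" in log_text,
        "final_flags": decode_flags(final) if final is not None else [],
        # ALWAYS_SIGN by itself does not negotiate integrity; SIGN or SEAL must be set.
        "integrity_negotiated": final is not None and bool(final & SIGN_OR_SEAL),
        "status": status.group(1) if status else None,
    }

# Excerpt of the log posted above (not constructed).
SAMPLE = """\
[auth/gensec/gensec.c:606:gensec_start_mech()] Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
[auth/ntlmssp/ntlmssp.c:72:debug_ntlmssp_flags()] Got NTLMSSP neg_flags=0x62898205
[auth/ntlmssp/ntlmssp_client.c:242:ntlmssp_client_challenge()] NTLMSSP: Set final flags:
[auth/ntlmssp/ntlmssp.c:72:debug_ntlmssp_flags()] Got NTLMSSP neg_flags=0x60088205
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```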

Hey,

A new version of check_wmi_plus will be released in a few weeks along with some improvements, and the wmic (the package from Linux) will not be used any more, solving this issue ‘permanently’…

https://edcint.co.nz/checkwmiplus/new-wmic-client-coming-soon/

In the meantime we ended up using a Python replacement for the Linux wmic:
https://github.com/simply42/check_wmi_plus_wmic_dropin

There’s a ‘how to use’ section; in my case I also have:

  • Set python3 as ‘default version’ to be used (update-alternatives)
  • Installed impacket with pip
  • Adjusted permission and group of /usr/lib/python3.6/site-packages/ and /usr/lib64/python3.6/site-packages/

I hope this helps.

Thanks for the info. So until March 14, 2023 resp. when a new wmic / check_wmi_plus is released at least I can continue with the old wmi. 🙂

I tried to use the latest release of check_wmi_plus downloaded from here:
https://edcint.co.nz/checkwmiplus/version-1-67-released/
But this release introduces the concept of a WMIC Server…

Has anybody found a simple solution without using the WMIC Server on the NAGIOS host?

I’m having a problem after applying this workaround:

File “/bin/wmic”, line 50, in
elif args.user is not None:
AttributeError: ‘Namespace’ object has no attribute ‘user’

Hi!

I’m testing the last release of check_wmi_plus too… I didn’t find a simple solution and I’m using the wmic_server… The problem now is performance when a big number of requests is done at the same time. It looks like some type of queue is done, but this is related to gunicorn (used by the server daemon) and tuning is required. Currently I’m running gunicorn with --workers 4 --threads 4, but in some cases I still have problems…

I have problems with gunicorn too…

After many requests it seems to hang.
I read:
Dec 10 08:35:07 nice[17683]: [2022-12-10 08:35:07 +0100] [17683] [CRITICAL] WORKER TIMEOUT (pid:20454)
Dec 10 08:35:08 nice[17683]: ERROR:asyncio:Fatal error: protocol.data_received() call failed.
Dec 10 08:35:08 nice[17683]: protocol: <aiowmi.protocol.Protocol object at 0x7f473c22f430>

So I don’t understand how to size gunicorn properly.

I solved it with --threads 10

No more performance problem

Is there a document or detailed how-to for using this new version of the plugin?
It is not clear to me how to install and configure the wmic server on Icinga…
THX

I don’t know.

But I used https://github.com/cesbit/aiowmi/tree/main/contrib/wmic_server so I used the last check_wmi_plus.pl and added a parameter ‘-u’ giving the username to fit the wmic_server.