check_wmi_plus.pl


Postby delboy1966 » Thu Sep 30, 2021 8:09 am

This might be a longshot, but here goes.

We use check_wmi_plus.pl to do checks on our Windows estate, which has worked well up until now.
After a Windows update we are seeing lots of event log messages relating to DCOM account permissions.

We opened a case with Microsoft, and the upshot is that we need to change the authentication method for the check. However, I don't see an option to do this in check_wmi_plus.pl.
Wondering if anyone else has seen this issue and if they found a way of changing the authentication method?

Here is what we got back from Microsoft.

> KB5005568 (for WS2019) introduced new event logging, with event ID 10036, to allow customers to easily identify if they have any applications/components encountering issues because of the authentication level in their environments during testing, without having to live debug the said applications.

> As the error message that is being logged (subject of the case) suggests, you have a Nagios client application trying to activate the DCOM server on this machine with a lower authentication level.

> This is all due to the hardening behavior that will be changed in Q1 2022 so that, by default, any calls with the authentication level below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY will be rejected by the OS (not the application).

> Some applications may have implemented a mechanism (on the client-side) which detects if a call with a lower authentication level fails and then initiates a new one with a higher level. This means that you will see some 10036 events logged, but the application itself is actually working fine, without causing any problems.

> The idea of this event error is to track down the applications that are not using the more secure authentication levels and to reach out to your internal teams or 3rd party vendor/developer maintaining them.

> P.S: There are 7 authentication levels in total, from 0 to 6 and the only one that should still be used to avoid any issues is level 5 (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY).
> Authentication-Level Constants (Rpcdce.h) - Win32 apps | Microsoft Docs


Thanks in advance

Re: check_wmi_plus.pl

Postby meni2029 » Fri Oct 01, 2021 11:46 am

Hi, not found a solution. But for your information the issue is also reported here: https://edcint.co.nz/checkwmiplus/forums/topic/wmic-rpc_c_authn_level_pkt_integrity/

Re: check_wmi_plus.pl

Postby alienone » Thu Oct 07, 2021 4:44 am

Hi
We got the same issue with this but have not yet found any solution.

Re: check_wmi_plus.pl

Postby mcapra » Thu Oct 07, 2021 8:24 am

I don't have a lab machine to crack open wmic and see what it does or does not support, though this definitely seems like it would be a wmic limitation.

impacket definitely supports this, and I'd started on a Python based WMI checks plugin a while ago but never finished it:
https://github.com/mcapra/nagios-check_ ... eck_wmi.py
Former Nagios employee
https://www.mcapra.com/

Re: check_wmi_plus.pl

Postby delboy1966 » Wed Oct 13, 2021 3:35 am

Hi guys

Sorry for the late reply, I've been away.

I did find that check_wmi_plus.pl allows you to include additional arguments to pass to wmic, by using -extrawmicargs.
One option you can pass is --use-security-mechanisms, where you can specify the level to use.
So, I added:

--extrawmicargs "--use-security-mechanisms=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY"

To the commands in commands.cfg.

Running the check_wmi_plus.pl command from command line with the debug option shows it being sent.

QUERY: /usr/local/bin/wmic '--use-security-mechanisms=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY' '-U' 'USER%PASS' '--use-security-mechanisms=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY' '--namespace' 'root/cimv2' '//10.48.86.34' 'select Name,CommandLine,ExecutablePath from Win32_Process'

But it doesn't seem to work, as the event logs are still full of the errors.

Tony

Re: check_wmi_plus.pl

Postby rudi.lotze » Mon Oct 18, 2021 4:47 am

Bump - anyone had any luck getting this issue resolved?

Re: check_wmi_plus.pl

Postby ebinjast » Fri Oct 22, 2021 3:12 am

I found a wmic on GitHub (not the original) and it looks like it uses code from the Samba project. https://github.com/astbss/wmic
Someone who understands a little Python might be able to find something that can be changed in here to raise the RPC auth level and then recompile it.

Should the RPC implementation in Samba not support raising the auth level, it would probably break some other Linux -> Windows stuff as well.

Re: check_wmi_plus.pl

Postby amoss24 » Tue Nov 23, 2021 5:56 pm

I'll add my two cents - we've also started noticing this issue on Windows servers as we update them.

Seems like there is some time to figure out a solution based on the timeline from Microsoft.

https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

May have to consider switching to NCPA perhaps - there goes my agentless monitoring!
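The Microsoft reply in the first post and delboy1966's --extrawmicargs experiment leave the same question open: did the wmic activation actually reach the Windows host below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, and is the host merely logging that or already rejecting it? The PowerShell below is an added example (not from this thread, check_wmi_plus.pl, wmic or Microsoft) that answers both from the server side: it reads the RequireIntegrityActivationAuthenticationLevel value under HKLM\SOFTWARE\Microsoft\Ole that the KB5004442 article linked above documents, then summarises recent event 10036 entries from the System log by account and client address. It assumes that the EventData of a 10036 event carries domain, user, SID and client address as its first four properties, in the order Microsoft's message text names them; check one event's .Properties yourself before trusting the columns. Save it as a .ps1 and run it elevated on the monitored host.

```powershell
# Added example, not code from the thread or from check_wmi_plus.pl / wmic.
# Purpose: show whether DCOM hardening (KB5004442) is enforced on this host and
# which clients are still activating DCOM below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
param([int]$Hours = 24)

$ReqLevel = 'RPC_C_AUTHN_LEVEL_PKT_INTEGRITY'   # level 5, the minimum the hardened OS accepts

# 1. Enforcement state: the registry value documented in KB5004442.
#    Not present -> activations below level 5 are only logged (event 10036).
#    1           -> such activations are rejected by the OS.
$oleKey    = 'HKLM:\SOFTWARE\Microsoft\Ole'
$valueName = 'RequireIntegrityActivationAuthenticationLevel'
$enforce   = (Get-ItemProperty -Path $oleKey -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($null -eq $enforce) {
    Write-Host "$valueName is not set: activations below $ReqLevel are logged as event 10036 but still succeed"
} elseif ($enforce -eq 1) {
    Write-Host "$valueName = 1: activations below $ReqLevel are rejected"
} else {
    Write-Host "$valueName = $enforce: hardening is not enforced by this value"
}

# 2. Who activated DCOM below level 5? The OS logs one 10036 event per offending activation.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036
    StartTime    = (Get-Date).AddHours(-$Hours)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Host "No event 10036 in the last $Hours hours: no activation arrived below $ReqLevel"
    return
}

# Assumption: EventData of 10036 is (domain, user, SID, client address) in that order,
# matching the order Microsoft's message text names them. Verify once with
# (Get-WinEvent -FilterHashtable $filter -MaxEvents 1).Properties before relying on it.
$rows = foreach ($e in $events) {
    $p = $e.Properties
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = '{0}\{1}' -f $p[0].Value, $p[1].Value
        Sid     = $p[2].Value
        Client  = $p[3].Value
    }
}

# One line per (account, client) pair: how many low-level activations, and when the last one was.
$rows |
    Group-Object Account, Client |
    ForEach-Object {
        [pscustomobject]@{
            Count   = $_.Count
            Account = $_.Group[0].Account
            Client  = $_.Group[0].Client
            Last    = ($_.Group | Sort-Object Time -Descending)[0].Time
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

The Nagios poller shows up in the Client column under the account check_wmi_plus.pl authenticates with. Run the check from the poller, re-run the script, and a new 10036 row for that address means the wmic call still arrived below level 5 whatever arguments were passed on the command line; no new row means the client-side change took effect. Once the registry value is 1, the same activation is rejected outright, so you would see the 10036 row on the host and a failed check on the poller at the same time.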

