Bienvenido a la comunidad de Pandora FMS › Forums › Community support › wmic – RPC_C_AUTHN_LEVEL_PKT_INTEGRITY problem – KB5004442
-
wmic – RPC_C_AUTHN_LEVEL_PKT_INTEGRITY problem – KB5004442
Posted by linspec9078 on noviembre 3, 2021 at 15:49Hi all,
this problem could affect quite a few pandora installations.After security update KB5004442, Microsoft introduced some Hardening changes in DCOM.
Today the hardening is optional but after Q2 2022 it will be enabled by default and with no ability to disable it.
The problem is that the wmic tool shipped with pandora ISO seems to be a dead binary, without any planned evolution, and it doesn’t with the hardening enable.
Some one found an alternative solution or know how Pandora project is going to manage this situation?
Some links for further informations:
– https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c
– https://edcint.co.nz/checkwmiplus/forums/topic/wmic-rpc_c_authn_level_pkt_integrity/Thank you
linspec9078 replied 2 years, 6 months ago 4 Members · 23 Replies -
23 Replies
-
-
::
Hello,
A few months ago we updated the wmic binary to include the latest security changes made by Windows.
https://firefly.artica.es/centos7/wmic-1.4-1.el7.x86_64.rpm
With this version you should be able to continue your remote wmi monitoring operation without any problems.
Kind regards
-
-
-
-
-
-
::
Hi
To fix the issue, it is neccesary to install a new binary ( pandorawmic ) . You can install it from https://firefly.artica.es/centos8/pandorawmic-1.0.0-1.x86_64.rpm .
After you have installed the new binary, it is necessary to change the wmi_client binary in your pandora_server.conf
https://pandorafms.com/manual/en/documentation/02_installation/04_configuration?s%5B%5D=pandorawmic#wmi_client
After finishing the installation and updating pandora_server.conf, you should restart the Pandora FMS server service to apply the changes.
https://pandorafms.com/manual/en/faq/start#what_are_the_differences_between_wmic_and_pandorawmic
Installation:
https://pandorafms.com/manual/en/documentation/02_installation/01_installing?s%5B%5D=pandorawmic
Kind regards
-
-
-
::
Hello Mario,
using the Update Manager Online in Web Console, while updating from 759 to 760, at the end of the process it shows the message “Signatures does not match”, as you can see from this image:
In the footer it shows “Pandora FMS v7.0NG.760 – OUM 760 – MR 52” .
Can i consider the update from 759 to 760 sucseeded anyway, an then can i procede to update to version 761?
Thank you
-
-
-
-
-
-
-
::
Hi,
Can you check if you have the following token enabled, if so, disable it and try again.
-
::
Hello all,
with the old wmic i used the parameter “–option=’client ntlmv2 auth’=Yes” . Wich autentication schema is used by default from new pandorawmi tool ?
Thank youHello all,
with the old wmic i used the parameter “–option=’client ntlmv2 auth’=Yes” . Wich autentication schema is used by default from new pandorawmi tool ?
Thank you
-
-
::
Yes, with pandorawmic the use of NTLMv1 is restricted to SMB version 1 only if NTLMv2 authentication failed or SMB Extended Security is not supported.
We have been checking about kerberos authentication and it is true that the new library used in pandorawmic supports this authentication, but it is not included in the new binary. We are going to check it to include it in next versions.
Thanks
Kind regards -
-
::
Hi All,
is possible that pandorawmic is creating a lot of subdirs like this one under /tmp ?
ls -l /tmp/_MEI77SShW/
totale 10788
-rwx—— 1 root root 786953 6 giu 09.49 base_library.zip
-rwx—— 1 root root 856432 6 giu 09.49 _cffi_backend.cpython-36m-x86_64-linux-gnu.so
drwx—— 8 root root 4096 6 giu 09.49 Cryptodome
drwx—— 2 root root 4096 6 giu 09.49 impacket-0.9.24.dist-info
-rwx—— 1 root root 68192 6 giu 09.49 libbz2.so.1
-rwx—— 1 root root 15856 6 giu 09.49 libcom_err.so.2
-rwx—— 1 root root 2521144 6 giu 09.49 libcrypto.so.10
drwx—— 2 root root 4096 6 giu 09.49 lib-dynload
-rwx—— 1 root root 173320 6 giu 09.49 libexpat.so.1
-rwx—— 1 root root 63088 6 giu 09.49 libffi-d58a691e.so.8.1.0
-rwx—— 1 root root 32328 6 giu 09.49 libffi.so.6
-rwx—— 1 root root 320720 6 giu 09.49 libgssapi_krb5.so.2
-rwx—— 1 root root 210784 6 giu 09.49 libk5crypto.so.3
-rwx—— 1 root root 15688 6 giu 09.49 libkeyutils.so.1
-rwx—— 1 root root 967840 6 giu 09.49 libkrb5.so.3
-rwx—— 1 root root 67104 6 giu 09.49 libkrb5support.so.0
-rwx—— 1 root root 157424 6 giu 09.49 liblzma.so.5
-rwx—— 1 root root 402384 6 giu 09.49 libpcre.so.1
-rwx—— 1 root root 3144192 6 giu 09.49 libpython3.6m.so.1.0
-rwx—— 1 root root 285136 6 giu 09.49 libreadline.so.6
-rwx—— 1 root root 155744 6 giu 09.49 libselinux.so.1
-rwx—— 1 root root 470376 6 giu 09.49 libssl.so.10
-rwx—— 1 root root 174576 6 giu 09.49 libtinfo.so.5
-rwx—— 1 root root 90176 6 giu 09.49 libz.so.1
drwx—— 2 root root 4096 6 giu 09.49 setuptools-59.6.0.dist-info
drwx—— 2 root root 4096 6 giu 09.49 wheel-0.37.1.dist-info
-
::
Hi
It´s true that this folder is created by python, but we have not this files in /tmp folder of our testing environment. Do you have wmi checks not working at this moment in Pandora Server or failing some times with timeouts problems?
We have seen in other occasions with compiled files that can store these files when they do not finish the execution correctly.
Kind regards
-