Eric's Technical Outlet

Learning the hard way so you don't have to

“Incorrect Function” and “Encryption Oracle Remediation” Errors

Starting with the March 2018 Windows security patches (with follow-up changes in April and May), Microsoft began cleaning up a remote code execution vulnerability in CredSSP, tracked as CVE-2018-0886. Unfortunately, truly fixing it requires that patched systems refuse to fall back to the vulnerable protocol version when talking to unpatched systems. Developers control which authentication methods their applications use, and they won’t necessarily make you aware that CredSSP is involved. So far, I have seen problems in Remote Desktop Connection and System Center products.

Symptoms

Most versions of MSTSC have been updated with an explicit message telling you what’s wrong:

The text reads:

An authentication error has occurred.

The function requested is not supported.

Remote computer: <<computername>>

This could be due to CredSSP encryption oracle remediation.

For more information, see https://go.microsoft.com/fwlink/?linkid=86660

Older RDP clients will not have the complete text:

The text reads:

An authentication error has occurred.

The function requested is not supported

Remote computer: <<computer name>>

A patched System Center Virtual Machine Manager host will be unable to communicate with an unpatched system, giving the error:

Error (2912)
An internal error has occurred trying to contact the svhv02.siron.int server: : .

WinRM: URL: [http://svhv02.siron.int:5985], Verb: [INVOKE], Method: [GetVersion], Resource: [http://schemas.microsoft.com/wbem/wsman/1/wmi/root/scvmm/AgentManagement]

The request is not supported (0x80070032)

Recommended Action
Check that WS-Management service is installed and running on server svhv02.siron.int. For more information use the command “winrm helpmsg hresult”. If svhv02.siron.int is a host/library/update server or a PXE server role then ensure that VMM agent is installed and running. Refer to http://support.microsoft.com/kb/2742275 for more details.

These are the problems that I ran into. Other affected applications will exhibit different symptoms. Notice that all of these errors report a request or a function as “not supported” (0x80070032 is the Win32 ERROR_NOT_SUPPORTED code). That might help you to narrow problems down for any applications that use CredSSP under the hood.


Cause

The March 2018 security update closed the vulnerability itself. It also added a Group Policy item, Encryption Oracle Remediation (Computer Configuration > Administrative Templates > System > Credentials Delegation, backed by the AllowEncryptionOracle registry value), that controls whether a patched host will still fall back to the insecure protocol version when the other side is unpatched. It has three settings: Vulnerable allows the fallback; Mitigated refuses to connect to unpatched remote hosts but still accepts connections from unpatched clients; Force updated clients refuses unpatched peers in both directions. In the March and April updates the default was Vulnerable, so patched and unpatched systems kept talking (the April update mainly added the explicit Remote Desktop client message shown above). The May 2018 security update changed the default to Mitigated.

So, once a host is at the May 2018 level or beyond (or has the policy set to Mitigated or Force updated clients by hand), it will refuse to open a CredSSP channel to any host that never received the March update. The reverse direction, an unpatched client connecting to a patched host, is refused only when the patched host is set to Force updated clients; at the default of Mitigated it still succeeds.

Resolution

The correction seems obvious: keep your systems patched. However, you’ll also need to update your deployment images. If you deploy a fresh image to a remote system from an ISO or other media built before these updates (for example, through WDS), your patched management systems will not be able to remote into it over CredSSP until it has been patched. So, besides patching, you need to take some of the following approaches:

  • Update the images that you use for deployment. How you do that depends on your deployment strategy. I use WDS with WIMs, so I employ an offline patching script: https://www.altaro.com/hyper-v/free-powershell-script-use-wsus-update-installation-media-hyper-v-templates/. That script also works for VHDXs, in case you template that way.
  • Use WDS or some other technique (such as SCCM or tools provided in the Windows ADK) to deploy new systems into organizational units with GPOs that automatically update.
  • Use the local console or an out-of-band management tool to connect to new systems.
  • I would strongly advise against it, but you could set up a dedicated “deployment management” system with the Encryption Oracle Remediation policy set to Vulnerable so that it can still talk to unpatched systems. Doing so exposes that management system to the attack the patch exists to close, and any system it touches, including every newly deployed one, inherits that exposure. You could reduce the risk with a careful defense-in-depth approach, but only patching eliminates it.
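As an added example (my code, not from the original post or from Microsoft), here is a PowerShell audit of the Encryption Oracle Remediation setting described under Cause. It also catches any system that was left at Vulnerable, which the last option above warns against. It assumes WinRM access to the remote hosts; the registry path and value name are the ones the policy writes, and the host names are placeholders.

```powershell
# Added example: audit (and optionally set) the CredSSP "Encryption Oracle Remediation"
# policy. Registry location and value name are those written by the CVE-2018-0886 GPO;
# the host names in the usage section are placeholders.
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName = 'AllowEncryptionOracle'

# Meaning of the DWORD behind the policy's three settings
$PolicyMeaning = @{
    0 = 'Force updated clients (refuses unpatched peers in both directions)'
    1 = 'Mitigated (will not connect to unpatched hosts; still accepts unpatched clients)'
    2 = 'Vulnerable (allows fallback to the insecure protocol version)'
}

function Get-CredSspOraclePolicy {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # The registry read runs on the target. Invoke-Command uses WinRM with Kerberos
    # (or NTLM) by default, so the audit itself does not depend on CredSSP.
    $ScriptBlock = {
        param($Path, $Name)
        $Item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $Item) { [int]$Item.$Name } else { $null }
    }

    if ($ComputerName -eq $env:COMPUTERNAME) {
        $Value = & $ScriptBlock $RegPath $ValueName
    } else {
        $Value = Invoke-Command -ComputerName $ComputerName -ScriptBlock $ScriptBlock `
                                -ArgumentList $RegPath, $ValueName
    }

    if ($null -eq $Value) {
        # No explicit value: the host uses its default, which is Mitigated once the
        # May 2018 update is installed and Vulnerable at the March/April level. A host
        # that was never patched has no policy at all and looks the same from here.
        $Meaning = 'Not configured (default: Mitigated at the May 2018 level or later)'
    } elseif ($PolicyMeaning.ContainsKey($Value)) {
        $Meaning = $PolicyMeaning[$Value]
    } else {
        $Meaning = "Unknown value $Value"
    }

    [pscustomobject]@{
        ComputerName          = $ComputerName
        AllowEncryptionOracle = $Value
        Meaning               = $Meaning
        Risky                 = ($Value -eq 2)   # flag anything explicitly left at Vulnerable
    }
}

function Set-CredSspOraclePolicy {
    # Writes the local policy value on this host; 0 = Force updated clients, 1 = Mitigated
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value)
    if (-not (Test-Path -Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $ValueName -Value $Value -Type DWord
}

# Usage: audit a list of hosts and bring anything left at Vulnerable to the top
$Hosts = 'svhv01.siron.int', 'svhv02.siron.int'   # placeholder names
$Hosts | ForEach-Object { Get-CredSspOraclePolicy -ComputerName $_ } |
    Sort-Object Risky -Descending | Format-Table -AutoSize
```

Because Invoke-Command authenticates with Kerberos by default, the audit works regardless of the CredSSP policy on either side. A domain GPO for the same setting writes the same registry value and will overwrite whatever Set-CredSspOraclePolicy put there at the next policy refresh, so set it in the GPO if the host is domain-joined.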

More Information

For more information, including the Group Policy item and the client/server interoperability matrix, review Microsoft’s documentation on CVE-2018-0886 (“CredSSP updates for CVE-2018-0886”, KB4093492).


Using PowerShell for Consistent, Repeatable Windows Features Selection

Deploying Windows Servers can be a pain, even when you’ve got a templating system. How do I know that the template matches my current requirements? What do I know now that I didn’t know when that template was built? How do I easily manage the one-off differences between that template and the needs of this new system?

It’s even worse when you don’t have a template system or have overriding reasons not to use one. You’re stuck building each new server from scratch, checking those boxes like it’s your first time.

Or, are you?

If you’re looking for a fast way to save or copy the list of selected Windows Server features and roles and apply them to a new system, PowerShell can easily help.

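As an added example (my code, not the post’s own script), here is the save-and-apply approach in PowerShell: export the installed roles and features of a reference server to a text file, then compare and install on a new server. It needs the ServerManager module, which means Windows Server; the file path in the usage lines is a placeholder.

```powershell
# Added example: capture installed roles/features on a reference server and apply that
# list to a new one. Requires the ServerManager module (Windows Server). Paths are placeholders.
Import-Module ServerManager

function Export-InstalledFeatureList {
    param([Parameter(Mandatory)][string]$Path)
    # Record only what is installed, by feature name (the stable identifier across hosts)
    Get-WindowsFeature | Where-Object { $_.Installed } |
        Select-Object -ExpandProperty Name | Sort-Object | Set-Content -Path $Path
}

function Compare-FeatureList {
    param([Parameter(Mandatory)][string]$Path)
    $Wanted    = @(Get-Content -Path $Path | Where-Object { $_ -ne '' })
    $Installed = @(Get-WindowsFeature | Where-Object { $_.Installed } | Select-Object -ExpandProperty Name)
    [pscustomobject]@{
        # Missing: in the reference list but not here. Extra: here but not in the
        # reference, which doubles as an attack-surface report for the new box.
        Missing = @($Wanted | Where-Object { $_ -notin $Installed })
        Extra   = @($Installed | Where-Object { $_ -notin $Wanted })
    }
}

function Import-FeatureList {
    param([Parameter(Mandatory)][string]$Path, [switch]$RemoveExtra)
    $Diff = Compare-FeatureList -Path $Path
    if ($Diff.Missing.Count -gt 0) {
        # Install only what is missing; management tools keep RSAT parity with the reference
        Install-WindowsFeature -Name $Diff.Missing -IncludeManagementTools
    }
    if ($RemoveExtra -and $Diff.Extra.Count -gt 0) {
        # Opt-in: strip features the reference server does not have
        Uninstall-WindowsFeature -Name $Diff.Extra
    }
    $Diff
}

# Usage: on the reference server
Export-InstalledFeatureList -Path 'C:\Build\features.txt'
# On the new server, after copying the file over (add -RemoveExtra to trim it down too)
Import-FeatureList -Path 'C:\Build\features.txt'
```

Feature names are the same across servers of the same version, so the text file is the whole "template". Run Compare-FeatureList on its own first when the two hosts are different Windows Server releases, since a feature name that exists on one may not exist on the other.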

Microsoft Storage Spaces vs. AMD SB950 RAID

This is a quick comparison of a parity Storage Space vs. RAID-5 on the same system.


WiX: Add Browse for File Capability to Installer

Do you want to add the ability for a user to browse for a file to your WiX installer project? The problem is fairly straightforward, and according to my searches, a lot of people have solved it. Unfortunately, no one seems to want to publish it. Here’s how I solved it.

Also, if you’re looking for a way to have an external custom action update a text box, that’s here, too.


PowerShell: Find Local Applications Blocked By a Remote Firewall

I’m sure we’ve all been there. You get an application that a vendor wrote and tested on a single, unfirewalled subnet. They sell it to you and you put it in your higher-security, multi-subnetted, firewalled environment, and it all falls down and goes boom. The vendor swears they’ve given you all the firewall information and then you go around-and-around for a few days, pulling network traces, etc.

So, I have thrown together a little script suite that should help you get to the bottom of it a little more quickly. Of course, a lot of times, you open one port only to discover that there is another port that will be needed that you couldn’t detect until the first one was open. Not much I can do about that in a PowerShell script, but watch the Altaro blog because I plan to demonstrate how to set up a test environment in Hyper-V to do this whole thing in a few minutes as opposed to the hours, or even weeks, it can sometimes take otherwise.


Review of Altaro Hyper-V Backup v5

On January 26th, 2015, Altaro released version 5 of their flagship backup application for Hyper-V. I’ve had it running in my test lab for a while now and am pleased to report that this is a grand step forward.

New Book on Hyper-V Security

My second book is now available for purchase. Its name is Hyper-V Security. It’s a short-form book with only eight chapters. The first six are related to the host, the hypervisor, and the guests. The final two chapters were written by Andrew Syrewicze and cover security in System Center Virtual Machine Manager.


PowerShell: Determine if an EXE is 32- or 64-bit, and Other Tricks

So, I needed to find out if a particular EXE was 32-bit or 64-bit. I found a lot of articles pointing to downloadable tools to do this, but I didn’t want another every-three-months-or-so tool to lose track of. Then I found a few confusing articles that sort of talked about how to do it programmatically that mostly managed to not really say how to do it programmatically. I found my way to Microsoft’s documentation on the executable standard and just rolled my own. In the process, I tossed in a few little tricks to go beyond just determining bitness.

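The PE header check that the post describes, written out as an added example (my code, not the post’s script): it validates the DOS header, follows e_lfanew to the PE signature, and reports the machine type, bitness, subsystem and whether the file is a DLL. The offsets and constants come from the PE/COFF specification; the folder in the usage line is a placeholder.

```powershell
# Added example: read the PE headers of an executable directly, without any external tool.
# Offsets/constants per the PE/COFF specification; the usage path is a placeholder.
function Get-PeInfo {
    param([Parameter(Mandatory)][string]$Path)

    $Bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).Path)

    # DOS header: "MZ" at offset 0, e_lfanew (file offset of the PE header) at 0x3C
    if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) {
        throw "$Path is not an MZ executable"
    }
    $PeOffset = [BitConverter]::ToInt32($Bytes, 0x3C)

    # "PE\0\0" signature (0x00004550 little-endian), then the 20-byte COFF file header,
    # then the optional header, of which the first 70 bytes are needed below
    if ($PeOffset -lt 0x40 -or ($PeOffset + 24 + 70) -gt $Bytes.Length -or
        [BitConverter]::ToUInt32($Bytes, $PeOffset) -ne 0x00004550) {
        throw "$Path has no valid PE header at e_lfanew"
    }
    $Machine         = [BitConverter]::ToUInt16($Bytes, $PeOffset + 4)    # COFF Machine
    $Characteristics = [BitConverter]::ToUInt16($Bytes, $PeOffset + 22)   # COFF Characteristics
    $OptOffset       = $PeOffset + 24
    $Magic           = [BitConverter]::ToUInt16($Bytes, $OptOffset)       # 0x10B PE32, 0x20B PE32+
    $Subsystem       = [BitConverter]::ToUInt16($Bytes, $OptOffset + 68)  # same offset in both formats

    $MachineNames   = @{ 0x014C = 'x86'; 0x8664 = 'x64'; 0x01C4 = 'ARM (Thumb-2)'; 0xAA64 = 'ARM64' }
    $SubsystemNames = @{ 1 = 'Native'; 2 = 'Windows GUI'; 3 = 'Windows console' }

    # The optional header magic, not the machine field, is what decides 32- vs 64-bit
    $Bitness = switch ($Magic) {
        0x10B   { '32-bit (PE32)' }
        0x20B   { '64-bit (PE32+)' }
        default { 'unknown (magic 0x{0:X})' -f $Magic }
    }
    $MachineName   = if ($MachineNames.ContainsKey([int]$Machine)) { $MachineNames[[int]$Machine] }
                     else { '0x{0:X4}' -f $Machine }
    $SubsystemName = if ($SubsystemNames.ContainsKey([int]$Subsystem)) { $SubsystemNames[[int]$Subsystem] }
                     else { "$Subsystem" }

    [pscustomobject]@{
        Path      = $Path
        Machine   = $MachineName
        Bitness   = $Bitness
        Subsystem = $SubsystemName
        IsDll     = [bool]($Characteristics -band 0x2000)   # IMAGE_FILE_DLL
    }
}

# Usage: report on the first 20 EXEs and DLLs in a folder, skipping anything that is not a PE file
Get-ChildItem -Path 'C:\Windows\System32\*' -Include *.exe, *.dll | Select-Object -First 20 |
    ForEach-Object { try { Get-PeInfo -Path $_.FullName } catch { Write-Warning $_ } } |
    Format-Table -AutoSize
```

Reading the magic rather than trusting the file name or the machine field is the point: a file can be renamed freely, and the two header fields normally agree, so a mismatch between Machine and Bitness is itself worth a second look.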

Video Course Giveaway: Enter for a chance to win a free copy of my Hyper-V cluster video series

For the contest we have 4 copies of Building and Managing a Virtual Environment with Hyper-V Server 2012 R2 [Video] to be given away to 4 lucky winners.

How to enter:

To enter to win your copy of this video course, all you need to do is come up with a comment below highlighting the reason “why you would like to win this video course”.

Duration of the contest & selection of winners:

The contest is valid for 1 week from September 22nd, 2014 to September 29th, 2014, and is open to everyone. Winners will be selected on the basis of the contents of their posted comment.

About the video course:


Building and Managing a Virtual Environment with Hyper-V Server 2012 R2 is a video series designed to present the complexities of Hyper-V and failover cluster configuration in easily digestible chunks. The segments feature demonstrations of the concepts explained in the video, being executed on an actual Hyper-V cluster.

You’ll begin with the basics of setting up your nodes, gathering them into the cluster, and working with your shared storage system. Then you’ll get an in-depth tour of managing your systems using the built-in graphical tools and PowerShell cmdlets. With that foundation, you’ll learn advanced concepts of virtual machine migration and cluster protection. You’ll also discover detailed maintenance steps, such as how Cluster-Aware Updating keeps your nodes patched without impacting virtual machines.

Building and Managing a Virtual Environment with Hyper-V Server 2012 R2 will present you with the knowledge and examples you need to successfully design and deploy your own Hyper-V clusters.

Video Series on Hyper-V Clustering

I am happy to announce that I have authored and narrated a new screencast series on clustering Hyper-V Server 2012 R2. It’s named “Building and Managing a Virtual Environment with Hyper-V Server 2012 R2” and is available directly from Packt Publishing.
