Operational Defect Database

BugZero found this defect 529 days ago.

Veeam | kb4376

Access to Hyper-V or Veeam B&R Components Fails After DCOM Hardening is Enabled

Last update date:

12/14/2023

Affected products:

Veeam Backup & Replication

Veeam ONE

Veeam Agent for Microsoft Windows

Veeam Management Pack for Microsoft System Center

Veeam Recovery Orchestrator

Affected releases:

ALL

Fixed releases:

No fixed releases provided.

Description:

Challenge

After June 14, 2022, DCOM connections to Hyper-V, Veeam Backup & Replication, and other Windows-based servers may be impacted by the DCOM hardening policy activated after the deployment of the Microsoft CVE-2021-26414 security update. Below are examples of errors that may be shown by Veeam products affected by this: This list of examples errors is not exhaustive, others may exist. It is critical to focus on checking for Windows Event ID 10036. Veeam Backup & Replication — operations involving Hyper-V infrastructure may fail with the error: Failed to call RPC function 'HviCreateVmRecoverySnapshot' Failed to connect to cluster <clustername> Failed to create Hyper-V Cluster Wmi utils: Access denied or timeout expired. Check if you have local administrator privileges on computer '<clustername>'. Possible reason: Specified host is not a cluster node. Failed to connect to host vmhost2 Access denied or timeout expired. Check if you have local administrator privileges on computer '<hostname>'. Possible reasons: 1. Invalid credentials. 2. Specified host is not a Hyper-V server.

Cause

The situation is caused by the Microsoft Windows DCOM connections hardening. Shown below is Microsoft's timeline for deployment of this new hardening policy.

Solution

All Veeam products are ready for this DCOM change and use Packet Integrity DCOM authentication; the underlying Windows OS must be updated to support this change. To resolve these issues, ensure all Windows-based servers have installed the DCOM Hardening update. See the list at the bottom of this article: KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414). The updates listed on that page may have been rolled in to future updates, check Windows DCOM Server Security Feature Bypass CVE-2021-26414 for more information.   Notes: These updates may be listed as optional and may have been ignored by Windows or WSUS systems. In such a situation, the update must be deployed manually. This issue may affect older Windows operating system, but the update to resolve the issue may not be available without ESU. For environments where Veeam Backup & Replication was deployed on an older operating system no longer supported by the latest version of Veeam Backup & Replication (e.g., Server 2008 R2), please review: KB1803: How to Upgrade Legacy Veeam Backup Server

Additional Resources / Links

Share:

BugZero® Risk Score

What's this?

Coming soon

Status

Solved

cost-cta-background

Do you know how much operational outages are costing you?

Understand the cost to your business and how BugZero can help you reduce those costs.

Have you ever...

had your data corrupted from a

VMware

bug?

Search:

...