"Access Denied" errors and applications with COM activation fail after installing July 2018 Security and Quality Rollup updates for .NET Framework

Applies to: .NET Framework

Introduction

Applications that rely on .NET Framework to initialize a COM component and that run with restricted permissions may fail to start or run correctly after you install the July 2018 Security and Quality Rollup updates for .NET Framework.

The Microsoft .NET Framework runtime inspects the process token to determine whether the process is running in an elevated context. The system calls that perform this inspection fail if the process does not hold the required process-inspection permission (the PROCESS_QUERY_INFORMATION permission referred to in the Workaround section), and that failure surfaces as an "access denied" error.
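The following diagnostic is an added example, not code from this article or from the .NET Framework. It performs the kind of process-token inspection described above and reports which call fails and with which Win32 error. The article does not name the exact calls the runtime makes, so the sequence OpenProcess (PROCESS_QUERY_INFORMATION) → OpenProcessToken (TOKEN_QUERY) → GetTokenInformation (TokenElevation) is an assumption of this example. Run it under the restricted identity that hits the failure (for example, the application pool identity) to confirm whether token inspection is being denied.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Added diagnostic (not from the KB article). It opens the current process with
// PROCESS_QUERY_INFORMATION, opens the process token, and queries the elevation
// flag, reporting the first step that fails and the Win32 error it produced.
static class TokenInspection
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenElevation = 20;       // TOKEN_INFORMATION_CLASS.TokenElevation
    const int ERROR_ACCESS_DENIED = 5;   // HRESULT_FROM_WIN32(5) == 0x80070005

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info,
                                           uint length, out uint returned);

    public enum Result { Elevated, NotElevated, AccessDenied, OtherError }

    // Inspects the caller's own process token. On failure, 'failedCall' names the
    // API that failed and 'win32Error' carries its GetLastError value.
    public static Result Inspect(out string failedCall, out int win32Error)
    {
        failedCall = null;
        win32Error = 0;

        IntPtr process = OpenProcess(PROCESS_QUERY_INFORMATION, false,
                                     (uint)Process.GetCurrentProcess().Id);
        if (process == IntPtr.Zero)
            return Fail("OpenProcess", out failedCall, out win32Error);

        IntPtr token = IntPtr.Zero, buffer = IntPtr.Zero;
        try
        {
            if (!OpenProcessToken(process, TOKEN_QUERY, out token))
                return Fail("OpenProcessToken", out failedCall, out win32Error);

            buffer = Marshal.AllocHGlobal(sizeof(uint));   // TOKEN_ELEVATION is one DWORD
            uint returned;
            if (!GetTokenInformation(token, TokenElevation, buffer, sizeof(uint), out returned))
                return Fail("GetTokenInformation", out failedCall, out win32Error);

            return Marshal.ReadInt32(buffer) != 0 ? Result.Elevated : Result.NotElevated;
        }
        finally
        {
            if (buffer != IntPtr.Zero) Marshal.FreeHGlobal(buffer);
            if (token != IntPtr.Zero) CloseHandle(token);
            CloseHandle(process);
        }
    }

    // Must be called immediately after the failing P/Invoke so GetLastWin32Error is still valid.
    static Result Fail(string call, out string failedCall, out int win32Error)
    {
        failedCall = call;
        win32Error = Marshal.GetLastWin32Error();
        return win32Error == ERROR_ACCESS_DENIED ? Result.AccessDenied : Result.OtherError;
    }

    // HRESULT_FROM_WIN32: a non-zero Win32 error becomes 0x8007xxxx.
    static int HResultFromWin32(int error)
    {
        return error <= 0 ? error : unchecked((int)0x80070000 | (error & 0xFFFF));
    }

    static void Main()
    {
        string failedCall;
        int error;
        Result result = Inspect(out failedCall, out error);
        if (failedCall == null)
            Console.WriteLine("Token inspection succeeded: {0}", result);
        else
            Console.WriteLine("{0} failed: {1} (HRESULT 0x{2:X8}) -> {3}",
                failedCall, new Win32Exception(error).Message, HResultFromWin32(error), result);
    }
}
```

A result of AccessDenied (Win32 error 5) corresponds to the HRESULT 0x80070005 (E_ACCESSDENIED) shown in the Symptoms section. If the program succeeds under the same identity that fails in the real application, the denial is occurring at a different point in COM activation and this check alone does not explain it.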

Symptoms

After you install any of the July 2018 .NET Framework Security Updates, a COM component fails to load because of “access denied,” “class not registered,” or “internal failure occurred for unknown reasons” errors. The most common failure signature is the following:

Exception type: System.UnauthorizedAccessException

Message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

SharePoint

  • When users browse to a SharePoint site, they may see the following HTTP 403 message: "The Web Site declined to show this webpage" HTTP 403.
  • The SharePoint ULS Logs will contain messages such as the following:

w3wp.exe (0x1894)         0x0B94  SharePoint Foundation  General 0000       High                UnauthorizedAccessException for the request. 403 Forbidden will be returned. Error=An error occurred creating the configuration section handler for system.serviceModel/extensions: Could not load file or assembly <AssemblySignature>  or one of its dependencies. Access is denied. (C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config line 180)

w3wp.exe (0x1894)         0x0B94  SharePoint Foundation  General b6p2      VerboseEx                Sending HTTP response 403:403 FORBIDDEN.

w3wp.exe (0x1894)         0x0B94  SharePoint Foundation  General 8nca       Verbose                Application error when access /, Error=Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

  • When crawling a people content source, the request may fail and log the following entry in the SharePoint ULS Log:

mssearch.exe (0x118C) 0x203C SharePoint Server Search Crawler:Gatherer Plugin cd11 Warning The start address sps3s://<URLtoSite> cannot be crawled.  Context: Application 'Search_Service_Application', Catalog 'Portal_Content'  Details:  Class not registered   (0x80040154)

When the error occurs, a message that resembles the following is logged in the SharePoint Crawl logs:

sps3s://<URLtoSite>
A component required for crawling this type of content is not registered with this application server. View the event logs for more information. (SearchID = XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX)

BizTalk Server Administration Console

  • BizTalk Server Administration Console fails to start correctly and returns the following errors:

An internal failure occurred for unknown reasons. (WinMgmt)

Program Location:

   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)

   at System.Management.ManagementObject.Get()

   at Microsoft.BizTalk.SnapIn.Framework.WmiProvider.SelectInstance

IIS with Classic ASP

  • A hosted Classic ASP page that calls CreateObject for .NET COM objects may generate an error message that resembles the following:

    ActiveX component can't create object

.NET application that uses impersonation

  • A .NET application that creates an instance of a .NET COM component within an impersonation context may generate an error message that resembles the following:

    0x80040154 (REGDB_E_CLASSNOTREG)

Resolution

To resolve these issues, apply the August 2018 Security and Quality Rollups or the Security Only updates that apply to your operating system and to the installed .NET Framework version. For more information, go to CVE-2018-8356 | .NET Framework Security Feature Bypass Vulnerability.

Workaround

To work around this issue, try any of the following methods.

Note Depending on the affected application and its code, the following workarounds may not be effective.

  • If you have advanced-level knowledge about how processes are started, run the process by using the PROCESS_QUERY_INFORMATION permission.
  • An IIS-hosted Classic ASP page that calls CreateObject for .NET COM objects may receive an "ActiveX component can't create object" error:
    • If your web site uses Anonymous Authentication:
      • Change the Web Site Anonymous Authentication credentials to use the "Application pool identity."
    • If your site uses Basic Authentication or Windows Authentication:
      • Log in to the application one time as the application pool identity, then create an instance of the .NET COM component.
      • After that, other site users will be able to activate the .NET COM component without the failure.
    • Alternatively, if you are using Windows Authentication, and you are accessing the website from the console of the Windows server on which the ASP application runs:
      • Creating an instance of the .NET COM component also resolves the error for other site users.
  • A .NET application that creates an instance of a .NET COM component within an impersonation context may generate a "0x80040154 (REGDB_E_CLASSNOTREG)" error message:
    • Create an instance of the .NET COM component before the impersonation context call.
      • Later impersonated create-instance calls then work as expected.
    • Run the .NET application in the context of the impersonated user.
    • Avoid using impersonation when creating the .NET COM object.
  • If UAC is disabled for the computer, re-enable it.
  • If the process fails to load Diasymreader.dll, run the following command for the assembly:

    ngen install <the failing assembly>

    For more information about ngen, see Ngen.exe (Native Image Generator).
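As an added example (not code from this article or from any Microsoft product), the console program below applies the impersonation workaround listed above: it activates the .NET COM component once under the process identity before entering the impersonation context, and then activates it again while impersonating. The ProgID Contoso.Sample.Component, the account name, domain and password are placeholders. Obtaining the token with LogonUser is an assumption of this example; it is one of several ways to get an impersonation token, and an ASP.NET application would normally take the identity from the request instead.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the KB article): warm-up activation before impersonation.
static class ImpersonationWarmup
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Late-bound activation by ProgID, the same path CreateObject in Classic ASP uses.
    // Throws COMException with the HRESULT (for example 0x80040154) if activation fails.
    static object Activate(string progId)
    {
        Type comType = Type.GetTypeFromProgID(progId, true);
        return Activator.CreateInstance(comType);
    }

    // An in-process .NET COM class activated from .NET is returned as the managed
    // object itself, not an RCW, so only release it when it really is a COM wrapper.
    static void Release(object instance)
    {
        if (Marshal.IsComObject(instance))
            Marshal.ReleaseComObject(instance);
    }

    static void Main()
    {
        const string progId = "Contoso.Sample.Component";   // placeholder ProgID

        // Step 1: activate once under the process identity, before impersonating.
        // Per the article's workaround, later impersonated activations then succeed.
        object warmup = Activate(progId);
        Console.WriteLine("Warm-up activation as {0} succeeded", WindowsIdentity.GetCurrent().Name);
        Release(warmup);

        // Step 2: obtain a token for the user to impersonate. Placeholder credentials;
        // a real application would not embed a password in source.
        IntPtr token;
        if (!LogonUser("svc_user", "CONTOSO", "<password>",
                       LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        try
        {
            // Step 3: activate again inside the impersonation context.
            using (WindowsImpersonationContext context = new WindowsIdentity(token).Impersonate())
            {
                object instance = Activate(progId);
                Console.WriteLine("Impersonated activation as {0} succeeded",
                                  WindowsIdentity.GetCurrent().Name);
                Release(instance);
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }
}
```

If the first Activate call is moved inside the using block, the program reproduces the failing pattern the article describes on an affected computer; with the warm-up in place, the impersonated activation proceeds. The other two workarounds in the list (running the whole application as the impersonated user, or not impersonating around the activation) need no code beyond removing the impersonation context.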

Warning: The following workarounds may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend these workarounds. However, we are providing this information so that you can implement the workarounds at your own discretion. Use these workarounds at your own risk.

  • Add “NETWORK SERVICE” to the local Administrators group.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


Applies to

July 2018 .NET Framework Security Updates for .NET Framework 3.5, 4.0, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, and 4.7.2 on all applicable and supported versions of Windows