Info

The following information was provided by Kepware. Source: https://www.ptc.com/en/support/article/CS350729

...

Request

Cannot find any info on Microsoft DCOM Hardening effects on Kepware and OPC DA. Are there patches or recommended mitigation?

Document - CS350729

"Unable to establish OPC DA communication after installing Microsoft DCOM Hardening patches (CVE-2021-26414) with PTC Kepware Products" Modified: 07-Jun-2022

Applies To

  • KEPServerEX 5.20.396.0 to 6.11.718.0

  • ThingWorx Kepware Server 8.0 to 6.11.718.0

Description

  • Will Microsoft's phased rollout of tightened DCOM security impact KEPServerEX?

  • Effect of the Microsoft DCOM update on KEPServerEX communications

  • Will the DCOM updates impact OPC UA/DA connections or any other protocols?

Cause

This notice informs you of a potential anomaly with PTC Kepware® products: they will be unable to establish a proper DCOM connection after installing the Microsoft® DCOM Hardening patch that addresses CVE-2021-26414, as described in MS KB5004442 - Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414).

Microsoft is releasing multiple Windows cumulative updates to address CVE-2021-26414; the CVE-2021-26414 entry lists the individual patches. These patches address a vulnerability in DCOM by increasing the minimum authentication level used when establishing DCOM connections. The affected Kepware® products use OPC-DA, or use Windows® APIs, to establish DCOM connections between two computers.

Classic OPC-DA utilizes DCOM communications to pass information between workstations. Kepware connectivity applications include an OPC-DA client interface that enables many of them to exchange data with third-party OPC-DA servers. Similarly, KEPServerEX, ThingWorx Kepware Server, OPC Aggregator and LinkMaster function as OPC-DA servers. The DCOM authentication level elevation impacts all OPC-DA communications from these products and any third-party OPC-DA clients and servers running on different workstations. (Note: OPC-DA communication within one workstation and OPC UA communication are not affected.)

Resolution

General Information:

  • OPC-DA Clients and Servers must utilize the same DCOM authentication level. Once the Kepware software DCOM authentication level is changed, the DCOM authentication level used by third-party clients and servers on remote workstations must also be updated.

Temporary Workaround:

  • Following application of Microsoft’s June 14, 2022 Windows cumulative update, customers may use the temporary workaround Microsoft describes in MS KB5004442 to disable the Microsoft DCOM Hardening patch.

  • Important: This mitigation can only be employed until Microsoft releases the final patch update to address CVE-2021-26414 on March 14, 2023. After deploying Microsoft’s final update on or after March 14, 2023, it will no longer be possible to disable Microsoft’s DCOM Hardening patch. After deploying Microsoft’s March 14, 2023 update, the only mitigation available is to reconfigure DCOM appropriately to establish communication to affected products.

  • For Classic OPC-DA communications, consider moving clients and servers to operate on the same workstation, or migrate the system to replace Classic OPC-DA with OPC UA.

Resolution:

  • Kepware products can be set to use the newly required (by Microsoft) DCOM security with the Windows DCOM configuration utility (DCOMCNFG.EXE). No patch is required.

    • The DCOM Authentication Level will need to be set to Packet Level Integrity for both the Client and the Server

    • For Server applications this change will need to be made at the Application level:

...

  • For Client applications this change will need to be made at the My Computer level:

...

  • Note: KEPServerEX may be the Client, the Server, or both

  • In addition to DCOM configuration, the following product settings must be enabled:

    • KEPServerEX; ThingWorx Kepware Server; OPC Aggregator:

      • Settings>Runtime Options> Options> Use DCOM configuration settings

    • OPC Quick Client:

      • Tools>Options>Use DCOM for remote security

    • LinkMaster:

      • Tools>Options>Runtime Options>Use DCOM configuration utility settings

  • Kepware's Remote OPC DA (DCOM) Configuration Guide has been updated to include the above settings
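As an added example (not Kepware's or Microsoft's code), the following PowerShell audit reads the two DCOM authentication levels the resolution above requires to be Packet Integrity (the My Computer default used by client applications and the server application's AppID setting), reports the state of the KB5004442 hardening switch, and lists what still needs changing in DCOMCNFG.EXE. It assumes the standard DCOM registry locations (HKLM\SOFTWARE\Microsoft\Ole, HKCR\AppID) and the KB5004442 AppCompat value; the server AppID GUID is a placeholder to replace with the one DCOMCNFG shows for the Kepware server.

```powershell
param(
    # PLACEHOLDER (assumption): AppID GUID of the OPC-DA server application, as shown in DCOMCNFG.EXE
    [string]$ServerAppId = '{00000000-0000-0000-0000-000000000000}'
)

$Required   = 5   # RPC_C_AUTHN_LEVEL_PKT_INTEGRITY ("Packet Integrity" in DCOMCNFG)
$LevelNames = @{ 0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call';
                 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }

# Read a DWORD value, returning $null when the key or the value does not exist.
function Get-RegDword([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Print a verdict for one setting and return $true when it meets the requirement.
# Write-Host is used so that only the boolean reaches the caller's output stream.
function Test-AuthLevel([string]$Label, $Level) {
    if ($null -eq $Level) {
        Write-Host "FAIL  ${Label}: not set (inherits the DCOM default)"
        return $false
    }
    $ok   = $Level -ge $Required
    $name = if ($LevelNames.ContainsKey($Level)) { $LevelNames[$Level] } else { "unknown ($Level)" }
    $tag  = if ($ok) { 'OK  ' } else { 'FAIL' }
    Write-Host "$tag  ${Label}: $name"
    return $ok
}

# KB5004442 switch (June 2022 update or later): 0 = hardening disabled (temporary
# workaround); absent or 1 = enforced. It is ignored once the March 14, 2023 update is installed.
$hardening = Get-RegDword 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat' 'RequireIntegrityActivationAuthenticationLevel'
if ($hardening -eq 0) {
    Write-Host 'INFO  DCOM hardening disabled by the KB5004442 workaround; this is temporary'
} else {
    Write-Host 'INFO  DCOM hardening enforced (RequireIntegrityActivationAuthenticationLevel absent or 1)'
}

# "My Computer" default level (used by client applications) and the server's AppID level.
$machineOk = Test-AuthLevel 'My Computer default (clients)' `
    (Get-RegDword 'HKLM:\SOFTWARE\Microsoft\Ole' 'LegacyAuthenticationLevel')
$appOk     = Test-AuthLevel "AppID $ServerAppId (server)" `
    (Get-RegDword "Registry::HKEY_CLASSES_ROOT\AppID\$ServerAppId" 'AuthenticationLevel')

if ($machineOk -and $appOk) {
    Write-Host 'RESULT  both sides are at Packet Integrity or higher'
} else {
    Write-Host 'RESULT  fix the FAIL lines in DCOMCNFG.EXE, then enable the product''s "Use DCOM configuration settings" option'
}
```

Run it on both the client and the server workstation, since the article requires matching levels on each side.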

Other resolution options:

  • Move OPC-DA clients and servers to the same workstation

  • Migrate the system to replace Classic OPC-DA with OPC UA

Related Articles from Kepware

  • Impact from Microsoft DCOM enhanced security (KB5004442)

  • Windows DCOM server security feature bypass impact on PTC ThingWorx Products