DCOM Security Update

On June 8th 2021, Microsoft released Windows Security Update KB5004442 in response to a recently discovered vulnerability affecting DCOM security (CVE-2021-26414). This vulnerability affects all current versions of Windows. However, although the vulnerability has been patched, the update is turned off by default.

As this change to DCOM has far-reaching consequences for technologies built on top of DCOM (i.e. OPC Classic - DA, HDA, Alarm & Events), Microsoft are phasing the change in over Q1 and Q2 of 2022, and by the end of Q2 this new DCOM behaviour will be enforced. Until then, it is possible to turn the effects of this update on and off via the System Registry.

 

Microsoft’s current timeline is as follows:

8 June 2021

Hardening changes are disabled by default but with the ability to enable them using a registry key.

June 2022 (Originally Q1 2022)

Hardening changes are enabled by default but with the ability to disable them using a registry key.

March 2023 (Originally Q2 2022)

Hardening changes are enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.

 

Registry Keys

The following registry key and value can be used to alter the behaviour until the security update is enforced in Q2:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat

RequireIntegrityActivationAuthenticationLevel

Please refer to Microsoft’s Support document here. Note: Changes to this setting require a reboot to take effect.
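The following PowerShell function reports how the override above is set on the local machine, so that OPC Classic hosts can be inventoried before enforcement. It is an added example, not code from Microsoft or from the original page. The function name `Get-DcomHardeningState` is hypothetical, and the DWORD meanings (0 = hardening disabled, 1 = hardening enabled) are taken from Microsoft's KB5004442 article rather than from this page.

```powershell
# Added example: report the local DCOM hardening override for KB5004442.
# Get-DcomHardeningState is a hypothetical helper name; the 0/1 DWORD meanings
# are an assumption taken from Microsoft's KB5004442 article, not this page.
function Get-DcomHardeningState {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat',
        [string]$ValueName = 'RequireIntegrityActivationAuthenticationLevel'
    )

    # No override present: the default of the installed update phase applies
    # (disabled by default, then enabled by default, per the timeline above).
    $state = 'NotConfigured'
    $raw   = $null

    # Both the AppCompat key and the value may be absent on an untouched machine.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $ValueName)) {
        $raw  = $key.GetValue($ValueName)
        $kind = $key.GetValueKind($ValueName)
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            # A value of the wrong type (e.g. a string "1") is a misconfiguration.
            $state = "Invalid (type $kind, expected DWord)"
        } else {
            switch ($raw) {
                0       { $state = 'HardeningDisabled' }
                1       { $state = 'HardeningEnabled' }
                default { $state = "Invalid (unexpected data $raw)" }
            }
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        ValueName    = $ValueName
        RawValue     = $raw
        State        = $state
    }
}

Get-DcomHardeningState | Format-List
```

The reported state reflects what is written in the registry; a change made since the last reboot is not yet in effect.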

Third-Party Patches

DCS, Data Historians and other OPC Client/Server Vendors are actively working on patches for affected products (some are already available).

Check with them directly to see if:

  • you are using affected systems/software (DCS, Data Historian, OPC Classic Servers / Clients)
  • the version you are running will be patched; current indications are that vendors will only be releasing patches for currently supported versions.

You may need to upgrade versions to access the patches or implement workarounds.

 

Need Help?

Need any assistance assessing your level of risk from this Security Update and the impact it may have on your OPC Classic landscape, Operations, Data Collection, Data Processing? Get in touch:

Email: [email protected]

Phone: +44 (0)800 4118411

 

- Industrial Thinking Support Team

 

Updated 21-Feb-2022 with an updated timeline from Microsoft (see https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c for more details)