Microsoft DCOM Patches “Break” OPC DA Communications
As of June 2022, this patch increases the default security level required for DCOM communications.
Microsoft’s June cumulative updates include a security patch, KB5004442, that limits the exposure of CVE-2021-26414 (CVSS 4.3), a vulnerability in which an attacker could bypass the security controls implemented in DCOM.
As a reminder, DCOM (Distributed Component Object Model) is the protocol that exposes an application’s objects over RPC (Remote Procedure Call), so that the components running on different devices can communicate over the network.

All applications that use the Windows API to establish DCOM connections between two devices are affected. One example is OPC-DA.
Classic OPC-DA uses DCOM to pass information between devices. Once the patch is applied (enabled by default from June 14, 2022), all OPC-DA communication is affected, because clients and servers must use the same DCOM authentication level.
Solutions for OPC-DA communication
1. (Temporary, until March 14, 2023) Disable the mitigation introduced by KB5004442 by modifying the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat registry key.
2. Configure the DCOM authentication level to “Packet Integrity” or higher, both on the OPC server and on all clients.
For servers, the change is made at the Application level (the OPC server’s own entry in the DCOM configuration).

For clients, the change is made at the “My Computer” level (the machine-wide default).

On KepserverEX-based servers and clients, the product must be configured to follow the DCOM configuration:
- KepserverEX: Settings > Runtime Options > Use DCOM configuration settings.
- OPC Quick Client: Tools > Options > Use DCOM for remote security.
- LinkMaster: Tools > Options > Runtime Options > Use DCOM configuration utility settings.
You can download the updated configuration guide.
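The two solutions above are normally applied by hand in dcomcnfg. As an added example (not code from the article, from Logitek or from Kepware), the following PowerShell audits the same settings on a Windows host so the state can be checked on every OPC server and client before and after the change: whether the KB5004442 override is set, what the machine-wide (“My Computer”) default authentication level is, which AppIDs are explicitly configured below Packet Integrity, and whether the server has logged DistributedCOM event 10036, which Windows records when it rejects a client for connecting below Packet Integrity. The registry value names (RequireIntegrityActivationAuthenticationLevel, LegacyAuthenticationLevel, AuthenticationLevel) and the event ID come from Microsoft’s KB5004442 and DCOM documentation, not from the article; Set-DcomDefaultAuthnLevel is the scripted equivalent of the “My Computer” change and needs an elevated prompt.

```powershell
# Added example: audit (and optionally set) the DCOM authentication levels that
# the KB5004442 hardening depends on. Reads work unelevated; the Set-* function
# writes HKLM and must run as Administrator.
# Value names are Microsoft's documented ones (assumption: unchanged on your build):
#   HKLM\SOFTWARE\Microsoft\Ole\AppCompat : RequireIntegrityActivationAuthenticationLevel (0 = hardening off, 1 = on)
#   HKLM\SOFTWARE\Microsoft\Ole           : LegacyAuthenticationLevel ("My Computer" default level)
#   HKCR\AppID\{guid}                     : AuthenticationLevel (per-application level set on the server)

# RPC_C_AUTHN_LEVEL constants as dcomcnfg stores them
$AuthnLevelName = @{
    1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'
    5 = 'Packet Integrity'; 6 = 'Packet Privacy'
}
$PktIntegrity = 5

function Get-DcomHardeningState {
    # The temporary workaround from solution 1 shows up here as a value of 0.
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat' `
            -Name RequireIntegrityActivationAuthenticationLevel -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'default for this OS build (no registry override)' }
    if ([int]$v.RequireIntegrityActivationAuthenticationLevel -eq 0) { 'disabled by registry override' } else { 'enabled' }
}

function Get-DcomDefaultAuthnLevel {
    # "My Computer" > Default Properties > Default Authentication Level.
    # When the value is absent Windows uses Connect (2).
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name LegacyAuthenticationLevel -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 2 }
    [int]$v.LegacyAuthenticationLevel
}

function Get-WeakDcomAppIds {
    # AppIDs whose own AuthenticationLevel is set below Packet Integrity.
    # An AppID with no explicit value inherits the machine-wide default and is not listed.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '{*}' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($null -ne $p.AuthenticationLevel -and [int]$p.AuthenticationLevel -lt $PktIntegrity) {
                [pscustomobject]@{
                    AppId = $_.PSChildName
                    Name  = $p.'(default)'
                    Level = $AuthnLevelName[[int]$p.AuthenticationLevel]
                }
            }
        }
}

function Get-DcomAuthnRejections {
    # Server side: event 10036 is logged when a client activates a DCOM server
    # with an authentication level below Packet Integrity. A burst of these after
    # the June 2022 update points at OPC-DA clients that still need reconfiguring.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

function Set-DcomDefaultAuthnLevel {
    # Scripted equivalent of raising the "My Computer" default to Packet Integrity (solution 2, client side).
    param([int]$Level = $PktIntegrity)
    if (-not $AuthnLevelName.ContainsKey($Level)) { throw "Unknown RPC_C_AUTHN_LEVEL $Level" }
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name LegacyAuthenticationLevel -Value $Level -Type DWord
}

# Report
$default = Get-DcomDefaultAuthnLevel
"KB5004442 hardening      : $(Get-DcomHardeningState)"
"Default authn level      : $default ($($AuthnLevelName[$default]))" +
    $(if ($default -lt $PktIntegrity) { '  <- below Packet Integrity' } else { '' })
"AppIDs below PktIntegrity:"
Get-WeakDcomAppIds | Format-Table -AutoSize
"Event 10036 in last 7 days:"
Get-DcomAuthnRejections | Format-Table -AutoSize
```

Run the report on both ends of each OPC-DA link: on the server, any weak AppID belonging to the OPC server and any 10036 events identify the clients that must be raised to Packet Integrity; on the client, a default level below 5 is the setting solution 2 asks you to change. If the first line reports “disabled by registry override”, the host is still relying on the temporary workaround that stops working on March 14, 2023.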
- Move the OPC-DA client and server to the same computer to avoid network communications and their authentication.
- Consider replacing the use of OPC-DA with OPC-UA, which does not require DCOM.
- “Tunnel” or “mask” OPC-DA communications between client and server. Logitek’s Communication Hub allows this to be done in different ways:
- Redirect OPC-DA traffic between 2 KepserverEX servers using OPC-UA as a transport medium.
- Use DataHub synchronization so that an OPC-DA client can read (and write) to the server, even when it is behind a firewall without open ports (eliminating the exposure of the process network and reducing cybersecurity risks).