
Microsoft DCOM Patches “Break” OPC DA Communications

All applications that use the Windows API to establish DCOM connections between two devices are affected.


In the June 2021 cumulative updates, Microsoft shipped a security change to address CVE-2021-26414 (CVSS 4.3), a DCOM server security feature bypass in which an attacker could circumvent the security options enforced by DCOM. The change raises the minimum authentication level that DCOM accepts for activation requests to Packet Integrity (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). Microsoft documents the change in KB5004442.

The rollout was staged so that all kinds of systems could be updated in time:

  • June 8, 2021: hardening shipped, but disabled by default.
  • June 14, 2022: hardening enabled by default, with the option to disable it through the registry value RequireIntegrityActivationAuthenticationLevel under HKLM\SOFTWARE\Microsoft\Ole\AppCompat.
  • March 14, 2023: hardening enforced, with no option to disable it.

Since March 2023, therefore, the hardening raises the security level required for DCOM communications and can no longer be turned off. Recall that DCOM (Distributed Component Object Model) extends COM over the network on top of RPC (Remote Procedure Call): an application exposes its COM objects, and components running on different devices call them across the network.

All applications that use the Windows API to establish DCOM connections between two devices are affected. An example: OPC-DA.

Classic OPC DA uses DCOM to pass information between devices. With the hardening enforced since March 14, 2023, every networked OPC DA connection is affected, because DCOM now rejects activation requests whose authentication level is below Packet Integrity; it is not enough for client and server to agree on some level, the level itself must be high enough.

The connection between OPC DA servers and clients over a network requires DCOM. With the KB5004442 changes enforced, only the two highest DCOM authentication levels, Packet Integrity and Packet Privacy, are accepted for activation. A connection from an OPC client configured with a lower level (None, Connect, Call or Packet) fails, and the server records DCOM event 10036 in the System log naming the account and address of the rejected client.
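Before touching any configuration it is worth knowing where a given OPC DA server stands. The following script is an added example and is not part of the original post or of any vendor's tooling. It reads the two registry values that govern the behaviour described above and lists the clients that the server has already rejected with event 10036. It assumes an elevated PowerShell session on the OPC DA server, and that the 10036 event carries its parameters in the order domain, user, SID, client address (an assumption about the event template; the raw Message is kept so you can confirm it).

```powershell
# Added example (not from the original post): audit one Windows host for the
# KB5004442 DCOM hardening state and list the activations it has rejected.
# Assumes an elevated PowerShell session on the OPC DA server.

function Get-DcomHardeningState {
    # Opt-out value documented in KB5004442; only honoured before March 14, 2023.
    $appCompat = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
    $optOut = Get-ItemProperty -Path $appCompat -Name 'RequireIntegrityActivationAuthenticationLevel' -ErrorAction SilentlyContinue

    # Machine-wide "Default Authentication Level" shown by dcomcnfg.
    # 1=None 2=Connect 3=Call 4=Packet 5=Packet Integrity 6=Packet Privacy; absent = Connect.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name 'LegacyAuthenticationLevel' -ErrorAction SilentlyContinue
    $level = if ($ole) { [int]$ole.LegacyAuthenticationLevel } else { 2 }

    [pscustomobject]@{
        OptOutValue          = if ($optOut) { $optOut.RequireIntegrityActivationAuthenticationLevel } else { 'not set (OS default applies)' }
        DefaultAuthLevel     = $level
        MeetsPacketIntegrity = ($level -ge 5)
    }
}

function Get-RejectedDcomActivations {
    param([int]$Days = 30)
    # Event 10036 (System log, source DistributedCOM) is written for each client
    # whose activation request was refused for using too low an authentication level.
    $filter = @{ LogName = 'System'; Id = 10036; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                # Assumption: parameter order domain, user, SID, client address.
                Account = '{0}\{1}' -f $_.Properties[0].Value, $_.Properties[1].Value
                Client  = $_.Properties[3].Value
                Message = $_.Message
            }
        } | Sort-Object Client -Unique
}

Get-DcomHardeningState
Get-RejectedDcomActivations | Format-Table Time, Account, Client -AutoSize
```

Run it on each OPC DA server after the hardening is active: an empty list of rejected activations together with a default level of 5 or 6 means that host is not the problem; any client address that does appear is the machine whose DCOM authentication level has to be raised.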


Affected Products and Versions

  • System Platform 2020 R2 SP1 and later.
  • System Platform 2017 U3 SP1 P01 and later.
  • System Platform 2014 R2 SP1 P02.
  • OI Gateway and FS Gateway.
  • Edge 2020 R2 SP1 and later.
  • KEPServerEX 5.20.396 up to 6.12.

Solutions

In general, the best solution is to update the applications to their latest version. Not only to avoid being affected by the Microsoft KB5004442 patch, but also to guarantee the maximum level of security of your systems.

If it is not possible to update to the latest version available, please contact our technical support department and they will advise you on the best option for your specific case.

  • FS Gateway (all versions) – update to OI Gateway.
  • OI Gateway G-2.1 (v5.2 and earlier) – update to a newer version.
  • OI Gateway G-3.0 to 2020 R3 – apply the hotfix appropriate to the version.
  • OI Gateway 2023 – compatible with the KB5004442 changes.

Speaking generically about communication over OPC DA, the following solutions can be considered:

  1. Install the OPC DA client and server on the same computer, so that no network DCOM communication, and therefore no network authentication, takes place.
  2. Configure the DCOM authentication level to Packet Integrity or higher on the OPC server and on every client, in dcomcnfg or, where the client application sets its own level, in the client's own configuration.
  3. Replace OPC DA with OPC UA, which does not use DCOM.
  4. Tunnel the OPC DA traffic between client and server:
  • Relay OPC DA traffic between two KEPServerEX instances using OPC UA as the transport.
  • Use DataHub synchronization so that an OPC DA client can read from (and write to) a server that sits behind a firewall with no inbound ports open, removing the exposure of the process network and reducing cybersecurity risk.
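Solution 2 is the one most sites end up applying to existing installations, so here is what it looks like as a script. This is an added example, not code from the original post or from AVEVA, Kepware or Microsoft. It raises the machine-wide default authentication level (the value dcomcnfg shows as "Default Authentication Level") and the per-application level of the OPC DA server, which dcomcnfg stores under HKCR\AppID\{guid}. It assumes an elevated session and that the OPC server is registered as a DCOM application whose display name matches -ServerName; the name 'Example.OpcDaServer' is a hypothetical placeholder.

```powershell
# Added example (not from the original post or any vendor): raise the DCOM
# authentication level to Packet Integrity (5) or Packet Privacy (6) for an
# OPC DA server and for the machine default used by clients on this host.
# Assumes an elevated PowerShell session. Supports -WhatIf.

[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ServerName = 'Example.OpcDaServer',   # assumption: hypothetical DCOM application name
    [ValidateSet(5, 6)] [int]$Level = 5            # 5 = Packet Integrity, 6 = Packet Privacy
)

$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

# 1. Machine default. Applies to every COM client and server on this host that
#    does not choose its own level by calling CoInitializeSecurity.
if ($PSCmdlet.ShouldProcess($oleKey, "Set LegacyAuthenticationLevel=$Level")) {
    Set-ItemProperty -Path $oleKey -Name 'LegacyAuthenticationLevel' -Value $Level -Type DWord
}

# 2. Per-application level for the OPC DA server, looked up by display name.
$app = Get-CimInstance -ClassName Win32_DCOMApplication | Where-Object Name -eq $ServerName
if (-not $app) { throw "DCOM application '$ServerName' not found; check the name shown in dcomcnfg." }

$appKey = "Registry::HKEY_CLASSES_ROOT\AppID\$($app.AppID)"
if ($PSCmdlet.ShouldProcess($appKey, "Set AuthenticationLevel=$Level")) {
    Set-ItemProperty -Path $appKey -Name 'AuthenticationLevel' -Value $Level -Type DWord
}

# 3. Report the effective values so the change can be verified (and audited).
[pscustomobject]@{
    MachineDefault = (Get-ItemProperty -Path $oleKey).LegacyAuthenticationLevel
    ServerAppID    = $app.AppID
    ServerLevel    = (Get-ItemProperty -Path $appKey).AuthenticationLevel
}
```

Run it on the server, then step 1 alone (the machine default) on each client host. The caveat is the one hinted at in solution 2: an OPC client that calls CoInitializeSecurity with its own, lower level ignores the machine default, and in that case the level has to be raised in the client's own configuration or by updating the client, which is why the vendor guidance above leads with updating.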

Not sure how to apply any of these points? Or, worse, not even sure what state your systems are in? Don't worry: at Becolve Digital we know how to help. Get in touch and we will study your particular case.