[KB1151]Windows Updates to enforce DCOM hardening – KB5004442

Tags: OPC, Windows update

3 years ago
By BL
Applies to:

PcVue and FrontVue – Multiple versions


Summary:

Microsoft has started rolling out Windows updates that could affect users of the OPC Classic technology, software components and products relying on DCOM for remote process communication.

These Windows updates are designed to harden DCOM security by raising the minimum authentication level to Packet Integrity. This is part of a Microsoft effort to fix the vulnerability described in CVE-2021-26414.
Once enforced, this change causes OPC connection failures in a variety of scenarios.

Details about the change are provided by Microsoft in KB5004442 and in an article on the tech community blog.

We invite users of OPC Classic products to read this article and monitor the coming change closely.

Last update: October 20th 2022


Details:

Timeline

Microsoft has a 4-step plan:

  • Step 1: A first update was rolled out in June 2021. It introduced the hardening and made it possible to enable it for testing software applications (see below). It was not enabled by default and had no direct effect.
  • Step 2: A second update rolled out on June 14th 2022 made it possible to programmatically enable the requirement for Packet Integrity (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) on all DCOM servers.
  • Step 3: A third update planned to be rolled out on November 8th 2022(*) will automatically raise the authentication level of all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY if it is below Packet Integrity.
  • Step 4: A fourth update will make the hardening mandatory. Microsoft announces a rollout on March 14th 2023(*).

(*) Dates are indicative and as announced by Microsoft at the time of writing this article (last update as of October 20th 2022).

The Windows updates discussed in this article are categorized as security updates and apply to many Windows versions down to Windows 7 SP1 and Windows Server 2008.

Recommendations

OPC vendors are taking advantage of step 1 to test their products and prepare fixes.

Users are recommended to take advantage of steps 1 and 2 to ensure that every OPC component they depend on is compatible with the DCOM hardening change, and to apply fixes if necessary.

If incompatible OPC components are still in place when Microsoft rolls out the 2nd update, users shall disable the hardening.

The 3rd update will break DCOM communication if incompatible OPC components are still in place (unless they use anonymous authentication).

If incompatible OPC components are still in place when Microsoft rolls out the 4th update, users shall make sure this 4th update is not installed and take appropriate mitigation measures.

Products affected by the change

PcVue

Used either as an OPC client or as an OPC server, recent versions of PcVue are not affected by the change.
The DCOM components in PcVue fully support the hardening change, and no fix is needed.

Versions 11.2, 12 and 15 are validated; there is no plan to validate older versions of PcVue.

FrontVue

FrontVue 15 is compatible with the hardening change starting with Maintenance Release 15.2.2.
FrontVue 12 is compatible with the hardening change starting with Maintenance Release 12.0.7.
FrontVue 11.2 is compatible with the hardening change starting with the Update 11.2.06101.
Earlier releases of FrontVue are not compatible with the hardening change.

We recommend that FrontVue users install a compatible Maintenance Release so that the hardening change can be enforced.

If such an update of FrontVue is not possible, users have no choice but to disable the hardening change. If it is enabled on a system running an incompatible release, FrontVue cannot connect to any OPC server (including PcVue in FrontVue/PcVue architectures).

3rd party OPC products

Even though PcVue is compatible with the DCOM hardening change, users of PcVue may be using OPC components from 3rd parties that are not compatible with the coming change.
We recommend that users check with the vendors of the OPC products they use and make sure they are compatible. The hardening change is likely to affect OPC clients more than OPC servers.

How to test and troubleshoot potential issues

The 1st Windows update introduces the change and makes it possible to enable it manually via a registry key (RequireIntegrityActivationAuthenticationLevel).
Please refer to the Microsoft article KB5004442 for more information about how to enable/disable the hardening change.

Microsoft has also introduced new error events designed to help with troubleshooting.
They are located in the System log and associated with the source DistributedCOM.
The system logs these events when it detects that a DCOM client application is trying to activate a DCOM server using an authentication level lower than RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. The server-side event identifies the client device, and the client-side events on that device identify the application.

Please refer to the Microsoft article KB5004442 for more information about how to use these new events for diagnostic purposes.

Note that these new events are only available on a subset of the Windows versions affected by the change.

Server event:

  Event ID 10036
  Message: “The server-side authentication level policy does not allow the user %1\%2 SID (%3) from address %4 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.”
  Parameters: %1 – domain, %2 – user name, %3 – user SID, %4 – client IP address

Client events:

  Event ID 10037
  Message: “Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with explicitly set authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor.”

  Event ID 10038
  Message: “Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with default activation authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor.”
  Parameters (both events): %1 – application path, %2 – application PID, %3 – CLSID of the COM class the application is requesting to activate, %4 – computer name, %5 – value of the authentication level
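A defender-side check covering both halves of this section, added here as an example and not part of the original article or of the PcVue/FrontVue products: it reads the current RequireIntegrityActivationAuthenticationLevel value and lists recent 10036/10037/10038 events with their insertion strings decoded. The registry path under HKLM\SOFTWARE\Microsoft\Ole\AppCompat is the one documented by Microsoft in KB5004442; the assumption that each event's Properties follow the %1..%n order is mine.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell
# session on a Windows host that already has the first KB5004442 update.
# Registry path/value follow Microsoft's KB5004442 (0 = hardening disabled,
# 1 = enabled); Properties[] matching the %1..%n order is an assumption.

$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$ValueName = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (OS default for this update level applies)' }
    switch ($item.$ValueName) {
        0       { 'disabled (0)' }
        1       { 'enabled (1)' }
        default { "unexpected value $($item.$ValueName)" }
    }
}

# Collect the DistributedCOM diagnostic events of the last 7 days.
$Since  = (Get-Date).AddDays(-7)
$Events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036, 10037, 10038
    StartTime    = $Since
} -ErrorAction SilentlyContinue

"RequireIntegrityActivationAuthenticationLevel: $(Get-DcomHardeningState)"
if (-not $Events) { "No events 10036/10037/10038 since $Since"; return }

# Turn the positional insertion strings into named fields so server-side hits
# (10036: which user, from which address) can be matched with client-side hits
# (10037/10038: which application, which CLSID, which level it asked for).
$Rows = foreach ($e in $Events) {
    $p = @($e.Properties | ForEach-Object { $_.Value })
    if ($e.Id -eq 10036) {
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Side = 'server'
            Detail = "user $($p[0])\$($p[1]) (SID $($p[2])) from $($p[3])" }
    } else {
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Side = 'client'
            Detail = "$($p[0]) PID $($p[1]) -> CLSID $($p[2]) on $($p[3]) at level $($p[4])" }
    }
}
$Rows | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Run it on the OPC server to see who is being rejected (10036), then on the client hosts it names to find the offending application (10037/10038) before deciding whether to update the OPC component or temporarily disable the hardening.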

Created on: 01 Mar 2022 Last update: 04 Sep 2024