Microsoft DCOM Hardening Patches – How This Can Affect Your AVEVA Software & What You Need to Know
AVEVA is actively researching the impacts of upcoming patches on its products. They are aware of Microsoft’s latest timeline and we expect to get an update from them in the near future. Note that Microsoft pushed the timeline and the next patch is not expected until June. The latest information can be found in Tech Alert TA32813. We recommend subscribing to this alert to be notified via email of the latest information from AVEVA.
Registered customers can subscribe directly via the GCS support site:
Background:
DCOM is used for communication between the software components of networked devices. This includes OPC-DA servers and clients (like FS Gateway and connections to Kepware, etc) to control, secure, and authenticate data transactions. However, its security is inadequate for modern cybersecurity requirements – it is a common attack vector for hackers and malware and leaves these components vulnerable to attack.
Patches from Microsoft will impact systems or solutions that utilize OPC-DA or Windows APIs to pass or acquire data or otherwise communicate with control systems (e.g., PLC programming software).
In June 2021, Microsoft delivered a security update that included the ability to add a registry key to enable the hardening of DCOM as provided in KB5004442 by setting the key to 1 (enable). NOTE: AVEVA currently recommends setting the registry setting to the enabled state. (per the current Tech Alert)
Upcoming Patches:
On the 14th June, 2022, this value will be enabled by default, with the ability to disable via registry key.
Then on March 14, 2023, it will be ON by default with the ability to disable removed.
For your convenience, you can view a transcription of the Tech Alert below:
System Platform issue with Microsoft Update KB5004442
Affected versions
- System Platform 2020 R2
- System Platform 2020 R2 SP1
- System Platform 2014 R2 SP1 P02
Situation
In June 2021, Microsoft delivered a security update that included the ability to add a registry key to enable the hardening of DCOM as provided in KB5004442 by setting the key to 1 (enable).
NOTE: As note below, AVEVA currently recommends leaving the registry setting in the disabled state.
Link to Microsoft Article
Known Issues
NOTE: Issues are experienced only with the registry setting enabled. No issues are encountered with the setting disabled.
- OI Gateway OPC is unable to browse and connect to Matrikon OPC.
- Browsing for OPC Server and items from one node to a remote OPC Server node fails. This includes browsing from an Application Server IDE on the GR node to a remote OI Server node that has Wonderware OI Servers installed.
NOTE: Although browsing the OPC data fails, internal testing on previously-configured OPC data flows shows that they are not disrupted.
NOTE: Local browsing from IDE in the OPC Client Object to a locally installed OI or OPC Server will continue to work fine.
- Application Server remote deployment may fail (deployment conducted from an IDE remote to the GR Node) with the Jun- Jul 2021 Microsoft Updates.
NOTE: This issue is resolved with Aug 2021 (and later) Microsoft Updates.
Solution / Workaround
1. Install KB5004442 on all computers.
2. Disable the DCOM hardening registry key. A reboot is required to apply the update to the registry.
NOTE: As always AVEVA highly recommends thorough testing of all system updates or KBs in a non-production environment prior to applying to your production environment.
- AVEVA Development continues testing and the information in this Tech Alert is subject to change. Subscribe to this Tech Alert to be notified of future changes.
Registry details
During the timeline phases in which you can enable or disable the hardening changes for CVE-2021-26414, you can use the following registry key:
Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
Value Name: “RequireIntegrityActivationAuthenticationLevel”
Type: dword
Value Data: default = not defined or 0x00000000 means disabled. 0x00000001 = enabled.
Set to 0 for Disabled (default prior to Q1 2022 after which time may be enabled by default)
Notes:
- You must provide Value Data in hexadecimal format.
- Enabling the registry key above will make RPC servers enforce an Authentication-Level of PC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher.
- Reminder: You must restart your device after setting this registry key for it to take effect.