UPDATE: Microsoft DCOM Hardening Patches – How This Can Affect Your AVEVA Software & What You Need to Know

This is an update to the first post Industrial Software Solutions made on March 7, 2022 about Microsoft hardening patches. To see that post, click here.

On March 16, 2022, AVEVA published an update to Tech Alert TA32813 (System Platform issues with Microsoft Update KB5004442 – DCOM Hardening). The Tech Alert identifies impacted products and known issues based on current testing results, and it provides suggested workarounds. Note that the existing workarounds will continue to be supported until the Microsoft patch expected in March 2023, per Microsoft's current timeline.

Research is ongoing. As more information becomes available regarding the impacts of Microsoft patches, AVEVA will continue to update TA32813 with the latest information. We recommend subscribing to this alert to be notified via email with any additional information provided by AVEVA.

Registered customers can subscribe directly via the GCS support site.

Background

DCOM is used for communication between the software components of networked devices. This includes OPC-DA servers and clients (such as FS Gateway and connections to Kepware) that control, secure, and authenticate data transactions. However, its security is inadequate for modern cybersecurity requirements: it is a common attack vector for hackers and malware and leaves these components vulnerable to attack.

In June 2021, Microsoft delivered a security update that included the ability to add a registry key that enables the hardening of DCOM as provided in KB5004442.

NOTE: AVEVA currently recommends leaving the registry setting in the disabled state. Read more below or in the linked alert.

These hardening patches from Microsoft will impact systems or solutions that utilize OPC-DA or Windows APIs to pass or acquire data or otherwise communicate with control systems (e.g., PLC programming software). While Microsoft has delayed the rollout of the next phase of these changes (see the link to the Microsoft article in the Note below), AVEVA continues to monitor Microsoft’s activities with their DCOM hardening plan and to research impacts. Known Issues and Workarounds regarding AVEVA products are outlined in TA32813. This alert will continue to be updated by AVEVA.

Link to Microsoft Article

Microsoft’s Current Patching Schedule on this Issue:

  • On June 14, 2022, hardening will be enabled by default, with the ability to disable it via the registry key.
  • On March 14, 2023, the hardening changes will be enabled by default with no ability to disable them.

For your convenience, you can view a transcription of the Tech Alert below:

System Platform issues with Microsoft Update KB5004442 – DCOM Hardening

Affected versions

  • System Platform 2020 R2 & R2 SP1
  • System Platform 2017 U3 SP1 & U3 SP1 P01
  • System Platform 2017 U2
  • System Platform 2014 R2 SP1 P02
  • OI Gateway and FS Gateway
  • AVEVA Enterprise Data Management OPC Real-Time Service (eDNA RTS)
  • AVEVA Enterprise Data Management OPC Data Server DA/HDA
  • InduSoft Web Studio 2020 R2 and older

Situation

In June 2021, Microsoft delivered a security update that included the ability to add a registry key that enables the hardening of DCOM as provided in KB5004442. Setting the key's value to 1 enables the hardening. While Microsoft has delayed the rollout of the next phase of these changes (see the link to the Microsoft article in the Note below), AVEVA continues to monitor Microsoft’s activities with their DCOM hardening plan. The monitoring activities include evaluating the potential impact on AVEVA’s software portfolio.

NOTE: As noted below, AVEVA currently recommends leaving the registry setting in the disabled state.
Link to Microsoft Article

Known Issues

NOTE: The following issues are experienced only with the registry setting enabled. No issues are reported when the setting is disabled.

  • OI Gateway and FS Gateway are unable to browse and connect to OPC data.
  • Browsing for an OPC Server and its items from one node to a remote OPC Server node fails. This includes browsing from an Application Server IDE on the GR node to a remote OI Server node that has Wonderware OI Servers installed. The same applies to Studio OPC DA Server and Studio OPC HDA Server, as well as to OPC DA 2.05 (legacy) and OPC XML/DA clients.
    • Although browsing the OPC data fails, internal testing on previously-configured OPC data flows shows that they are not disrupted.
    • Local browsing from IDE in the OPC Client Object to a locally installed OI or OPC Server will continue to work fine.
  • Historian Server remote administration from within the SMC does not work.
    • The workaround is to RDP to the machine on which Historian Server is installed and administer it locally.
  • AVEVA Enterprise Data Management OPC Real-Time Service fails to connect to a remote OPC DA server.
  • OPC clients fail to connect to AVEVA Enterprise Data Management OPC Data Server DA/HDA.

Solution / Workaround

  1. Install Cumulative Updates/Monthly Rollup Updates from September 2021 or later on all computers (KB5004442 is included).
  2. Disable the DCOM hardening registry key. A reboot is required to apply the registry update. Link to Microsoft Article

NOTE: As always, AVEVA highly recommends thorough testing of all system updates or KBs in a non-production environment prior to applying to your production environment.

Preferred Workaround Options for the AVEVA Enterprise Data Management related products:

  • AVEVA Enterprise Data Management OPC Real-Time Service: Deploy locally on the OPC server and use data bridging or use AVEVA OI Gateway.
  • AVEVA Enterprise Data Management OPC Data Server: Deploy locally on the same system as the OPC client.
    • Use data bridging with AVEVA Enterprise Data Management OPC Real-Time Service.

NOTE: AVEVA continues testing and the information in this Tech Alert is subject to change. Subscribe to this Tech Alert to be notified of future changes.

Registry details

During the timeline phases in which you can enable or disable the hardening changes for CVE-2021-26414, you can use the following registry key:

Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
Value Name: RequireIntegrityActivationAuthenticationLevel
Type: DWORD
Value Data: not defined or 0x00000000 = disabled (default); 0x00000001 = enabled.

Set to 0 for Disabled (the default prior to June 2022; after that date the hardening may be enabled by default, but with the ability to disable it using this registry key).

Registry Setting Notes:

  • You must provide Value Data in hexadecimal format.
  • Enabling the registry key above will make RPC servers enforce an authentication level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher.
  • Reminder: You must restart your device after setting this registry key for it to take effect.
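As an added example (not code from AVEVA, Microsoft, or this post), the following PowerShell script audits the registry value described above and, only when run with -Disable, applies the workaround of setting it to 0. The event-log check assumes Event ID 10036 in the System log, which Microsoft documents in KB5004442 for activations rejected by the server-side authentication-level policy; that event is not mentioned in the alert itself.

```powershell
# Added example (not AVEVA's or Microsoft's code): audit the DCOM hardening switch
# described in the alert and, only when -Disable is passed, apply the workaround.
# Run from an elevated PowerShell session on the node being checked.
param([switch]$Disable)

$RegPath = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$RegName = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    # Semantics from the alert: value absent or 0x00000000 = disabled, 0x00000001 = enabled.
    $item = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Hex = 'not defined'; State = 'Disabled' }
    }
    $raw = [int]$item.$RegName
    $state = switch ($raw) { 0 { 'Disabled' } 1 { 'Enabled' } default { 'Unexpected' } }
    [pscustomobject]@{ Hex = ('0x{0:X8}' -f $raw); State = $state }
}

function Disable-DcomHardening {
    # Writes DWORD 0 (disabled); creates the key if it is missing. Takes effect after a restart.
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $RegName -Value 0 -Type DWord
    Write-Warning 'Registry updated; restart the machine for the change to take effect.'
}

function Get-DcomAuthLevelRejections {
    # Assumption: Event ID 10036 in the System log, documented by Microsoft in KB5004442
    # (not in the AVEVA alert), records activations rejected by the server-side
    # authentication-level policy. Reviewing it helps identify remote OPC clients that
    # will stop working once hardening is enforced.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10036 } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

$state = Get-DcomHardeningState
Write-Host ("{0} = {1} ({2})" -f $RegName, $state.Hex, $state.State)
if ($Disable -and $state.State -ne 'Disabled') { Disable-DcomHardening }
Get-DcomAuthLevelRejections
```

Run without -Disable first to record the current state of each node; the AVEVA alert asks that any change be tested in a non-production environment before it is applied to production.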

Additional Information

This article will be updated again in the weeks ahead as research is completed. Please continue testing the setting on your systems in non-production environments only.