
Windows DCOM Server Security Feature Bypass

13.06.2022


UPDATE 21.06.2022: OPC Classic Client has now been fixed as well.

Microsoft has disclosed a vulnerability in DCOM (CVE-2021-26414, Windows DCOM Server Security Feature Bypass, documented in KB5004442) and has decided to roll out hardening changes in phases through the regular Windows updates.

The change affects OPC classic applications that use remote connections and the OPC Foundation has also released a notification about the issue.

The timeline for the updates is as follows:

June 8, 2021 Hardening changes available, but disabled by default.
June 14, 2022 Hardening changes will be enabled by default in Windows updates. You can still disable the changes.
March 14, 2023 Hardening changes will be enforced in Windows updates.

The changes affect OPC classic client applications that connect to OPC classic servers running on another computer (using Distributed COM). Connections within the same computer (plain COM) are not affected.

The hardening takes effect when Windows is updated on the server computer: a hardened server rejects DCOM activation requests whose authentication level is below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. As a result, client applications running on other computers will need to be updated to request at least that level.

Prosys OPC products affected

The hardening changes affect directly

Fixed products

The update to Prosys Sentrol is pending (see below for how to deal with this in the current version).

Overcoming the problems in your own products

Update to Sentrol applications

To enable connections to updated servers, OPC client applications built with Prosys Sentrol must be modified to initialize COM Security in the Project Source as follows:

program Xxx;

uses
  PsComUtils,  // provides PsInitComSecurity
  ...

begin
  // Must run before any COM/DCOM object is created in the process:
  // COM security can be initialized only once per process.
  PsInitComSecurity(alPacketIntegrity, ilIdentify);
  ...

The change to the default initialization will be applied in the next release of Prosys Sentrol, after which the call above will be unnecessary in applications, since the library will make it automatically. At the moment, COM security is initialized at the alConnect level, which used to be enough to make remote connections. A hardened server, however, only accepts activation requests made at packet integrity level (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in the Windows API) or higher, which is what alPacketIntegrity requests.

Move to OPC UA

An alternative way to overcome the issue is to avoid remote DCOM connections between the OPC applications. Instead, you should consider moving the connections to use OPC UA, by applying OPC UA Gateway as a tunneler, for example.

Or, you should consider supporting OPC UA in your own applications, which is also possible with Prosys Sentrol.

Enabling and disabling the changes

The changes can be enabled and disabled (until March 14, 2023, after which they are enforced regardless of this setting) using the following Windows Registry value on the server computer. Note that disabling it reopens CVE-2021-26414 on that server, so use the disabled state only for diagnosis and re-enable it afterwards:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\
RequireIntegrityActivationAuthenticationLevel (DWORD value)

The value 1 means that the hardening is enabled and 0 means that it is disabled. If the value is absent, Windows uses the default of the current phase: disabled before June 14, 2022 and enabled from then on.

Note that you have to restart the computer for the changes in the registry key to take effect.


The feature has been available since June 8, 2021, so if you have the latest updates installed on your Windows computers, you can try it out.
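The following PowerShell helpers are an added example, not code from the original post or from Prosys: they read and write the registry value described above on the server. The function names are my own; everything else (key path, value name, DWORD type, the meaning of 0 and 1) is taken from the text. Run them in an elevated PowerShell on the server computer and reboot afterwards, as the text requires.

```powershell
# Added example (not from the original post): inspect and toggle the
# RequireIntegrityActivationAuthenticationLevel policy on a DCOM server.
# Run in an elevated PowerShell on the server; reboot for the change to
# take effect. The value is honoured only until the enforcement phase
# (March 14, 2023); after that the hardening is always on.

$AppCompatKey = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$PolicyValue  = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardening {
    # Returns 'Enabled', 'Disabled' or 'NotSet'. 'NotSet' means the
    # Windows default for the current phase applies (enabled from the
    # June 14, 2022 update onward).
    $item = Get-ItemProperty -Path $AppCompatKey -Name $PolicyValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ($item.$PolicyValue -eq 1) { return 'Enabled' } else { return 'Disabled' }
}

function Set-DcomHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][bool]$Enabled)

    if (-not (Test-Path $AppCompatKey)) {
        New-Item -Path $AppCompatKey -Force | Out-Null
    }
    $value = if ($Enabled) { 1 } else { 0 }
    if ($PSCmdlet.ShouldProcess("$AppCompatKey\$PolicyValue", "Set DWORD to $value")) {
        # -Type DWord makes this a REG_DWORD, as the KB article requires.
        Set-ItemProperty -Path $AppCompatKey -Name $PolicyValue -Value $value -Type DWord
        Write-Warning "DCOM hardening is now $(Get-DcomHardening). Reboot the server before testing."
    }
}

# Usage:
#   Get-DcomHardening                 # show the current state
#   Set-DcomHardening -Enabled $false # disable only for a legacy-client test
#   Set-DcomHardening -Enabled $true  # re-enable (the secure setting)
#   Restart-Computer
```

Set-DcomHardening supports -WhatIf, so you can preview the write before touching a production server.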

Testing

You should be able to see the effect, for example, by connecting remotely with Prosys OPC Client version 2.0 to Prosys OPC Simulation Server. If the hardening is disabled on the server and you have configured DCOM and the firewall to allow connections, you should be able to see the list of servers and connect to the Simulation Server.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\
RequireIntegrityActivationAuthenticationLevel=0 (DWORD value)

(Reboot after change)


Make sure you have opened access to the OpcEnum service in the DCOM Configuration of the server computer. It must also run with at least the ‘Connect’ Authentication Level. Alternatively, you can skip browsing and connect directly to the server. If the server is also installed on the client computer, you can use the ProgID, e.g. ‘Prosys.OPC.Simulation’; otherwise you will need to use the CLSID, e.g. ‘{EB3A5F8E-7938-464C-AEFA-898335B1E6B5}’, in the Server field.


When the hardening is enabled on the server, the client application should get an ‘Access denied’ error (HRESULT 0x80070005, E_ACCESSDENIED) when it tries to activate the server.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\
RequireIntegrityActivationAuthenticationLevel=1 (DWORD value)

(Reboot after change)


You can also enable logging of DCOM errors on the server computer to validate this. To do so, add the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\
CallFailureLoggingLevel=1 (DWORD Value)

After this, you should see the following error in Event Viewer under Windows Logs - System (you can start Event Viewer by typing ‘Event Viewer’ in the Start Menu):

(Screenshot: Event Viewer showing the DCOM error logged by the server)
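The same check from PowerShell, as an added example that is not part of the original post or of Prosys' tooling: the first function writes the CallFailureLoggingLevel value described above, the second lists the server-side rejections. The function names are assumptions of this example; the event ID 10036 and provider name are the ones Microsoft documents in KB5004442 for activations refused under this policy.

```powershell
# Added example (not from the original post): enable DCOM call-failure
# logging on the server and list the activations it has refused because
# the client's authentication level was below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.

$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

function Enable-DcomFailureLogging {
    # CallFailureLoggingLevel=1 makes DCOM record failed calls and
    # activations in the System log (source Microsoft-Windows-DistributedCOM).
    Set-ItemProperty -Path $OleKey -Name 'CallFailureLoggingLevel' -Value 1 -Type DWord
}

function Get-DcomIntegrityRejections {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # Event ID 10036 is the server-side event Microsoft added in KB5004442:
    # "The server-side authentication level policy does not allow the user
    # ... to activate DCOM server. Please raise the activation authentication
    # level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application."
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036
        StartTime    = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                # The message names the user, SID and client address that were refused,
                # which is what you need to find the client that still has to be updated.
                Message = $_.Message
            }
        }
}

# Usage on the server, after a failed remote connection attempt from the client:
#   Enable-DcomFailureLogging
#   Get-DcomIntegrityRejections | Format-List
```

Running Get-DcomIntegrityRejections periodically during the opt-out phase gives you an inventory of the remote clients that still activate at Connect level, so they can be fixed before March 14, 2023 rather than discovered when the enforcement update lands.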

And finally, when you have an application that initializes COM security properly, you should be able to connect again. Stay tuned, we are updating Prosys OPC Client shortly.

Jouni Aro


Chief Technology Officer

Email: jouni.aro@prosysopc.com

Expertise and responsibility areas: OPC & OPC UA product development, project work and customer support

Tags: OPC, DCOM, Security
