
October 12, 2022

Microsoft Update KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)

A recent vulnerability (CVE-2021-26414) discovered in Windows allows for server security to be bypassed leaving the server vulnerable to malicious attack. Microsoft has since patched the vulnerability under update KB5004442. The update will be released in stages from June 2021 through March 2023, allowing users and vendors to add support for the update.

· Stage 1 – The hardening patch will be delivered through a Windows update, but it will be disabled. It can be manually enabled through a registry key. No changes will be required at this time.

· Stage 2 – A Windows update will be delivered which enables the patch. This will affect all computers that don’t have the patch manually disabled. With this update, the patch can still be manually disabled through the use of a registry key. Once the Windows update is installed and the patch is enabled the server is effectively hardened and the client/server OPC software must support the necessary level of authentication.

· Stage 3 – A Windows update will be delivered to permanently enable the patch. This will result in a completely hardened server with no ability to disable the patch outside of rolling back the update. Both the servers and clients must be compatible with the impending changes.

Details for the stages, registry keys, and how to identify if there are existing issues can be found in the details for KB5004442.

Microsoft Timeline

Update release (1) – Behavior change

June 8, 2021 – Hardening changes disabled by default, but with the ability to enable them using a registry key.

June 14, 2022 – Hardening changes enabled by default, but with the ability to disable them using a registry key.

March 14, 2023 – Hardening changes enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues between the hardening changes and the applications in your environment.

(1) Release dates are subject to change; refer to the KB5004442 article for the current schedule.

What is affected?

Operating systems in active support by Microsoft will receive the DCOM hardening update. Once hardened, host machines will require an elevated method of authentication for RPC calls to function properly. Client and server applications that communicate remotely must both support the elevated authentication methods if the host end is hardened.

What isn’t affected?

· Clients that are local to the OPC server will not be affected by this regardless of the patches applied.

· Client/server connections that utilize OPC UA are not affected.

· Hardened client computers connecting to non-hardened application servers will not require any changes as the server end has not yet been hardened.

· Servers running versions of Windows that are no longer supported by Microsoft, for example Windows XP, Windows 7, Server 2008 and prior.

What constitutes a client?

A client is defined as any application or service that will connect to the OPC server utilizing the DCOM interface. An example of a client connection would be an HMI connecting to an OPC server utilizing OPC DA, HDA, or OPC AE.

Identifying the Issue

Microsoft has added logging to the Windows Event log to help identify applications that are experiencing issues. These log messages are described in article KB5004442, but in general, if a client fails to connect because of DCOM hardening, there will be messages indicating that either the server application or the client application needs to raise its authentication level to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher. Please reference the published article by Microsoft for more details on these messages.

Which AUTOSOL products are affected?

Products and software released by AUTOSOL that will be affected by these changes are listed below. Note that all versions of the products listed below will be affected.

· AUTOSOL Communication Manager (ACM)

· AUTOSOL Bridge

· AUTOSOL Enterprise Server (AES)

· DBClient

· AlarmManager

· Modbus Slave

· OPCMessenger

Which AUTOSOL products will be updated?

If the product is currently under active maintenance, then AUTOSOL will provide an update for the currently supported versions of that product. For example, ACM versions 9.0.1, 9.0, 8.0, 8.1, and 8.2 are all under active support at the time of this post. The last hardening update from Microsoft is scheduled to be pushed out in March of 2023. Versions listed under Active Maintenance in the ACM Software Maintenance Policy will receive an update that supports the changes required by the hardening process; per the table in that policy, those versions include 8.0.1 and newer.

Product          Active Maintenance   Planned Update for CVE-2021-26414
ACM              Y                    Y
AUTOSOL Bridge   Y                    Y
AES              N                    N
DBClient         Y                    Y
AlarmManager     N                    N
MBSlave          N                    N
OPCMessenger     N                    N

What should I do if my product is not going to receive an update?

There are multiple factors to consider if your product is not going to receive an update. If your product is not set to receive an update, then it is out of active maintenance and has reached its End of Life. Alternate offerings may be available from AUTOSOL for products that have reached End of Life. Contact AUTOSOL Support at autosol.support@autosoln.com, 281-286-6017, to identify the best path forward.

What should I do if I’m currently using AES?

AUTOSOL Communication Manager (ACM) has been released for more than 10 years and is the successor to AES. AES has been out of support since 2010. AUTOSOL offers a migration path to ACM if you are currently a user of AES. Contact AUTOSOL Support or visit https://autosoln.com/solutions/protocols-supported/ to confirm that the protocols in your system are among those supported by ACM. Contact your salesperson or call 281-286-6017 for more information regarding an upgrade path.

What should I do if my server is running an OS that is not currently supported by Microsoft?

No action is needed for hardening because the server will not get the hardening update.

· Note: This is not a recommended operating state and leaves your system susceptible to attack. AUTOSOL recommends migrating to a new host with up-to-date and supported software.

How do I know if my non-AUTOSOL client application is compatible with the hardening changes?

Contact the software vendor directly for more information. If the client application is remote to the host server and fails to function properly, look for messages regarding RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in the Windows Event log. Consult the KB5004442 article to determine if it’s a client or server application issue and then contact the necessary parties.
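The following PowerShell script is an added example for the "Identifying the Issue" section above and for this question; it is not code from AUTOSOL or from the KB5004442 article. It reports whether the host has the hardening explicitly enabled or disabled through the registry, and then lists the DCOM hardening events from the System log so you can see which side (server or client) is still below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. It assumes the registry value (RequireIntegrityActivationAuthenticationLevel) and the event IDs (10036 server side, 10037 and 10038 client side) that Microsoft documents for this change.

```powershell
# Added example, not code from AUTOSOL or from KB5004442. Assumes the registry value and
# the System-log event IDs that Microsoft documents for the DCOM hardening change.
# Run in an elevated PowerShell session on the OPC server host (or on a client host).

$key  = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$name = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    # Absent value: the host follows the default for its patch level (see the timeline).
    # 0 = hardening explicitly disabled (honoured only before the March 2023 update).
    # 1 = hardening explicitly enabled.
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) { return "$name not set: the default for this patch level applies" }
    if ($value -eq 0)     { return 'Hardening explicitly DISABLED via registry' }
    if ($value -eq 1)     { return 'Hardening explicitly ENABLED via registry' }
    return "Unexpected value $value for $name"
}

function Get-DcomHardeningEvents([int]$Days = 7) {
    # 10036 is logged on the SERVER: a remote client activated DCOM below PKT_INTEGRITY.
    # 10037/10038 are logged on the CLIENT: a local application requested an explicit
    # (10037) or default (10038) activation level below PKT_INTEGRITY.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id
            LoggedOn = if ($_.Id -eq 10036) { 'server: remote client too low' } else { 'client: local app too low' }
            Mentions = $_.Message -match 'RPC_C_AUTHN_LEVEL_PKT_INTEGRITY'
            Summary  = ($_.Message -split "`r?`n")[0]
        }
    }
}

Get-DcomHardeningState
$events = @(Get-DcomHardeningEvents)
if ($events.Count -eq 0) {
    'No DCOM hardening events in the last 7 days.'
} else {
    $events | Sort-Object Time -Descending | Format-Table -AutoSize
}
```

Run it on both the OPC server host and the remote client host: a 10036 entry on the server points at the remote client application, while 10037/10038 entries on a client host point at the application running there.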

How do I get updates from AUTOSOL?

Releases for the affected products are not yet officially available; however, temporary workarounds may exist depending on the software in question. Releases for the products slated to be updated will be uploaded to our download repository once available. Please contact AUTOSOL Support at autosol.support@autosoln.com, or call 281-286-6017, for additional details.