Digitalization of previously disconnected data has been transformative for businesses across industries. With increased efficiency and unparalleled access to information, however, comes risk as opportunistic cybercriminals lurk, searching for exposures.
Concerns surrounding potential cyber-attacks and the demand for increased security were further emphasized when Microsoft publicly disclosed a medium-severity vulnerability with Distributed Component Object Model (DCOM) in June of 2021. The vulnerability, identified as CVE-2021-26414 or the Windows DCOM Server Security Feature Bypass, was revealed to be a common attack vector for cybercriminals.
DCOM is typically used for communication between software components of networked devices. This important protocol also includes OPC-DA servers and clients for controlling, securing, and authenticating data transactions such as Windows applications.
To address this issue, Microsoft has deployed two of three DCOM hardening patches. However, it is important to note that in the last release, scheduled for March 14, 2023, hardening changes will be enabled by default. Following that patch, you will not have the ability to disable them. Any compatibility issues with the hardening and applications in the environment must be resolved.
Patch management is an important tool for addressing advancements in cybersecurity. However, it doesn’t come without its challenges and these connectivity and compatibility issues are an example of that.
Products Impacted
Industrial Automation Software and Hardware Products are being impacted on the Plant Floor, including:
Rockwell Automation
With the DCOM hardening patch, products that use DCOM for connectivity are unable to establish a proper DCOM connection. Products that are affected by this hardening patch use FactoryTalk, Services Platform, FactoryTalk Live Data, OPC-DA or Windows APIs to establish the DCOM connection. Directly affected products are ThinManager and indirectly affected products are Studio 5000 Logix Designer and FactoryTalk Product Management.
Siemens
SIMATIC PCS 7 products with versions V8.2, V9.0 and V9.1 are affected by the hardening patch. Products will need to be updated before the March 14th, 2023 Microsoft hardening patch is applied to resolve issues with compatibility. Siemens has released the following information regarding updates to resolve the compatibility issues: Open OS V9.1 pd1 (included in Open OS V9.1 SP1), Open OS V9.0 Upd2 (planned for Q1/2023) and Open OS V8 Upd2 (planned for Q1/2023). Siemens recommends to plan patch management of Siemens products and the Microsoft hardening patch individually to avoid incompatibility.
AVEVA
AVEVA is continuing to publish information to Tech Alert TA32813 related to the Microsoft DCOM patching. Currently, it is recommending to leave the registry setting in the disabled state. There are only issues when leaving the registry setting enabled, which disabled DCOM. Some of the impacts are:
- OI Gateway and FS Gateway OPC is unable to browse and connect to OPC data.
- Browsing for OPC Server and items from one node to a remote OPC Server node fails.
- Historian Server remote administration from within the SMC does not work.
- AVEVA Enterprise Data Management OPC Real-Time Service fails to connect to a remote OPC DA server.
- OPC clients fail to connect to AVEVA Enterprise Data Management OPC Data Server DA/HDA.
AVEVA recommends installing the security patches from Microsoft to date on all computers and to disable the DCOM registry key as described in Microsoft KB5004442.
"Patch management is an important tool for addressing advancements in cybersecurity. However, it doesn’t come without its challenges and these connectivity and compatibility issues are an example of that." - John Peck, Senior Security Engineer, Gray Solutions
Next Steps
- Evaluate all software used within your organization to determine if any products are affected by the Microsoft hardening patch in KB5004442.
- Plan and execute any necessary actions and testing to resolve compatibility issues with products prior to the release date of Microsoft’s final patch for CVE-2021-26414 on March 14th, 2023.
- Determine any mitigation steps necessary if any products cannot resolve the compatibility issues with the Microsoft hardening patch before March 14th, 2023.
