Concerned Product Line
Environment
Windows
Description of the problem
This note announces an important break in OFS architectures. In response to a security issue, Microsoft released a security patch identified as KB5004442, intended to harden the DCOM and RPC technologies, which OPC DA may rely on in some cases.
More technical information about this patch can be found at the following URL:
https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c
Microsoft planned the deployment of this patch in 3 steps:
Step 1: Ongoing. The modification is implemented in Windows but inactive by default. It can be enabled through a registry key.
Step 2: June 2022. The modification is implemented in Windows and enabled by default. It can still be disabled through a registry key.
Step 3: March 2023. The modification is implemented and enforced, with no possibility to deactivate it.
Due to the high complexity of their configuration and their poor cyber security, we no longer recommend these remote architectures.
For customers who rely on such remote architectures (DCOM), once this patch is installed and enabled, OFS no longer communicates with remote clients.
Notes:
Remote architectures are those in which the OFS server runs on a different machine from the SCADA or the OPC DA client.
Local architectures (OFS server installed on the same machine as the SCADA / OPC DA client) are not affected by this problem.
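An added diagnostic script, not part of this note or of the OFS product, to check where a Windows host stands in the three-step rollout described above and to list the DCOM events that show a remote OPC DA activation being refused. The registry value name and the event IDs are taken from Microsoft's KB5004442 article linked above; they are not stated in this note.

```powershell
# Added diagnostic script (not from the OFS note). The registry value and the
# event IDs 10036/10037/10038 come from Microsoft's KB5004442 article, not from
# this note. Run in an elevated PowerShell on the OFS server machine and on the
# remote OPC DA client machine; the script only reads, it changes nothing.

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$valueName = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    # Returns $null when the key or value is absent (the Windows default applies).
    $item  = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$valueName } else { $null }

    if ($null -eq $value) {
        'Not set: behaviour follows the rollout step of the installed Windows updates ' +
        '(inactive before the June 2022 updates, enabled by default after them).'
    } elseif ($value -eq 0) {
        'Explicitly disabled: only honoured until the March 2023 enforcement step.'
    } elseif ($value -eq 1) {
        'Explicitly enabled: remote (DCOM) OFS clients will be rejected.'
    } else {
        "Unexpected value $value."
    }
}

function Get-DcomHardeningEvents {
    param([int]$Days = 7)
    # System log, DCOM hardening events (per KB5004442):
    #   10036 on the server side: an activation request was refused because the
    #         client's authentication level is below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY
    #   10037 / 10038 on the client side: a local application requested an
    #         activation below the required level (explicit / default level)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 10036, 10037, 10038
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Write-Host "DCOM hardening registry state: $(Get-DcomHardeningState)"
Write-Host 'DCOM hardening events in the last 7 days (none listed = none recorded):'
Get-DcomHardeningEvents | Format-Table -AutoSize -Wrap
```

A 10036 event on the OFS server naming the SCADA machine's address is the signature of the break described in this note; the absence of events on a host that is still on step 1 only means the hardening is not yet active there.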
Proposed workaround
At this moment, there is no way to fix this issue. For customers who face it, there are 2 possibilities:
Whenever possible, adapt the architecture to use COM instead of DCOM. This means installing the OFS server on the same machine as the OPC DA client.
or
Replace OFS with OPC UA Server Expert, in order to rely on the OPC UA protocol.
Reference | Description
TLXCDLUOFS36 | OPC DATA SERVER LARGE 1 STATION DVD
TLXCDLTOFS36 | OPC DATA SERVER LARGE 10 STATIONS DVD
TLXCDLFOFS36 | OPC DATA SERVER LARGE 200 STATIONS DVD
TLXCDUPDLOFS | OPC DATA SERVER LARGE UPDATE DVD
TLXCDSUOFS36 | OPC DATA SERVER SMALL 1 STATION DVD
TLXCDSTOFS36 | OPC DATA SERVER SMALL 10 STATIONS DVD
TLXCDUPDSOFS | OPC DATA SERVER SMALL UPDATE DVD