Hello,
My customer is encountering issues with DCOM since applying the Windows Update patch KB5004442.
The effect is that the OPC connection to the PcVue OPC server freezes over time. The problem can only be resolved by rebooting the system.
Obviously, the problem is that this patch applies enhanced security constraints on the DCOM connection (a result of Windows vulnerability 2021-26414) and that OPC clients need to take that into account by setting the minimum authentication level accordingly.
For now the hardening changes can be disabled by using a RegistryKey but will become obligatory by Q2/2022.
Has anyone else seen this problem?
I suppose that this could also be a potential issue for PcVue/FrontVue architectures in the near future...?
Thanks a lot Armin for sharing this.
Effectively I received at least 2 support calls in past days where HDS was unable to link SV32
(COM Handle leak detected on HDS.LOG).
I think it can be related... no?
🙂
Oh yes, the HDS connection may eventually be impacted, too. I don't know...
I am currently checking with other sites if the problem also affects localhost scenarios or only remote ones.
Hello friends,
following this topic - I just received a mailing list from Matrikon about these changes in DCOM security.
In 2022, Microsoft will complete deployment of a Windows DCOM Security update which may disrupt OPC Classic architectures that rely on DCOM for their network communications. Not all OPC Classic systems will be affected, but OPC Classic users are strongly advised to review the information provided in this whitepaper to confirm whether their systems will be affected and to take timely, effective steps to prevent OPC Classic communication disruptions.
Attached to this mailing, there was an interesting (even if commercially oriented to sell Matrikon OPC Tunneller) whitepaper (see page 6) that I attach to this post - about:
◦ What the DCOM security changes are and what systems they apply to.
◦ The potential impact this DCOM security update will have on affected systems.
◦ Options for how to solve or mitigate potential connectivity issues
Hope it helps.
Hello,
Some information from the dev team.
"It is almost certain that modifications will be necessary in FrontVue, but also for PcVue as a service. But for the moment the fixes related to this vulnerability are not yet active by default in Windows.
There can therefore be no side effect before the second phase of deployment, scheduled for the first quarter of 2022, which will activate the update by default."
More information: https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c
To confirm what Anthony wrote, the R&D will investigate and check what we need to do to accommodate the new behavior.
In the meantime, you can recommend users to deactivate the hardened behavior, as explained in the Microsoft KB article.
Extract:
Registry setting to enable or disable the hardening changes
During the timeline phases in which you can enable or disable the hardening changes for CVE-2021-26414, you can use the following registry key:
- Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
- Value Name: "RequireIntegrityActivationAuthenticationLevel"
- Type: dword
- Value Data: default = 0x00000000 means disabled. 0x00000001 means enabled. If this value is not defined, it will default to disabled.
Note: You must enter Value Data in hexadecimal format.
Important: You must restart your device after setting this registry key for it to take effect.
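As an added example (not code from this thread, from PcVue, or from the Microsoft KB), a PowerShell check a site can run on an OPC host before switching the hardening on: it reads the registry value quoted above and lists the DCOM authentication-level events the hardened policy has already logged, which name the client applications that still need a vendor fix. The registry path and value are taken from the KB extract above; the event IDs and the provider name are assumptions to verify against the linked KB article.

```powershell
# Added example, not code from the thread or from Microsoft: audit the CVE-2021-26414
# DCOM hardening state on an OPC host and list the activation requests the hardened
# policy has already rejected. Run in an elevated PowerShell session on the OPC server.

$regPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$valueName = 'RequireIntegrityActivationAuthenticationLevel'

# Value semantics from KB5004442: absent or 0 = hardening disabled, 1 = enabled.
# After Microsoft's final (mandatory) update the key no longer has any effect.
$item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Output "$valueName is not defined: the OS default for this update phase applies"
} else {
    $state = if ($item.$valueName -eq 1) { 'ENABLED' } else { 'DISABLED' }
    Write-Output ("{0} = 0x{1:X8} ({2})" -f $valueName, $item.$valueName, $state)
}

# Event IDs assumed from the linked KB article (verify against it): 10036 is logged on the
# DCOM server when a client activates with an authentication level below Packet Integrity
# and the hardened policy rejects it; 10037 and 10038 are logged on the client side when
# its own (explicit or default) level is too low. Either way they name the application to fix.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036, 10037, 10038
}
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No DCOM authentication-level events in the System log.'
} else {
    # Group by event id and message so repeated rejects from the same client collapse
    # into one line; the count shows how noisy each offending client is.
    $events |
        Group-Object Id, Message |
        Sort-Object Count -Descending |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Count   = $_.Count
                EventId = $first.Id
                Last    = ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated
                Message = ($first.Message -replace '\s+', ' ')
            }
        } | Format-Table -AutoSize -Wrap
}
```

Reading the registry value alone only tells you which phase the machine is in; the grouped events are what identify the remote OPC client (for example an unpatched FrontVue) that will freeze once the hardening becomes mandatory.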
We promised some news after thorough tests. Here we are.
The Windows updates are designed to harden DCOM security by raising the bar for the minimum authentication level. This is part of a Microsoft effort to fix vulnerabilities described in CVE-2021-26414.
More info here: Microsoft KB5004442
Microsoft has a 3-step plan:
- Step 1: A first update was rolled out in June 2021. It introduces the hardening and makes it possible to activate it for testing software applications. It is not activated by default and had no direct consequence for users.
- Step 2: A second update will be rolled out soon. It activates the hardening by default, but it will still be possible to deactivate it. Originally planned for March 2022, Microsoft now announces it for June 14th 2022.
- Step 3: A third update will make the hardening mandatory. Users will have to make sure their systems are OK before installing this 3rd update. Microsoft announces a rollout in March 2023.
In the last weeks, we have been testing the consequences of this DCOM hardening on our products.
PcVue: No consequence
All COM/DCOM components in PcVue do support the hardening change neatly, and there is no need for a fix.
Even if PcVue behaves itself, users of our products may be using OPC Classic components from 3rd parties (think OPC-DA servers or OPC-DA clients). Such 3rd party components may not be compatible with the coming DCOM hardening.
Action: We recommend users to check with vendors of OPC Classic products they use and make sure they are compatible. The hardening change is likely to affect pure OPC clients more than OPC servers.
FrontVue: Is not compatible with the hardening change
We are preparing a fix.
Action: FrontVue users should be warned not to activate the hardening change in production systems until a fix is available.
Once the hardening is activated, FrontVue cannot connect to any OPC server (including PcVue in FrontVue/PcVue architectures).
Next steps:
- A KB article with explanations about this: publication in the coming days
- An emailing to products' users will be prepared and sent: planned for next week
- An update of the KB article related to DCOM configuration recommendations
- A patch for FrontVue
Just in case, Joël Girard and Anthony Chaverot can help you if need be.
Stay tuned and feel free to report here any trouble related to these updates.
Thank you
Benoît
The KB article with explanations and recommendations is published: KB1151
Hi,
Just in case, Microsoft has announced an additional step in the rollout of updates.
On Nov 8th 2022, they will roll out an update that automatically raises authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY if it is below Packet Integrity.
The deadline for the final update is still March 2023.
I have updated the KB article to reflect the most recent announcements from Microsoft.
Regards
Benoît Lepeuple