Tech Alert 220311 - MS KB500442 Windows DCOM Server Security Feature
This article from InSource discusses Microftsoft's KB5004442 Patch
- Author: Ted Fluehr
- Published: 03/11/2022
- Applies to: System Platform, OPC Communications and Thinmanager
InSource Tech Alert - 220311
MS KB5004442 - Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)
Microsoft released patch KB5004442 to address a vulnerability described in CVE-2021-26414 . This MS patch increases the minimum authentication level required for DCOM communications. This will ultimately have an impact on DCOM communications with some AVEVA/Wonderware products along with ThinManager installations.
Installing this MS patch can cause issues with the following products.
- System Platform/Applications Server 2020 R2 SP1 and older – Deployment issues.
- OPC-DA Communications (Potentially all versions) – Browsing issues.
- AVEVA Edge 2020 R2 SP1 and older.
- Indusoft Web Studio 2020 R2 and older.
- ThinManager – Communications between ThinManager Server and a remote client.
- The following is a link to AVEVA’s Tech Alert that discusses this issue for System Platform and OPC Communications. (TA000032813) (ta000032813a.pdf)
- ) The following is a link to AVEVA’s Tech Alert that discusses this issue for AVEVA Edge and Indusoft Web Studio. (TA000033204) (ta000033204.pdf)
This MS patch is being rolled out in 3 different phases as described below:
- June 8, 2021 - Hardening changes are disabled by default but with the ability to enable them using a registry key. (See below)
a. If you install this MS patch and have not manually enabled the hardening, you should not see any adverse issues at this time.
b. We do not recommend you manually enable this hardening at this time via the registry.
- June 14, 2022 – Hardening changes are enabled by default but with the ability to disable them using a registry key. (See below)
a. If patches or Hot Fixes are available for AVEVA products or ThinManager, you should install the patch or HF.
- AVEVA is in the process of formulating a plan to support the June 14 release of this MS patch. Please subscribe to the AVEVA Tech Alert(s) to be notified of any updates and patch releases. (TA000032813) (ta000032813.pdf) (TA000033204) (ta000033204.pdf)
b. If an AVEVA/ThinManager Patch or HF is not available, then you should manually disable this hardening via the registry settings shown below.
- March 14, 2023 – Hardening changes are enabled by default with no ability to disable them.
a. AVEVA & ThinManager will have patches or HFs available to address this MS patch by this timeline for supported versions.
Registry setting to enable or disable the hardening changes
During the timeline phases in which you can enable or disable the hardening changes for CVE-2021-26414, you can use the following registry key:
- Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
- Value Name: "RequireIntegrityActivationAuthenticationLevel"
- Type: dword
- Value Data: default = 0x00000000 means disabled. 0x00000001 means enabled. If this value is not defined, it will default to disabled.
Note You must enter Value Data in hexadecimal format.
Important You must restart your device after setting this registry key for it to take effect.
Note Enabling the registry key above will make DCOM servers enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.