OptoOPC Server and the Microsoft DCOM hardening patch

kprickett · June 10, 2022, 12:24pm

Just wondering if the fine folks at Opto22 have checked to see if the Microsoft DCOM Hardening patch (CVE-2021-26414) will have any adverse affects to OptoOPCServer connectivity? I have been getting notifications from other vendors (Rockwell Automation especially) indicating issues with certain primary applications in their ecosystem not working correctly with the hardening patch activated. I suspect that the OPCServer is probably not widely used in the community, but for me it is fairly significant as this is the route we have been using for years to get Opto22 processor data into our PI Historian. Yes, there are more modern ways to do this, like with API calls and JSON parsing, but for us users that still have a large base of SNAP processors and I/O out there, OptoOPCServer is also still the best option for allowing multiple PACDisplay clients to connect to individual processors. I searched a little through the forums and didn’t see this question addressed previously, so I thought I would put it out there and see if this may be an issue waiting to bite me. Thanks in advance for any responses.

Beno · June 10, 2022, 5:18pm

Hi Kevin. Welcome to the Opto forums.

I am going to reach out to our software engineers and get back to you on this one…

kprickett · June 10, 2022, 6:12pm

Thanks Ben! I appreciate it.

LadyBNC · June 17, 2022, 6:51pm

Thank you Kevin for Bringing this up. OPC is integral to my system for similar reasons (multiple Display stations and Data dissemination). I look forward to good news on this one…Thanks Beno!

Beno · June 17, 2022, 10:56pm

Not much of an update, but since this topic seems to be on a few peoples minds… our engineers here said it took a little longer to setup the test environment, but that’s almost done. I believe the plan was to get everything running pre-patch, then apply the patch and test again.
Thanks for your patience.

Beno · July 29, 2022, 4:45pm

@kprickett and @LadyBNC
The initial in-house testing on this DCOM hardening change is complete.

The short version is that there are no code changes required to either OptoOPCServer or PAC Display, just some settings on the users computers need to be changed followed by a reboot.

The slightly longer version is that we found just how ‘old’ the OptoOPCServer users guide is and we need to update it for these new settings at the very least.

How urgent is this for those of you looking to apply this hardening patch?
https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

kprickett · July 29, 2022, 7:44pm

Since Microsoft still allows the hardening patch to be bypassed by disabling a registry key (at least until March of 2023), I don’t view this as urgent at this point. If I find, at some point, that our OptoOPCServer installation has stopped working after my company pushes out some OS patches, I will have one of our Sys Admins disable the offending registry key on the affected PCs.

Thanks for digging into this and helping to alleviate my concern over it. Keep us apprised.

Just out of curiosity… are there any plans to update the OptoOPCServer to OPC-UA? I figure with the addition of the native OPC-UA server functionality into the groov EPIC there’s probably no plans, but it doesn’t hurt to ask, right? Thanks again!