Friday, December 10, 2021
Some OPC applications fail to establish communication after applying Microsoft patch KB5004442 for CVE-2021-26414. This document provides repair instructions for end-users and programmers.
Some (not all) OPC applications will be unable to establish remote communication after applying the above patch. The patch does NOT affect local communication; only remote communication fails.
Microsoft raised the security level that DCOM requires. Consequently, applications that hard-code their DCOM security settings in source code may be affected. Specifically, applications using an “Authentication Level” of None, Connect, Call, or Packet will fail. Conversely, applications using an “Authentication Level” of Default, Packet Integrity, or Packet Privacy will be unaffected.
Changing the “Authentication Level” with DCOMCNFG, or even editing the Windows Registry, will NOT help, because these applications override the system settings in their own source code. Microsoft is ending this poor programming practice because it weakens communication security without the user's knowledge.
In general, end-users have three options. Recall that this update does not affect local OPC communication. Each solution therefore uses a third-party application (OPC Expert in this case) to handle the remote, secured OPC communication on the affected application's behalf. The three configurations follow below.
Use this configuration when OPC servers are unable to establish remote communication. Run OPC Expert on the same computer as the OPC server. OPC Expert establishes local communication with the OPC server (this communication is not affected by the patch). OPC Expert replicates all server functions to one or more remote OPC clients. Specific functionality to help in this case is as follows:
Enables servers to use local (COM) OPC connections (no DCOM)
Use this configuration when OPC client applications are unable to establish remote communication. Run OPC Expert on the same computer as the OPC client. OPC Expert establishes local communication with the OPC client (this communication is not affected by the patch). OPC Expert replicates all client functions to one or more remote OPC servers. Specific functionality to help in this case is as follows:
Use this configuration when both OPC client and server applications are unable to establish remote communication. Run OPC Expert on the same computer as the OPC client and server. OPC Expert establishes local communication with the OPC client and server (this communication is not affected by the patch). OPC Expert replicates all client and server functions. Specific functionality to help in this case is as follows:
Programmers can repair this by changing their call to “CoInitializeSecurity”. Microsoft provides an example on the page titled “Setting the Default Process Security Level Using C++”. Specifically, programmers should use RPC_C_AUTHN_LEVEL_DEFAULT. Programmers should avoid hard-coding RPC_C_AUTHN_LEVEL_NONE, RPC_C_AUTHN_LEVEL_CONNECT, RPC_C_AUTHN_LEVEL_CALL, RPC_C_AUTHN_LEVEL_PKT, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, and RPC_C_AUTHN_LEVEL_PKT_PRIVACY.
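A corrected CoInitializeSecurity call for the repair described above, as an added C++ example (not Microsoft's sample and not OPC Expert code): it passes RPC_C_AUTHN_LEVEL_DEFAULT so that system policy chooses the level, returns RPC_E_TOO_LATE unchanged when some other component already initialized process security (the usual way a hidden hard-coded level slips in), and includes a small audit check for hard-coded levels. The impersonation level, the EOAC_NONE capability and the function names are assumptions; the non-Windows constant definitions exist only so the audit check compiles without the Windows SDK.

```cpp
// Process-wide DCOM security initialisation that lets system policy choose the
// authentication level instead of hard-coding one that KB5004442 now rejects.
#ifdef _WIN32
#include <windows.h>
#include <objbase.h>
#else
// Off-Windows build support (assumption: values mirror rpcdce.h) so the
// audit check below can be compiled and tested without the Windows SDK.
typedef unsigned long DWORD;
#define RPC_C_AUTHN_LEVEL_DEFAULT       0
#define RPC_C_AUTHN_LEVEL_NONE          1
#define RPC_C_AUTHN_LEVEL_CONNECT       2
#define RPC_C_AUTHN_LEVEL_CALL          3
#define RPC_C_AUTHN_LEVEL_PKT           4
#define RPC_C_AUTHN_LEVEL_PKT_INTEGRITY 5
#define RPC_C_AUTHN_LEVEL_PKT_PRIVACY   6
#endif

// Audit helper: true for the levels this page lists as unaffected (DEFAULT
// defers to system policy; PKT_INTEGRITY and PKT_PRIVACY already satisfy it),
// false for NONE, CONNECT, CALL and PKT, which break remote DCOM after the patch.
bool AuthnLevelSurvivesHardening(DWORD level) {
    return level == RPC_C_AUTHN_LEVEL_DEFAULT ||
           level >= RPC_C_AUTHN_LEVEL_PKT_INTEGRITY;
}

#ifdef _WIN32
// Legacy pattern that fails remotely after the patch (do not use):
//   CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_CONNECT,
//                        RPC_C_IMP_LEVEL_IDENTIFY, NULL, EOAC_NONE, NULL);

// Corrected call. CoInitializeSecurity may succeed only once per process: if
// another component (or COM itself, on first marshal) already set security,
// it returns RPC_E_TOO_LATE, and that earlier, possibly hard-coded, call is
// the one to fix. CoInitializeEx must run first on the calling thread.
HRESULT InitDcomSecurityWithSystemDefaults() {
    HRESULT hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    if (FAILED(hr)) return hr;
    return CoInitializeSecurity(
        NULL,                        // access permissions from AppID / machine defaults
        -1,                          // let COM pick the authentication services
        NULL, NULL,
        RPC_C_AUTHN_LEVEL_DEFAULT,   // the fix: system policy chooses the level
        RPC_C_IMP_LEVEL_IDENTIFY,    // assumption; use what your OPC application needs
        NULL, EOAC_NONE, NULL);      // RPC_E_TOO_LATE: security was set elsewhere
}
#endif
```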