Friday, December 10, 2021
Some OPC applications fail to establish communication after applying Microsoft patch KB5004442, which addresses CVE-2021-26414. This document provides repair instructions for end-users and programmers.
Some (not all) OPC applications will be unable to establish remote communication after applying the above patch. This patch does NOT affect local communication, but remote communication will fail.
Microsoft raised the minimum security level that DCOM requires. Consequently, applications that set static DCOM security settings in their source code may be affected. Specifically, applications using an “Authentication Level” of None, Connect, Call, or Packet will fail. Conversely, applications using an “Authentication Level” of Default, Packet Integrity, or Packet Privacy will be unaffected.
Changing “Authentication Level” using DCOMCNFG, or even changing Windows Registry settings, will NOT help, because these applications override system settings in their source code. Microsoft is trying to end this poor programming practice because it puts communication security at risk without the user's knowledge.
In general, end-users have three options. Recall that this update does not affect local OPC communication. Therefore, the solution entails using a third-party application (OPC Expert in this case) to properly handle remote secure OPC communication. Solutions follow below.
Use this configuration when OPC servers are unable to establish remote communication. Run OPC Expert on the same computer as the OPC server. OPC Expert establishes local communication with the OPC server (this communication is not affected by the patch). OPC Expert replicates all server functions to one or more remote OPC clients. Specific functionality to help in this case is as follows:
Enables servers to use local (COM) OPC connections (no DCOM)
Use this configuration when OPC client applications are unable to establish remote communication. Run OPC Expert on the same computer as the OPC client. OPC Expert establishes local communication with the OPC client (this communication is not affected by the patch). OPC Expert replicates all client functions to one or more remote OPC servers. Specific functionality to help in this case is as follows:
Use this configuration when both OPC client and server applications are unable to establish remote communication. Run OPC Expert on the same computer as the OPC client and server. OPC Expert establishes local communication with the OPC client and server (this communication is not affected by the patch). OPC Expert replicates all client and server functions. Specific functionality to help in this case is as follows:
Programmers can easily repair this by changing their call to “CoInitializeSecurity”. Microsoft provides an example in a page titled “Setting the Default Process Security Level Using C++”. Specifically, programmers should use RPC_C_AUTHN_LEVEL_DEFAULT. Programmers should avoid using RPC_C_AUTHN_LEVEL_NONE, RPC_C_AUTHN_LEVEL_CONNECT, RPC_C_AUTHN_LEVEL_CALL, RPC_C_AUTHN_LEVEL_PKT, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, and RPC_C_AUTHN_LEVEL_PKT_PRIVACY.
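To find the static settings described above in a C/C++ code base, a script can locate each CoInitializeSecurity call and read its fifth argument (dwAuthnLevel). The following is an added example, not code from OPCTI or Microsoft: the helper names, verdict labels and sample source are constructed for illustration, the classification follows this article's lists, and string literals containing parentheses or comment markers are assumed not to occur.

```python
import re

# Verdicts follow the article's lists; the label strings themselves are made up for this example.
P = "RPC_C_AUTHN_LEVEL_"
VERDICT = {P + "DEFAULT": "recommended",
           **dict.fromkeys([P + s for s in ("NONE", "CONNECT", "CALL", "PKT")], "fails-after-patch"),
           **dict.fromkeys([P + s for s in ("PKT_INTEGRITY", "PKT_PRIVACY")], "unaffected-but-static")}

def strip_comments(src):
    """Blank out // and /* */ comments, keeping newlines so line numbers stay valid."""
    blank = lambda m: re.sub(r"[^\n]", " ", m.group(0))
    return re.sub(r"//[^\n]*|/\*.*?\*/", blank, src, flags=re.S)

def split_args(src, start):
    """Split the argument list opened by the '(' at src[start]; None if it never closes."""
    args, depth, last = [], 0, start + 1
    for i in range(start, len(src)):
        ch = src[i]
        depth += (ch == "(") - (ch == ")")
        if depth == 0 or (ch == "," and depth == 1):
            args.append(src[last:i].strip())
            last = i + 1
            if depth == 0:
                return args
    return None

def audit(src):
    """Return (line, dwAuthnLevel text, verdict) for each CoInitializeSecurity call."""
    src = strip_comments(src)
    findings = []
    for m in re.finditer(r"\bCoInitializeSecurity\s*\(", src):
        args = split_args(src, m.end() - 1)
        line = src.count("\n", 0, m.start()) + 1
        # dwAuthnLevel is the 5th of 9 parameters; non-constants are marked for manual review.
        level = args[4] if args and len(args) == 9 else None
        findings.append((line, level, VERDICT.get(level, "review") if level else "unparsed"))
    return findings

# Constructed sample source, not taken from any real product.
SAMPLE = '''\
// old: CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_NONE, 3, NULL, 0, NULL);
hr = CoInitializeSecurity(NULL, -1, NULL, NULL,
        RPC_C_AUTHN_LEVEL_CONNECT, RPC_C_IMP_LEVEL_IDENTIFY, NULL, EOAC_NONE, NULL);
hr = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, 2, NULL, 0, NULL);
hr = CoInitializeSecurity(sd, -1, NULL, NULL, LevelFor(cfg, 1), 2, NULL, 0, NULL);
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A "review" verdict means the level is computed at run time, so the value actually passed has to be traced by hand.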