DCOM going away

doctord

Has anyone here heard that Windows is doing away with DCOM for OPC DA comms?
Not an issue on any of our new systems but could be a big issue for some of our older systems.
 
I think there is a 'remote potato 0' vulnerability in DCOM that Microsoft won't patch, so it makes sense to disable DCOM for security reasons.


I am not sure if there is a valid configuration of DCOM which is not affected by remote potato 0.


I haven't heard though, anything about Microsoft talking about removing DCOM entirely.
 
There is a Microsoft patch for a DCOM vulnerability. The patch can be bypassed via the registry through June 2022, per this Microsoft statement:

KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)

Due to currently unresolved issues with Rockwell Software and the Microsoft patch, the "hardening" must be disabled until Rockwell issues patches. Presumably before June.

Ref: Product Notification 2022-01-001 - Rockwell Automation products unable to establish proper DCOM connection after installing Microsoft DCOM Hardening patch (MS KB5004442)

Access level: Everyone
 
DCOM has been going away for years and years. However, that doesn't mean you can make it work by doing some voodoo magic. The problem is that a lot of smaller OPC makers have no plan to convert to UA. You can always buy an OPC tunneller that converts whatever you have to UA on both sides.
 
DCOM was always an awful kludge. Even without this latest security issue it is better to find other solutions.

There are also OPC DA to DA tunnellers in case you have OPC DA clients.
 
Reviving this as a reminder. Bottom line, there is no way to keep MS operating systems up to date and allow DCOM to run after March 14, 2023 (if you've been running the registry key). My guess is that most systems that still run DCOM (post June 2022) simply don't update their systems.

Flexware has a great article explaining it.

Or read MS KB 5004442.
 
That's not entirely true - DCOM is still fine. DCOM with the older style of authentication is not fine.

"The patch raises the minimum DCOM authentication level that is permitted when establishing a DCOM connection between two computers."
https://rockwellautomation.custhelp...cation-level-for-compatibility-with-microsoft

So I still try to find the list of versions which allow the use of the stricter authentication protocols.
 
Great point! Thank you for the clarification.

Authentication less than "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY" is no longer permissible. Even hardened, DCOM use is still a high-risk practice. Other methods should be preferred if possible. If not - segmentation & monitoring. :)

One big issue: DCOM by default (and I believe most implementations) requires the dynamic use of ports 1024-65535. Not firewall friendly, to say the least.
 
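An added example, not written by any poster in this thread: a PowerShell audit of a host's DCOM hardening state, useful when deciding whether the registry bypass is still in place and which peers are still connecting below PKT_INTEGRITY. It assumes the registry value and the Event IDs that KB5004442 documents, and an elevated shell.

```powershell
# Added example (not from the thread): audit DCOM hardening state per KB5004442.
# Assumes the registry value and Event IDs documented in KB5004442; run elevated.

$AppCompat = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$Ole       = 'HKLM:\SOFTWARE\Microsoft\Ole'

# 1. Is the hardening bypass value present? 0 disables the PKT_INTEGRITY minimum
#    (the workaround vendors asked for); 1 enforces it; absent = OS default.
$bypass = (Get-ItemProperty -Path $AppCompat `
    -Name 'RequireIntegrityActivationAuthenticationLevel' `
    -ErrorAction SilentlyContinue).RequireIntegrityActivationAuthenticationLevel
switch ($bypass) {
    $null { 'Hardening: OS default (enforced once the phased rollout completes)' }
    0     { 'Hardening: DISABLED via registry bypass - remediate before the enforcement date' }
    1     { 'Hardening: explicitly ENABLED' }
}

# 2. Machine-wide default authentication level (LegacyAuthenticationLevel).
#    RPC_C_AUTHN_LEVEL_*: 1 NONE, 2 CONNECT, 3 CALL, 4 PKT, 5 PKT_INTEGRITY, 6 PKT_PRIVACY.
$level = (Get-ItemProperty -Path $Ole -Name 'LegacyAuthenticationLevel' `
    -ErrorAction SilentlyContinue).LegacyAuthenticationLevel
if ($null -eq $level) { $level = 2 }  # COM uses CONNECT when the value is absent
"Default authentication level: $level (minimum now required: 5 = PKT_INTEGRITY)"

# 3. Peers still negotiating below the minimum. KB5004442 logs Event ID 10036 on
#    the DCOM server side and 10037/10038 on the client side, in the System log.
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap
```

Run it on both the OPC DA server and each client host; an empty event list only means no low-level connection was attempted since the log was last cleared, not that every peer is already compliant.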
Anyone using OPC DA needs to reach out to the relevant software vendors to see if they have patches available. Otherwise, you're going to need to suspend MS updates in March until you can find an alternate solution.
 
^^^This
