
OPC Data Client Applications and DCOM Hardening (CVE-2021-26414, KB5004442)

This FAQ discusses how OPC Data Client is affected by the changes made by the Windows updates described in Microsoft's KB5004442 advisory. Microsoft has been rolling those updates out to affected operating systems since June 8, 2021 to address the DCOM vulnerability described in CVE-2021-26414, and is enforcing the change in phases, so users may need to take the actions described in this FAQ. This FAQ is a supplement to our overall detailed technical FAQ on DCOM Hardening, which contains information common to all products affected by DCOM hardening.
 
Because OPC Data Client is a developer toolkit, and every developer's application, overall system architecture and use case is different, each developer will need to make their own decisions about what changes they may need to make. 
 
Audience: This article is written for developers and assumes you have development experience. If you have found this FAQ, are having problems with DCOM you believe are caused by the Windows updates discussed in Microsoft's KB5004442 advisory, and are an end user with a custom software application written using the OPC Data Client Toolkit, please contact the provider of your application. Because changes/fixes to the custom application have to be made in the source code of the application, we would need to work with someone who has that access and a valid support & maintenance agreement for the OPC Data Client toolkit. If you are not a Software Toolbox OPC Data Client toolkit developer customer, we are not able to provide any support to you for this FAQ.

Specific Product Editions/Versions or Use Cases Affected and Not Affected

All versions of the OPC Data Client toolkit are affected if the user's application is connecting to an OPC Classic DA or A&E server over a network.  Many users will NOT be affected, as described below.
Affected:
  • Because of the nature of this product, we STRONGLY RECOMMEND our developer users carefully review this FAQ and our general DCOM hardening FAQ, understand how your users are using your custom application, and plan ahead. There are options that require code changes, and options that do not but do require additional software.
  • Because access to your source code would be required, our support team is not able to assist users of your custom written compiled application who are affected. We are empowering you as the developer with options to manage the risk of issues.  You are responsible for supporting the users of your compiled applications. 
Not Affected:
  • If you are NOT using OPC Classic DA or OPC A&E with the OPC Data Client toolkit, this FAQ does NOT apply to your application.
  • OPC UA client/server connections are not affected 
  • If your OPC Classic DA or OPC A&E client application only ever interacts with OPC Classic DA or OPC A&E servers running on the SAME COMPUTER as your application, this may not apply to you. You should still review this FAQ unless you have chosen not to allow your users to connect to remote OPC servers and have implemented limitations to that effect in your custom software. 

General Relevant Product information

 Is OPC UA available in this product as an alternative? Yes
  • OPC UA Server - no/not applicable as this is an OPC client development toolkit product. 

  • OPC UA Client - yes, in all OPC Data Client editions, though we highly recommend you use the Enterprise Edition if you are adding OPC UA to your application. Upgrades to current version and expanded functionality editions are available. Contact us for a quote.

Operating System Support Details - see the OPC Data Client Specifications FAQ

Respects Component Services Settings? It depends on version of toolkit in use and your application code. See Product Specific Details in this FAQ.

Uses Hard-Coded Co-Initialize security Calls? It depends on version of toolkit in use and your application code. See Product Specific Details in this FAQ.

DCOM Hardening Specific Updates Relevant and Available? OPC Data Client Version 2022.1 added specific features to help developers deal with DCOM hardening, and customers were notified of its availability. We always recommend running the most current version of the product and reserve the right to limit support for non-current software. 

Obtaining Current Product Versions - Users on active support & maintenance agreements are entitled to update at no additional cost. The current version is available on the OPC Data Client website. Contact us with your license details to check your support status and, if necessary, obtain a quote for reinstatement of support & maintenance.

Product Specific Settings Recommendations

After assessing your application, if you believe your use case for the OPC Data Client will be affected, you have several choices. 
 
After June 14, 2022 and Before March 14, 2023 
You can use the registry entry that Microsoft provides in KB5004442 (under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat, the DWORD value RequireIntegrityActivationAuthenticationLevel set to 0) to disable the change, but you MUST be aware that this is a temporary workaround: after the March 14, 2023 updates the value is ignored and hardening is always enforced, so plan for a permanent fix before then. Our support team will not assist users of your application with making this change. You are responsible for supporting the users of your compiled applications using OPC Data Client. 
 
After March 14, 2023, you must be prepared to support your users with some option. Here are a few to consider. Ideally you are able to update your application using the OPC Data Client Toolkit license that you have kept on active support & maintenance. However, we also have add-on tool options for developers who are unable to change their application. 
  1. Use the information in this FAQ and related resources we link to, to help you assess how you can improve your OPC Classic DA or OPC A&E client application, especially if you are using or can upgrade to OPC Data Client version 2022.1 or newer. There are also options for developers using prior versions of the toolkit.
  2. Change your application using OPC Data Client toolkit to use OPC UA generic data (For DA) or UA Alarms and Conditions (for A&E)
    1. All current OPC Data Client toolkit editions support basic OPC UA, but switching your application to support OPC UA alongside DA, or OPC UA instead of DA, would require code changes.
    2. The professional edition supports OPC UA Alarms & Conditions. Edition upgrades are possible, contact us if you need a quote. 
    3. If your OPC servers do not support OPC UA:
      1. If you need an OPC UA/DA gateway/convertor for DA servers that do not natively support OPC UA, the DataHub OPC Gateway is a robust solution for those OPC DA servers. 
      2. If you need an OPC UA A&C to OPC Classic A&E convertor, we can add the UA A&C and Classic A&E support to DataHub OPC Gateway as an option. Contact us for details.
  3. If you are unable to change your client application, but your OPC servers support OPC UA, you could put the DataHub OPC Gateway on your client machine, so that your client is talking to the gateway as a local OPC server, and then the gateway communicates via OPC UA to the servers.  We can add OPC A&C / OPC Classic A&E support to the Gateway. Contact us for details.
  4. If you cannot change your OPC client application, and you have OPC Classic DA and/or A&E Servers, then OPC tunneling using the DataHub Tunneler for OPC DA or A&E or both, would be an option.

Understanding OPC Data Client Configuration Settings Affecting DCOM settings

All OPC Classic client applications have a choice to make.
  • They can set DCOM security settings programmatically, or
  • They can allow their application to use settings in Windows Component Services DCOM Config to determine their security settings
After March 14, 2023, or after June 14, 2022 if you are not able to make the disabling registry entry, your client application MUST set, or allow Component Services to set, an authentication level of at least Packet Integrity through one of the methods above. Any attempt to use a lower level will fail and result in loss of communications between your custom application and the target OPC Classic servers. On supported operating systems, you will see this as the DCOM errors in the Windows Event Logs shown in Microsoft's KB5004442 advisory. For example, if you had set your authentication level to None (or to Connect, Call or Packet, all of which are below Packet Integrity), that will fail once Microsoft enforces the change to DCOM. 
Remember that if you make any changes to DCOM settings in Component Services, you MUST restart your custom application in order for it to pick up the changes. If you make changes on the OPC server side, the OPC server must also be restarted. This is the nature of DCOM settings: an application using DCOM can only initialize its security settings once, at startup. 
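As a practical check for the situation described above, the following C# helper is an added example (not code from the original page, from Software Toolbox or from OPC Labs) that a developer can drop into a diagnostics routine of their application. It reads the KB5004442 override value and lists the DCOM hardening events (IDs 10036, 10037 and 10038, which KB5004442 documents) from the System event log, so that a communications failure can be confirmed as a hardening problem rather than, say, a firewall or identity issue. The key path, value name and event IDs are those published in KB5004442; the class and method names are assumptions for illustration.

```csharp
// Added example, not part of the original FAQ. Requires .NET Framework or the
// Microsoft.Win32.Registry and System.Diagnostics.EventLog packages on .NET Core/.NET.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using Microsoft.Win32;

static class DcomHardeningDiagnostics
{
    // From KB5004442: HKLM\SOFTWARE\Microsoft\Ole\AppCompat,
    // DWORD RequireIntegrityActivationAuthenticationLevel (0 = hardening disabled, 1 = enabled).
    // Absent means the OS default applies (enabled by default since the June 14, 2022 updates);
    // after the March 14, 2023 updates the value is ignored entirely.
    const string AppCompatKey = @"SOFTWARE\Microsoft\Ole\AppCompat";
    const string OverrideValue = "RequireIntegrityActivationAuthenticationLevel";

    public static string DescribeOverride()
    {
        // Open the 64-bit view explicitly so a 32-bit client process is not redirected
        // to WOW6432Node and reports the wrong answer.
        using (var hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
        using (var key = hklm.OpenSubKey(AppCompatKey))
        {
            var raw = key?.GetValue(OverrideValue);
            if (raw is int v)
                return v == 0
                    ? "hardening disabled by registry override (temporary; ignored after March 14, 2023)"
                    : "hardening explicitly enabled by registry value";
            return "no override present; OS default applies (enabled since the June 14, 2022 updates)";
        }
    }

    // Event IDs documented in KB5004442:
    //  10036: logged on the SERVER, activation refused because the client's level is below Packet Integrity
    //  10037: logged on the CLIENT, application asked for an explicit authentication level below 5 (PKT_INTEGRITY)
    //  10038: logged on the CLIENT, application relies on the default level and the default is below 5
    static readonly HashSet<long> HardeningEventIds = new HashSet<long> { 10036, 10037, 10038 };

    public static List<string> RecentHardeningEvents(int maxEntries = 20)
    {
        var found = new List<string>();
        using (var log = new EventLog("System"))
        {
            // Walk newest first; stop once we have enough hits.
            for (int i = log.Entries.Count - 1; i >= 0 && found.Count < maxEntries; i--)
            {
                EventLogEntry e = log.Entries[i];
                long id = e.InstanceId & 0xFFFF;   // strip qualifier bits; keep the event ID
                bool fromDcom = e.Source.IndexOf("DistributedCOM", StringComparison.OrdinalIgnoreCase) >= 0;
                if (fromDcom && HardeningEventIds.Contains(id))
                    found.Add($"{e.TimeGenerated:u} event {id}: {e.Message}");
            }
        }
        return found;
    }

    static void Main()
    {
        Console.WriteLine("KB5004442 override: " + DescribeOverride());
        var events = RecentHardeningEvents();
        Console.WriteLine(events.Count == 0
            ? "No DCOM hardening events (10036/10037/10038) found in the System log."
            : "DCOM hardening events found:");
        foreach (var line in events)
            Console.WriteLine(line);
    }
}
```

Run it on the client machine to see events 10037/10038 (the application asked for, or defaulted to, too low a level) and on the OPC server machine to see 10036 (the server refused the activation). Seeing 10037 on the client is the signature of a hard-coded, too-low CoInitializeSecurity call in the application, which is exactly the case the settings in the next sections address.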
 
If you are using OPC Data Client Version 2022.1 or newer:
New settings were introduced to assist you in working with this Microsoft DCOM hardening change. One of them, ComManagement.Instance.Configuration.SecurityParameters.EnsureDataIntegrity, is false by default for backwards compatibility. Setting it to true makes the toolkit's own COM security initialization request an authentication level of at least Packet Integrity, which is what the Microsoft DCOM hardening update requires.

Our ability to help you with handling these Microsoft changes is subject to the explanations in these articles from our developer partner OPC Labs about COM Security Initialization and Guidance for project types and tools. When reading the articles, the terms QuickOPC and OPC Data Client are interchangeable. 

 
 
If you are NOT using OPC Data Client Version 2022.1 or newer:
There is a property in the OPC Data Client called EasyDAClient.SharedParameters.MachineParameters.UseCustomSecurity that, if set to False, allows the client application to use the DCOM Config settings from Windows Component Services instead of the toolkit's own security initialization. 

If this is left at the default of True and not changed, you will have problems, because the OPC Data Client code will attempt to initialize COM security with its own settings, overriding the DCOM Config settings, and that will fail after Microsoft enforces the change. You will need to consider one of the options covered earlier in this FAQ.
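The following C# startup code is an added example (not code from the original page, from Software Toolbox or from OPC Labs) that shows both of the settings discussed above, the 2022.1-or-newer EnsureDataIntegrity property and the older UseCustomSecurity property, applied before the first OPC read, which is where a too-low activation authentication level now fails. It assumes the OpcLabs.EasyOpc NuGet package of OPC Data Client/QuickOPC; the namespace containing ComManagement, the conditional-compilation symbol OPC_DATA_CLIENT_2022_1, the remote host name "opc-server-01", the server ProgID "OPCLabs.KitServer.2" and the item ID "Simulation.Random" are assumptions for illustration and must be replaced with your own values.

```csharp
// Added example, not part of the original FAQ or the toolkit's own samples.
// Define OPC_DATA_CLIENT_2022_1 in the project's build properties when compiling
// against toolkit version 2022.1 or newer; leave it undefined for older toolkits.
using System;
using OpcLabs.EasyOpc.DataAccess;                 // EasyDAClient
using OpcLabs.EasyOpc.OperationModel;              // OpcException
#if OPC_DATA_CLIENT_2022_1
using OpcLabs.BaseLib.Runtime.InteropServices;     // ComManagement (namespace is an assumption)
#endif

static class DcomHardeningStartup
{
    // Must run once, before ANY other COM/DCOM activity in the process: COM security can
    // only be initialized once per process, and the first initialization wins.
    public static void ConfigureForDcomHardening()
    {
#if OPC_DATA_CLIENT_2022_1
        // Toolkit 2022.1 or newer: keep the toolkit's own security initialization, but make it
        // request at least RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, which KB5004442 requires.
        // The default of false exists only for backwards compatibility.
        ComManagement.Instance.Configuration.SecurityParameters.EnsureDataIntegrity = true;
#else
        // Older toolkits: stop the toolkit from initializing COM security with its own
        // (possibly too low) settings, so the process uses the machine/application settings
        // from Component Services. Your IT/OT team then sets those to Packet Integrity or higher,
        // and the application must be restarted after any change there.
        EasyDAClient.SharedParameters.MachineParameters.UseCustomSecurity = false;
#endif
    }

    // One synchronous read; the remote activation performed here is what fails when the
    // authentication level is below Packet Integrity (client event 10037/10038, server event 10036).
    public static object ReadOnce(string machineName, string serverClass, string itemId)
    {
        var client = new EasyDAClient();
        try
        {
            return client.ReadItemValue(machineName, serverClass, itemId);
        }
        catch (OpcException ex)
        {
            // Surface the innermost COM/DCOM error; an access-denied or RPC failure right at
            // activation, with no other network change, points at DCOM hardening.
            Console.Error.WriteLine($"OPC read of {itemId} on {machineName} failed: {ex.GetBaseException().Message}");
            throw;
        }
    }

    static void Main()
    {
        ConfigureForDcomHardening();   // before the first COM call of any kind
        object value = ReadOnce("opc-server-01", "OPCLabs.KitServer.2", "Simulation.Random");
        Console.WriteLine($"Read value: {value}");
    }
}
```

Whichever branch you compile, verify the effect with a remote server on a machine that already has the March 2023 updates, not only with a local server: local activations do not exercise the hardened path, so a test that passes locally proves nothing about your users' networked deployments.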

 
 
If you would like to upgrade to OPC Data Client Toolkit Version 2022.1 or newer, contact us. Provide your license details, and if you have an active OPC Data Client Support & Maintenance Agreement, we can send you a license update. If not we will send a quote to upgrade and reinstate your support. 
Disclaimer: You are ultimately responsible to work with your IT/OT teams on handling the changes to your systems. Software Toolbox support cannot and will not make changes to customer systems for them. This information is provided for reference and is based on our best commercially reasonable efforts to gather, validate and aggregate this knowledge and is provided under and subject to our standard terms and conditions.