Cogent DataHub and DCOM Hardening (CVE-2021-26414, KB5004442)
This FAQ discusses how the Cogent DataHub ("DataHub" throughout this FAQ) is affected by the Windows updates described in Microsoft's KB5004442 advisory, which Microsoft has rolled out to affected operating systems since June 8, 2021 to address vulnerabilities in DCOM described in CVE-2021-26414. Due to upcoming enforcement actions by Microsoft, users may need to take the actions described in this FAQ. This FAQ supplements our overall detailed technical FAQ regarding DCOM Hardening, which contains information common to all products affected by DCOM hardening. You may also request our free detailed Remote OPC DA Classic (DCOM) Configuration Guide here, with recommendations for DCOM setting configuration on OPC DA client and server machines where connections will be remote (client and server on separate machines).
Cogent DataHub is unique in that it supports many OPC standards on the client and server side, and because it is the solution referenced by our other DCOM hardening FAQs for replacing DCOM in situations where there is no other choice. Its OPC Gateway converts OPC DA to UA to change OPC Classic DA and A&E clients and servers to OPC UA. DataHub's Secure Tunneling capabilities provide users with robust solutions to end their dependence on DCOM, implement better security, and handle complex networking scenarios involving DMZs & proxies like no other solution can. If MQTT is in your future and you want to convert OPC DA or UA to MQTT, the DataHub Smart MQTT SparkplugB client and broker capabilities provide a strong option.
Contents
- Am I Affected?
- Product-Specific Information
- Product-Specific Recommendations
- Alternative Solutions to using DCOM
- Disclaimer
Specific Product Editions/Versions or Use Cases Affected and Not Affected
Affected:
- Any version of DataHub using OPC Classic DA or A&E client or server connections over a network, which by definition means you are using DCOM. Many users will NOT be affected, as described below.
Not Affected:
- Any application where DataHub is installed on the same computer or virtual machine as ALL of the OPC Classic DA or A&E clients and servers it connects to
- This includes applications where DataHub is being used for secure tunneling to eliminate the use of DCOM.
- Any application that is using only OPC UA
- Any application not using OPC Classic DA or A&E client or server
General Relevant Product information
Is OPC UA available in this product as an alternative? Yes
- OPC UA Server - DataHub supports OPC UA Generic Data (i.e. real-time, DA type data), Alarms & Conditions (V10+), and Historical data (V10+).
- OPC UA Client - DataHub supports OPC UA Generic Data (i.e. real-time, DA type data) and Alarms & Conditions (V10+).
- We highly recommend you run the most current version of DataHub for the most secure, robust, performant, and capable OPC UA support.
- Videos on configuring DataHub for OPC UA Client and Server are available.
Operating System Support Details - see the Cogent DataHub specifications FAQ
Respects Component Services Settings? Yes, but is user configurable using the COM Security checkbox in DataHub, see product specific details in this FAQ.
Uses Hard-Coded Co-Initialize security Calls? No, unless user has configured the product otherwise (enabled the COM Security checkbox in DataHub), see product specific details in this FAQ.
DataHub Version Specific Recommendations:
Take the action recommended for your version and then follow the product specific settings recommendations in this FAQ.
- Version 7 & Version 8: We recommend you upgrade to version 10 or higher. Version 7 has reached end-of-life and Version 8 has reached end-of-life as of January 1, 2025.
- Version 9: Upgrade to version 10 or higher - contact us to obtain. Version 9 has reached end-of-life as of January 1, 2025.
- Version 10: Download latest V10 from the DataHub website
We strongly recommend running the most current version of the product and reserve the right to limit support for non-current software.
Obtaining Current Product Versions - Users on active support & maintenance agreements are entitled to update at no additional cost. The current version is available on the Cogent DataHub website. Contact us with your license details to check your support status and, if necessary, obtain a quote for reinstatement of support & maintenance.
Disclaimer: Even though we recommend running specific versions, one will need to properly configure DCOM to mitigate the DCOM Hardening changes regardless of the DataHub Version one decides to run.
Product Specific Settings Recommendations
Cogent DataHub software uses two different DCOM settings depending on its configuration. In the OPC DA option of the DataHub Properties dialog there is a setting: “Attempt to override application DCOM setting with minimum security settings”. We recommend keeping this setting disabled to ensure DataHub uses your settings in Windows Component Services. The DataHub runtime engine MUST be restarted after making any change to these settings. You may also request our free detailed Remote OPC DA Classic (DCOM) Configuration Guide here with recommendations for DCOM setting configuration on OPC DA client and server machines where connections will be remote (client and server on separate machines).
- If this option is NOT selected, the connection will use the authentication level configured through the Windows Component Services dialog. This will normally be set to “Default” and the connection will continue to work. If the “Authentication Level” has been set in the Component Services dialog to a different value, you must set it to one of “Default”, “Packet Integrity” or “Packet Privacy”.
- If this option is selected, versions of DataHub prior to 9.0.11 will attempt to use more lax security settings, but the operating system requires the “Packet” authentication level once the updates described in the KB5004442 advisory are enabled, and the DCOM/remote connection will fail.
  - In this case, update your version of the DataHub application to 9.0.11 (or higher) or to version 10.
    - These new versions use the “Default” authentication level, meaning the settings in Windows Component Services will be used.
  - Alternatively, you can disable this option in the DataHub OPC DA properties. Disabling this option may require you to change COM permissions on the DataHub application through the Windows Component Services dialog.

Troubleshooting a failed connection
If your OPC connections fail after KB5004442 is applied and enforced, follow these steps:
- If the current time is before March 2023, you could apply the registry entry referenced in KB5004442 as a short-term solution.
- In the DataHub, confirm that you have followed the directions above regarding the DataHub DCOM setting.
- Confirm that the client’s authentication level in the Component Service dialog is set to “Default”, “Packet Integrity” or “Packet Privacy”.
- If the OPC client is a DataHub instance, update your DataHub installation to V9.0.11 or higher.
- Contact the vendors of the other OPC client or server software for an update that addresses this issue.
Remember that if you make any changes to DCOM settings in Component Services or the DataHub, you MUST restart the DataHub runtime for the product to know about the changes. If you make changes on a remote OPC client or server side, the remote application must also be restarted. This is the nature of DCOM settings because applications using DCOM can only get their security settings one time at startup.
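The checks in the troubleshooting steps above can be made from a PowerShell prompt as well as from the Component Services dialog. The following read-only script is an added example, not part of DataHub or supplied by the vendor. It assumes the registry locations and DistributedCOM event IDs (10036 to 10038) that Microsoft documents for DCOM and KB5004442, and the function name Test-DcomAuthLevel is illustrative.

```powershell
# Added example (not vendor code): read-only audit of DCOM authentication levels.
# Run in an elevated PowerShell session on the OPC client or server machine.
$LevelNames = @{ 0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call'
                 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }

function Test-DcomAuthLevel {
    # $Level is $null when no explicit value is stored ("Default" in Component Services).
    param([Nullable[int]]$Level)
    if ($null -eq $Level -or $Level -eq 0) { return 'OK (Default)' }
    $name = $LevelNames[[int]$Level]
    if ($Level -eq 5 -or $Level -eq 6) { return "OK ($name)" }
    return "CHANGE ($name): set Default, Packet Integrity or Packet Privacy"
}

$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'

# 1. KB5004442 hardening switch: 0 = disabled, 1 = enabled.
#    When absent, the behaviour depends on the installed update level.
$compat = Get-ItemProperty -Path "$ole\AppCompat" -ErrorAction SilentlyContinue
$switch = $compat.RequireIntegrityActivationAuthenticationLevel
"Hardening registry value: $(if ($null -eq $switch) { 'not set' } else { $switch })"

# 2. Machine-wide default level; Windows uses Connect (2) when no value is stored.
$machine = (Get-ItemProperty -Path $ole -ErrorAction SilentlyContinue).LegacyAuthenticationLevel
if ($null -eq $machine) { $machine = 2 }
"Machine-wide default authentication level: $($LevelNames[[int]$machine])"

# 3. Per-application overrides: list every AppID that stores an explicit level.
Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '{*}' } |
    ForEach-Object {
        $lvl = $_.GetValue('AuthenticationLevel')
        if ($null -ne $lvl) {
            [pscustomobject]@{
                AppID  = $_.PSChildName
                Name   = $_.GetValue('')        # default value holds the display name
                Result = Test-DcomAuthLevel $lvl
            }
        }
    } | Format-Table -AutoSize

# 4. Recent DCOM hardening events: 10036 on the server side, 10037/10038 on the client side.
Get-WinEvent -FilterHashtable @{ LogName = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10036, 10037, 10038
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Any row marked CHANGE corresponds to an application whose Authentication Level in Component Services must be adjusted, followed by a restart of that application.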
If an external OPC client or server uses hard-coded security settings as discussed in our general hardening FAQ and no updates are available from the vendor, you will not be able to use it for networked connections. In that case, your options are:
- Use the DataHub OPC tunneller to convert the existing networked connection into a local connection.
- Use the DataHub OPC Gateway to convert the application to OPC UA.
Download a free DataHub trial or contact us if you have questions or want to discuss an OPC Gateway or tunneling application.
After March 14, 2023, because you will no longer be able to disable the KB5004442 changes with a registry entry, you must have prepared any affected systems requiring changes by adjusting your computers' global DCOM Authentication Level setting to use the Packet Integrity option (per the screenshot below), made the required changes to your DataHub instances described above, migrated to OPC UA, or implemented another DCOM alternative. Because DataHub supports native OPC DA/UA conversion and secure OPC tunneling, we do NOT recommend that you use DataHub with DCOM when such reliable alternatives are available.

Disclaimer: You are ultimately responsible to work with your IT/OT teams on handling the changes to your systems. Software Toolbox support cannot and will not make changes to customer systems for them. This information is provided for reference and is based on our best commercially reasonable efforts to gather, validate and aggregate this knowledge and is provided under and subject to our standard terms and conditions.