OPC DA failed to connect after Windows DCOM Server Security Feature Enable|Classic OPC: DA, A&E, HDA, XML-DA, etc.|Forum|OPC Foundation

OPC DA failed to connect after Windows DCOM Server Security Feature Enable
1. Marimuthu Ananthan (Member), 07/27/2021 - 20:13

Dear All,

Microsoft has identified some vulnerabilities in DCOM.

ref: https://msrc.microsoft.com/upd.....2021-26414.

https://support.microsoft.com/.....ed901c769c

If we enable this DCOM hardening, it works fine with the local OPC server.

But it is not working with a remote OPC server. If we try to connect to a remote OPC server with a local OPC client, it throws "E_NETWORK_ERROR" (nca_s_fault_access_denied).

Any solution or workaround for this MS Patch?

2. Randy Armstrong (Admin), 07/27/2021 - 23:48

Thank you for bringing this to our attention.

I have raised the issue with our contacts at Microsoft to get more information.

Based on my reading of the available information I suspect that many OPC applications will have to change the parameters they pass to CoCreateInstance or CoInitializeSecurity.

Are you in a position to modify the client and server code to experiment with different parameters?

Correct links are:

https://msrc.microsoft.com/upd.....2021-26414

https://support.microsoft.com/.....ed901c769c

3. Marimuthu Ananthan (Member), 07/28/2021 - 00:13

Hi,

Thanks for the immediate response.

Currently, we are not in the position to modify either client or server.

If you receive any more updates from Microsoft, please post them here.

Does it impact all OPC servers and clients?

4. Randy Armstrong (Admin), 07/28/2021 - 13:49

At this point your options are:

1) Use an OS other than Windows 10 or Windows Embedded 8.1;

2) Update your applications to call RpcBindingSetAuthInfo() and set the RPC_C_AUTHN_LEVEL_PKT_INTEGRITY flag (needs confirmation);

3) Use local DCOM + OPC UA Gateway to provide remote access;

4) Use local DCOM + OPC DCOM tunneler to provide remote access.

5. Marimuthu Ananthan (Member), 07/29/2021 - 01:50

Hi,

1. We tested with all Microsoft Windows OSes (10, 2016, 2019...); it's not working.

2. Please update with confirmation that setting the RPC_C_AUTHN_LEVEL_PKT_INTEGRITY flag will resolve our issue.

3. Can you please share DCOM + OPC UA Gateway links, if any, and

4. Can you please share DCOM + OPC DCOM tunneler links, if any?

Thanks

6. Randy Armstrong (Admin), 07/29/2021 - 05:59

1) Did you check Windows 7?

Note that using an end-of-life Windows OS is generally a bad idea, but a lot of existing factory systems do have old systems; those should be unaffected by the change but will still be affected by the security vulnerability that led MS to make the change in the first place.

2) Someone who has this problem and has access to their COM client/server code needs to verify that this fix works.

3) Example of a COM to UA gateway:

https://www.unified-automation.....teway.html

Any product that works as a 'protocol converter' such as KepServerEx could also be used.

4) Example of a DCOM tunneller:

https://www.matrikonopc.com/op.....eller.aspx

7. Zbynek Zahradnik (Member), 07/30/2021 - 00:39

Regarding RpcBindingSetAuthInfo(), do we know if it needs to be set on the client, on the server, or both? Only on the computer that has the Microsoft patch installed, or, if the patch is installed at either side, then the RpcBindingSetAuthInfo() call needs to be made at both sides? If it indeed fixes the problem with the Microsoft patch, do we know if using it is harmless on systems that do not have the patch, etc.? - the questions are many.

Is there any guidance on how the call should be made? I have quickly looked at the documentation (https://docs.microsoft.com/en-.....etauthinfo), and, because it is at the RPC level and not the DCOM level, it is unclear to me how to use it: where to get the RPC_BINDING_HANDLE and other information.

Regards 

8. Marimuthu Ananthan (Member), 08/03/2021 - 02:30

Dear All,

We identified one quick workaround:

Dcomcnfg.exe -> My Computer -> Properties -> Default Properties ->

Set "Default Authentication Level" to "Packet Integrity" (from "Connect").

Please update if you have any other suggestions.
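The dcomcnfg workaround from post 8 as a script, so the machine-wide default can be audited or applied consistently across many OPC hosts instead of clicked through one at a time. This is an added PowerShell example, not code from the thread or the OPC Foundation; the registry locations it reads (LegacyAuthenticationLevel under HKLM\SOFTWARE\Microsoft\Ole, which is what the dcomcnfg "Default Authentication Level" dialog edits, and the hardening switch RequireIntegrityActivationAuthenticationLevel under Ole\AppCompat) are assumed from Microsoft's COM security documentation rather than from the posts, and the function names are hypothetical.

```powershell
# Added example (not from the thread). Registry paths and value names are assumed
# from Microsoft's COM security documentation; function names are hypothetical.
# Reading works as any user; applying a change needs an elevated PowerShell.

$OleKey    = 'HKLM:\SOFTWARE\Microsoft\Ole'
$CompatKey = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'

# RPC_C_AUTHN_LEVEL_* numbering as stored in LegacyAuthenticationLevel
$AuthLevels = @{ 0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call'
                 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
$PktIntegrity = 5

function Get-DcomDefaultAuthLevel {
    # An absent value means the OS default, which dcomcnfg displays as "Connect"
    $v = (Get-ItemProperty -Path $OleKey -Name 'LegacyAuthenticationLevel' `
            -ErrorAction SilentlyContinue).LegacyAuthenticationLevel
    if ($null -eq $v) { $v = 2 }
    [pscustomobject]@{
        Value                = [int]$v
        Name                 = $AuthLevels[[int]$v]
        MeetsPacketIntegrity = ([int]$v -ge $PktIntegrity)
    }
}

function Get-DcomHardeningState {
    # 1 = the CVE-2021-26414 hardening is enforced; 0 = disabled; absent = update default
    $v = (Get-ItemProperty -Path $CompatKey -Name 'RequireIntegrityActivationAuthenticationLevel' `
            -ErrorAction SilentlyContinue).RequireIntegrityActivationAuthenticationLevel
    if ($null -eq $v) { 'not set (default for the installed update level)' }
    elseif ($v -eq 1) { 'enforced' } else { 'disabled' }
}

function Set-DcomDefaultAuthLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Level = $PktIntegrity)
    # Affects every DCOM process on this host that does not set its own level via
    # CoInitializeSecurity; that is why it works without touching the OPC binaries.
    if ($PSCmdlet.ShouldProcess("$OleKey\LegacyAuthenticationLevel", "set to $Level ($($AuthLevels[$Level]))")) {
        Set-ItemProperty -Path $OleKey -Name 'LegacyAuthenticationLevel' -Value $Level -Type DWord
    }
}

$current = Get-DcomDefaultAuthLevel
"DCOM hardening            : $(Get-DcomHardeningState)"
"Default Authentication Level: $($current.Name) ($($current.Value))"
if (-not $current.MeetsPacketIntegrity) {
    "Below Packet Integrity: remote OPC DA activation against a hardened host will be refused."
    Set-DcomDefaultAuthLevel -WhatIf   # remove -WhatIf to apply the post 8 workaround
}
```

Run it on both the client and the server host; the value has to be raised wherever the hardened side rejects the lower level, and a reboot or restart of the affected OPC processes is needed before the new default is picked up.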

Forum Timezone: America/Phoenix