ID: PN1581 | Access Levels: Everyone
Product Notification 2022-01-001 – Rockwell Automation products unable to establish proper DCOM connection after installing Microsoft DCOM Hardening patch (CVE-2021-26414)

Summary

Product Notification 2022-01-001 – Rockwell Automation products unable to establish proper DCOM connection after installing Microsoft DCOM Hardening patch (CVE-2021-26414)

Reference

2022-01-001

Revision History

Revision Number: H

Revision History

Original release – January 2022.
Revision A / February 2022 – This notification has been revised to provide clarification to wording around MS KB5004442 and CVE-2021-26414. The Microsoft patch dates have been updated in the Temporary Workarounds and Recommended Customer Action sections. The Product Identification section products have been updated. The Correction section products and versions have been updated. Please read this revised notification in its entirety.
Revision B / March 2022 – This notification has been revised to provide clarification to wording in the Requested Customer Action section. The FactoryTalk® Batch and ThinManager® versions in the Correction section have been updated. Please read this revised notification in its entirety.
Revision C / March 2022 – This notification has been revised to reference Rockwell Automation Knowledgebase articles related to Rockwell Automation’s response to the DCOM changes Microsoft is making to address CVE-2021-26414 in the Requested Customer Action section. Please read this revised notification in its entirety.
Revision D / April 2022 – This notification has been revised to provide clarification to the products in the Product Identification section and the wording in the Correction and Requested Customer Action sections. Please read this revised notification in its entirety.
Revision E / May 2022 – This notification has been revised to remove FactoryTalk® Edge Gateway™. ThinManager® v10.00 has been removed from the Correction section. Please read this revised notification in its entirety.
Revision F / June 2022 – This notification has been revised to add FactoryTalk® Batch v15.00 to the Correction section. Please read this revised notification in its entirety.
Revision G / July 2022 – This notification has been revised to provide clarification that FactoryTalk® EnergyMetrix™ is indirectly affected in the Product Identification section and to remove FactoryTalk® EnergyMetrix™ from the Correction section. Please read this revised notification in its entirety.
Revision H / March 2023 – This notification has been revised to clarify how Rockwell Automation® software products use anonymous and non-anonymous DCOM authentication levels. Understanding the usage is important for understanding how recent Microsoft® changes affect the available options for mitigating the impact of Microsoft DCOM Hardening. Please read this revised notification in its entirety.

Introduction

This Product Notice informs you of potential anomalies that exist with Rockwell Automation® products that may be unable to establish a proper DCOM connection after installing a Microsoft® Windows Cumulative update that includes DCOM hardening changes to address CVE-2021-26414 as described in MS KB5004442 – Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414). Since introducing this change, Microsoft has made a number of further changes and disclosures in its approach.

Microsoft responded to this DCOM vulnerability (CVE-2021-26414) in stages, with most of the details documented in the KB5004442 article referenced above. When these Microsoft updates are finalized and the new policies enforced, Microsoft operating systems will require all non-anonymous DCOM communications to use a minimum DCOM authentication level called Packet Integrity. This is commonly referred to as DCOM Hardening. Microsoft operating systems will not enforce DCOM hardening for anonymous DCOM communications.

Many Rockwell software products use either anonymous or non-anonymous DCOM authentication when creating a connection between two computers. Rockwell Automation products may be directly or indirectly affected by Microsoft’s patch. For example:
• ThinManager® is directly affected because it uses DCOM between the ThinManager® UI and a remote ThinServer™ service.
• Studio 5000 Logix Designer® is indirectly affected because it uses FactoryTalk® Services, specifically FactoryTalk® Security, and FactoryTalk® Services uses DCOM between the FactoryTalk® Directory server and FactoryTalk® Directory client.
• FactoryTalk® Product Management is indirectly affected because it uses FactoryTalk® ProductionCentre®, and FactoryTalk® ProductionCentre® uses FactoryTalk® Services and FactoryTalk® Live Data.

Product Identification

The Active and Active Mature products listed below are directly affected by the Microsoft DCOM Hardening patch:

Directly Affected Products
• FactoryTalk® Services
• RSLinx® Classic
• FactoryTalk® Linx
• FactoryTalk® Linx Gateway
• FactoryTalk® Linx Data Bridge
• FactoryTalk® Linx OPC UA Connector
• FactoryTalk® Alarms and Events
• FactoryTalk® View Site Edition
• FactoryTalk® ViewPoint
• FactoryTalk® Batch
• ThinManager®
• FactoryTalk® ProductionCentre®
• FactoryTalk® Transaction Manager
• FactoryTalk® VantagePoint®
• KEPServer Enterprise
• Pavilion8®
• Emonitor® Condition Monitoring Software
• AADvance® OPC Portal
• AADvance® OPC Standalone
• Trusted® OPC Portal

The Active and Active Mature products listed below are indirectly affected by the Microsoft DCOM Hardening patch:

Indirectly Affected Products
• FactoryTalk® Policy Manager
• FactoryTalk® System Services
• FactoryTalk® Linx CommDTM
• ControlFLASH™
• ControlFLASH Plus™
• Studio 5000 Logix Designer®
• Studio 5000 View Designer®
• Studio 5000® Logix Emulate™
• Studio 5000 Architect®
• FactoryTalk® Logix Echo
• FactoryTalk® AssetCentre
• FactoryTalk® Historian SE
• Application Code Manager
• FactoryTalk® View Machine Edition
• RSNetWorx™
• RSLogix 5000®
• RSLogix 500®
• RSLogix™ 5
• FactoryTalk® Metrics
• FactoryTalk® Production Management
• FactoryTalk® Quality Management
• FactoryTalk® Warehouse Management
• FactoryTalk® EI Hub
• FactoryTalk® PharmaSuite®
• FactoryTalk® AutoSuite
• FactoryTalk® CPGSuite®
• FactoryTalk® Analytics™ EdgeML
• FactoryTalk® Analytics™ DataView
• FactoryTalk® Analytics™ DataFlowML
• FactoryTalk® Analytics™ AugmentedModeler
• FactoryTalk® Historian - ThingWorx Connector
• FactoryTalk® EnergyMetrix™

The Active and Active Mature products listed below are unaffected by the Microsoft DCOM Hardening patch:

Unaffected Products
• FactoryTalk® Activation Manager
• FactoryTalk® Updater
• Studio 5000® Add On Profiles
• PanelView™ Plus 6 / 7
• PlantPAx® MPC
• PlantPAx® Process Object Online Configuration Tool
• Connected Components Workbench™
• FactoryTalk® Historian ME

The following products’ lifecycle state is End of Life or Discontinued. No action is planned to address the Microsoft DCOM Hardening patch, regardless of the effect on the product, based on the lifecycle state:

End of Life or Discontinued Products
• FactoryTalk® Performance Management
• RSView®32 (Active Display)
• GuardPLC™ OPC Server

Description

Potential anomalies exist with Rockwell Automation products that may be unable to establish a proper DCOM connection after installing a Microsoft Windows Cumulative update that includes DCOM hardening changes to address CVE-2021-26414 as described in MS KB5004442 – Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414). Since introducing this change, Microsoft has made a number of further changes and disclosures in its approach.

Microsoft responded to this DCOM vulnerability (CVE-2021-26414) in stages, with most of the details documented in the KB5004442 article referenced above. When these Microsoft updates are finalized and the new policies enforced, Microsoft operating systems will require all non-anonymous DCOM communications to use a minimum DCOM authentication level called Packet Integrity. This is commonly referred to as DCOM Hardening. Microsoft operating systems will not enforce DCOM hardening for anonymous DCOM communications.

Many Rockwell software products use either anonymous or non-anonymous DCOM authentication when creating a connection between two computers. Rockwell Automation products may be directly or indirectly affected by Microsoft’s patch. For example:
• ThinManager® is directly affected because it uses DCOM between the ThinManager® UI and a remote ThinServer™ service.
• Studio 5000 Logix Designer® is indirectly affected because it uses FactoryTalk® Services, specifically FactoryTalk® Security, and FactoryTalk® Services uses DCOM between the FactoryTalk® Directory server and FactoryTalk® Directory client.
• FactoryTalk® Product Management is indirectly affected because it uses FactoryTalk® ProductionCentre®, and FactoryTalk® ProductionCentre® uses FactoryTalk® Services and FactoryTalk® Live Data.

Directly affected unpatched Rockwell Automation products use either anonymous or non-anonymous DCOM authentication when establishing a DCOM connection between two computers. Anonymous authentication means the product process specifies a DCOM authentication level of None when establishing a DCOM connection. Non-anonymous authentication means the product process uses a DCOM authentication level other than None when establishing a DCOM connection. The following table shows which DCOM authentication level is used by each directly affected unpatched product:

Directly affected unpatched product uses        Anonymous   Non-anonymous
FactoryTalk® Services                           Yes         No
FactoryTalk® Linx                               Yes         No
FactoryTalk® Linx Gateway                       Yes         No
FactoryTalk® Linx Data Bridge                   Yes         No
RSLinx® Classic                                 Yes         No
FactoryTalk® View Site Edition                  Yes         No
FactoryTalk® ViewPoint                          Yes         No
FactoryTalk® Batch                              Yes         Yes
ThinManager®                                    No          Yes
FactoryTalk® Transaction Manager                Yes         No
** Emonitor® Condition Monitoring Software      Yes         No
** FactoryTalk® ProductionCentre®               No          Yes
** FactoryTalk® VantagePoint®                   Yes         No
** Pavilion 8®                                  Yes         No

Microsoft implemented several changes to DCOM Hardening since the June 2022 Windows Cumulative Update.

Microsoft Release Date   Microsoft Rollout Phase
June 8, 2021             Windows DCOM security updates are implemented but are disabled by default
June 14, 2022            Windows DCOM security updates are enabled by default
                         A Microsoft registry key can disable these Microsoft changes
November 8, 2022         Anonymous DCOM authentication is automatically elevated
                         Non-anonymous DCOM authentication can be automatically elevated using a Microsoft registry key
March 14, 2023           Windows DCOM hardening is enabled by default
                         Windows DCOM hardening can no longer be disabled
                         Anonymous and non-anonymous DCOM authentication is automatically elevated by default

Microsoft made two changes late in 2022 to the automatic elevation of the DCOM authentication level. These changes address the following issues:
• Correct the automatic elevation of anonymous DCOM connections to use Packet Integrity, which eliminates spurious Windows Event error messages when products use anonymous DCOM connections.
• Implement automatic elevation of non-anonymous DCOM connections to use Packet Integrity.

Temporary Workaround

Following application of Microsoft’s June 14, 2022 Windows Cumulative Update and until Microsoft’s March 14, 2023 Windows Cumulative Update is applied, use the temporary workaround Microsoft describes in MS KB5004442 to disable the Microsoft DCOM hardening.

Important: After deploying Microsoft’s March 14, 2023 final update, it is no longer possible to disable Microsoft’s DCOM Hardening patch. After deploying Microsoft’s March 14, 2023 update, the only mitigation available is to apply Rockwell Automation patches to affected products.

For Classic OPC-DA communications consider moving clients and servers to operate on the same workstation or migrate the system to replace Classic OPC-DA with OPC UA.

Correction

Since the announcement of Microsoft’s plan to implement DCOM hardening in June 2021, Microsoft has made refinements to its DCOM hardening approach. These refinements remove the absolute need to patch Rockwell Automation’s directly affected software products following application of Microsoft Windows Cumulative Updates from June 2022 onward. Rockwell Automation nevertheless recommends patching or updating directly affected Rockwell Automation software products. Once patched, administrators have more control over the DCOM authentication level used by directly affected Rockwell Automation products. Once patched, directly affected Rockwell Automation products use non-anonymous DCOM connections; the default DCOM authentication level used by patched directly affected Rockwell Automation products is Packet Integrity.

If patching directly affected Rockwell Automation products is an option, then, following Rockwell Automation’s version lifecycle policy, patches are available for Preferred and Managed versions of directly affected products as shown below. Indirectly affected products’ operation can be corrected by applying the patches for the directly affected products.

Affected Product                              Versions                                          Monthly Rollup
FactoryTalk® Services                         6.21, 6.20, 6.11, 6.10, 3.00, 2.90                Apr 2022
FactoryTalk® Linx                             6.21, 6.20, 6.11, 6.10, 6.00, 5.90                Apr 2022
FactoryTalk® Linx Gateway                     6.21, 6.20, 6.11, 6.10, 6.00, 3.90                Apr 2022
FactoryTalk® Linx Data Bridge                 6.21.01, 6.20, 6.11                               Apr 2022
FactoryTalk® Linx OPC UA Connector            6.21.01, 6.20, 6.11, 6.10, 6.00                   Apr 2022
RSLinx® Classic                               4.21, 4.20, 4.12, 4.11, 4.10, 4.00.01             Apr 2022
FactoryTalk® Alarms and Events                6.21, 6.20, 6.11, 6.10, 3.00, 2.90                May 2022
FactoryTalk® View Site Edition                12.00, 11.00, 10.00, 9.00                         May 2022
FactoryTalk® ViewPoint                        12.00, 11.00, 10.00, 9.00                         May 2022
FactoryTalk® Batch                            15.00, 14.00, 13.00.02                            Jul 2022
FactoryTalk® Transaction Manager              13.10, 13.00, 12.10, 12.00                        May 2022
ThinManager®                                  12.01, 12.00, 11.02                               May 2022
** ThinManager®                               11.01, 11.00                                      None (see **)
** Emonitor® Condition Monitoring Software    4.00                                              None (see **)
** FactoryTalk® ProductionCentre®             10.04, 10.03, 10.02, 10.01                        None (see **)
** FactoryTalk® VantagePoint®                 8.31, 8.30, 8.20, 8.10, 8.00, 7.00                None (see **)
** Pavilion 8®                                5.17.01, 5.17.00, 5.16, 5.15.01, 5.15             None (see **)

** Products do not participate in Rockwell Automation monthly patch rollup. Download individual patch(es).

If you are using versions of directly affected Rockwell Automation products for which no patch is listed above, or it is not possible to apply Rockwell Automation patches or to upgrade to newer product versions for which patches are available, and it is required to apply a recent Windows Cumulative Update released since June 2022, follow these recommendations:

  • Apply the Windows update shown below to ensure correct automatic elevation of anonymous DCOM connections to use Packet Integrity, which eliminates spurious Windows Event error messages when unpatched Rockwell Automation products use anonymous DCOM connections:

      Operating System                           Update      First available
      Windows Server 2012 R2                     KB5022352   1/10/2023
      Windows 10 2015 LTSC                       KB5022297   1/10/2023
      Windows Server 2016/Windows 10 1607 LTSC   KB5021235   12/13/2022
      Windows Server 2019/Windows 10 1809 LTSC   KB5021237   12/13/2022
      Windows 10 20H2/21H2/22H2                  KB5018482   10/25/2022
      Windows Server 2022                        KB5018485   10/25/2022
      Windows 11 21H2                            KB5018483   10/25/2022
      Windows 11 22H2                            KB5018496   10/25/2022

  • Apply the Windows update shown below to implement automatic elevation of non-anonymous DCOM connections to use Packet Integrity:

      Operating System                           Update      First available
      Windows Server 2012 R2                     KB5020023   11/8/2022
      Windows 10 2015 LTSC                       KB5019970   11/8/2022
      Windows Server 2016/Windows 10 1607 LTSC   KB5021235   12/13/2022
      Windows Server 2019/Windows 10 1809 LTSC   KB5021237   12/13/2022
      Windows 10 20H2/21H2/22H2                  KB5018482   10/25/2022
      Windows Server 2022                        KB5018485   10/25/2022
      Windows 11 21H2                            KB5018483   10/25/2022
      Windows 11 22H2                            KB5020044   10/25/2022

    If you cannot apply the Windows update listed above, you can still apply automatic elevation of non-anonymous DCOM connections by manually creating the RaiseActivationAuthenticationLevel registry key and setting its value to 2. For more details refer to Microsoft KB5004442.

The operation of KEPServer Enterprise, AADvance OPC Portal, AADvance OPC Standalone, and Trusted OPC Portal can be corrected by adjusting the DCOM Authentication Level of the application service using the Windows DCOM configuration utility (DCOMCNFG.EXE). Set the DCOM Authentication Level to Default, Packet Integrity, or Packet Security. No patch is required.
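To check where a host stands in the rollout phases above and to find remote clients that still activate below Packet Integrity, here is an added PowerShell audit script (an example written for this page, not Rockwell Automation or Microsoft code). It assumes the HKLM\SOFTWARE\Microsoft\Ole\AppCompat values that KB5004442 documents (RequireIntegrityActivationAuthenticationLevel and the RaiseActivationAuthenticationLevel value mentioned above), the LegacyAuthenticationLevel value that DCOMCNFG's machine-wide Default Authentication Level setting stores, and the server-side DistributedCOM event 10036 message text.

```powershell
# Added example (not from the Rockwell notice). Reports the DCOM hardening
# registry state, the DCOMCNFG machine-wide default authentication level, and
# the remote clients the server has already rejected for a low activation
# authentication level. Run elevated on the DCOM server (OPC/FactoryTalk host).

$AppCompatKey = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'   # KB5004442 values live here
$OleKey       = 'HKLM:\SOFTWARE\Microsoft\Ole'             # DCOMCNFG machine-wide defaults

# RPC_C_AUTHN_LEVEL_* numbering as stored in LegacyAuthenticationLevel
$AuthLevelNames = @{ 0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call';
                     4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }

function Get-RegDword([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }    # value absent: Windows applies its built-in default
    return [int]$item.$Name
}

function Get-DcomHardeningState {
    $require = Get-RegDword $AppCompatKey 'RequireIntegrityActivationAuthenticationLevel'
    $raise   = Get-RegDword $AppCompatKey 'RaiseActivationAuthenticationLevel'
    $legacy  = Get-RegDword $OleKey       'LegacyAuthenticationLevel'

    # Read against the notice's phase table: a Require... value of 0 disables
    # hardening only on cumulative updates released before March 14, 2023; from
    # that update onward Windows ignores it, so compare with the installed OS build.
    $defaultLevel = if ($null -eq $legacy) { 'Default (value not set)' } else { $AuthLevelNames[$legacy] }
    [pscustomobject]@{
        RequireIntegrityActivationAuthenticationLevel = $require   # 0 = disable, 1 = enable
        RaiseActivationAuthenticationLevel            = $raise     # 2 = auto-elevate non-anonymous
        HardeningDisabledByRegistry                   = ($require -eq 0)
        NonAnonymousAutoElevated                      = ($raise -eq 2)
        DcomcnfgDefaultAuthenticationLevel            = $defaultLevel
    }
}

function Get-RejectedDcomClients([int]$Days = 7) {
    # Event 10036 (System log, provider Microsoft-Windows-DistributedCOM) is logged
    # server-side when a client activates below Packet Integrity. Its message names
    # the user and client address, which identifies the unpatched OPC or FactoryTalk
    # node that still needs the vendor patch or a DCOMCNFG authentication level change.
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM';
                 Id = 10036; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Message form: "...does not allow the user DOMAIN\user SID (S-1-5-...) from address X..."
        $m = [regex]::Match($_.Message, 'user (?<user>\S+) SID \((?<sid>[^)]+)\) from address (?<addr>\S+)')
        [pscustomobject]@{ User = $m.Groups['user'].Value; Address = $m.Groups['addr'].Value }
    } | Group-Object User, Address | Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'Client'; Expression = { $_.Name } }
}

Get-DcomHardeningState | Format-List
Get-RejectedDcomClients | Format-Table -AutoSize
```

A client that appears in the 10036 list after the March 14, 2023 update cannot be helped by the registry switch any longer; the remedy is the product patch listed in the Correction table or, for the OPC servers named above, the DCOMCNFG authentication level change.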

For Classic OPC-DA communications consider moving clients and servers to operate on the same workstation.

If you would like to receive a notice when the patches or newer versions are released, a link is provided at the end of the Knowledgebase article for this Product Notice.

Requested Customer Action

Rockwell Automation requests you take the following actions:

  • Check if you have a product affected by this Product Notice. Refer to the Product Identification and Description sections of this document for product identification assistance.
  • Review Rockwell Automation Knowledgebase articles related to Rockwell Automation’s response to the DCOM changes Microsoft is making to address CVE-2021-26414. For convenience, all Rockwell Automation articles are being collated on a single Table of Contents article, IN39461 – Microsoft DCOM Hardening Information TOC.
  • Review the following guidance related to Microsoft’s phased delivery of Windows Cumulative Updates that implement DCOM hardening:

    Microsoft Release Date: Between June 8, 2021 and June 13, 2022
    Microsoft Rollout Phase:
      • Windows DCOM security updates are implemented but are disabled by default
    Recommended Action:
      • No action necessary
      • Inventory the Rockwell Automation products and versions in use to understand the future actions that may be required

    Microsoft Release Date: Between June 14, 2022 and March 13, 2023
    Microsoft Rollout Phase:
      • Windows DCOM security updates are enabled by default
      • A Microsoft registry key can disable these Microsoft changes
      • Anonymous DCOM authentication is automatically elevated
      • A Microsoft registry key can be used to automatically elevate non-anonymous DCOM authentication
    Recommended Action (take one or more of the following):
      • Disable the Microsoft DCOM security updates as described in Microsoft KB5004442
      • As described in the Correction section:
        • If possible, install Rockwell Automation patches for all directly affected products; or update all directly affected Rockwell Automation products to the most current version released after February 2022
        • If it is not possible to patch or update Rockwell Automation products, apply a recent (late 2022) Windows Cumulative Update to correct and apply automatic elevation for both anonymous and non-anonymous DCOM connections
        • In a mixed system with Rockwell Automation and non-Rockwell Automation products, install Rockwell Automation patches for all directly affected products; or update all directly affected Rockwell Automation products to the most current version released after February 2022, so there is control over the DCOM authentication level being used between clients and servers
      • If necessary, move Classic OPC-DA clients and servers to the same workstation

    Microsoft Release Date: March 14, 2023
    Microsoft Rollout Phase:
      • Windows DCOM security updates are enabled by default
      • Microsoft DCOM changes can no longer be disabled
      • Anonymous and non-anonymous DCOM authentication is automatically elevated
    Recommended Action (take one or more of the following):
      • As described in the Correction section: if possible, install Rockwell Automation patches for all directly affected products; or update all directly affected Rockwell Automation products to the most current version released after February 2022
      • If necessary, move Classic OPC-DA clients and servers to the same workstation
  • Customers under support contract are automatically eligible for software updates. Customers not under a support contract should contact Rockwell Automation for further instructions.
  • If you need additional assistance, please contact Rockwell Automation Technical Support. Refer to the attached document’s appendix for local telephone numbers. Customers without TechConnect℠ support contracts should reference this Product Notice when calling.
  • Customers with TechConnect support contracts may be able to chat online with support representatives. Reference this Product Notice when connected to a support engineer.
