[German]There was a vulnerability in Microsoft's Windows DCOM implementation that allows security features to be bypassed. Microsoft has documented and patched this, and plans to release a final one in March 2023, however. Security vendor OTORIO has released an open source DCOM hardening toolkit for OT systems in advance, which companies can use to analyze their DCOM environments and harden them if necessary.
Advertising
DCOM vulnerability CVE-2021-26414
The OPC Data Access (OPC DA) protocol was introduced in 1995 to enable the communication of real-time data between the programmable logic controller (PLC/PLC) and software in OT networks. However, OPC DA is based on DCOM technology, which has security vulnerabilities. In 2008, Microsoft introduced the non-DCOM OPC Unified Architecture (OPC UA) protocol, but many industrial companies still use OPC DA.
In 2021, Microsoft acknowledged a critical vulnerability in its DCOM protocol and announced a hardening patch to strengthen authentication between DCOM clients and servers. To minimize service disruptions, the patch was released in phases.
- The first patch introduced the ability to enable hardening of weak authentication layers in DCOM, but was disabled by default.
- The second patch enforced hardening by default with the option to disable it.
- The rollout of the third DCOM hardening patch had automatically elevated all non-anonymous activation requests from DCOM clients.
- On March 14, 2023, Microsoft will issue a new patch that removes the option to enable unsecured DCOM altogether.
Microsoft has published the support article KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414) and states that the following Windows versions are affected:
- Windows 11 21H2 – 22H2
- Windows Server 2022
- Windows 10, version 2004 – 21H1, Windows Server, Vvrsion 20H2
- Windows 10 Enterprise, version 1909
- Windows 10 IoT Enterprise, version 1909
- Win 10 Enterprise LTSC version 2019
- Windows 10 IoT Enterprise LTSC version 2019
- Windows Server 2019
- Windows 10, Version 1607, Windows Server 2016
- Windows 8. 1, Windows Server 2012 R2
- Windows Embedded 8.1 Industry Enterprise
- Windows Server 2012
- Windows Embedded 8 Standard
- Windows 7, Windows Server 2008 R2
- Windows Embedded Standard 7 ESU
- Windows Embedded POSReady 7 ESU
- Windows Thin PC Windows Server 2008
Windows 7 SP1 and Windows 8.1 will probably no longer receive security updates in March 2023, as they have fallen out of support.
OTORIO DCOM Hardening Toolkit for OT Systems
Security vendor OTORIO has now released the open source-based Microsoft Distributed Component Object Model (DCOM) Hardening Toolkit on GitHub. The goal is to protect operational technology (OT) systems from potential issues related to an upcoming Microsoft patch. The standalone open source toolkit can be used by all organizations to identify weak applications for DCOM authentication and provide temporary workarounds. OTORIO RAM² users also have automatic access to a new Safe Active Query alert that provides detection across the network.
Advertising
OTORIO's DCOM Hardening Toolkit allows users to quickly determine if their networks contain unsecured DCOM that is rendered unusable by the new patch. It then provides remediation instructions to ensure that organizations maintain full control of their OT devices.
RAM² from OTORIO collects and analyzes multiple data sources present in the OT environment. These include Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controllers (PLC/PLC), Distributed Control Systems (DCS), historical databases, engineering systems and more. The solution then enriches this analysis with operational context, vulnerabilities and exposures to assess the security posture and identify and prioritize OT security threats.
