
Security Advisory IBA-2022-02

Unable to establish OPC DA connection after installing patch for CVE-2021-26414

Publishing Date: 2022-03-23
Last Update: 2022-03-23
Tracking ID: IBA-2022-02
CVE: CVE-2021-26414
CVSS Base Score: 4.8
CVSS Temporal Score: 4.2
CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C

Summary

Microsoft is releasing multiple updates that address CVE-2021-26414. These updates raise the minimum authentication level of DCOM connections to packet integrity. OPC DA, also known as OPC Classic, uses DCOM to establish connections and is therefore affected by this change. Any OPC Classic client that relies on DCOM and does not support the packet integrity authentication level will be unable to connect to remote OPC Classic servers once the DCOM security update is enforced.

The vulnerability is addressed by Microsoft in a phased rollout:

1. June 8, 2021: Initial deployment of update package - Customers can verify their applications.
2. June 14, 2022: Hardening of DCOM servers is enabled programmatically by default, but can be disabled via registry key.
3. March 14, 2023: Enables hardening of DCOM servers by default and the ability to disable the hardening is removed.

A detailed description of the timeline and the registry keys, along with the new DCOM error events, can be found in the Knowledge Base article KB5004442.
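To inventory clients that still connect below packet integrity before enforcement, the DCOM events described in KB5004442 can be triaged as in the following added example, which is not part of the advisory or of iba's software. It assumes events 10036, 10037 and 10038 from the System log exported as (ID, message) pairs with the message wording documented in KB5004442; the helper name `triage` and all sample values are constructed.

```python
import re
from collections import defaultdict

PKT_INTEGRITY = 5  # RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, the hardened minimum

# Constructed sample records as (event ID, message). Assumption: wording follows
# the event templates in KB5004442; hosts, users, SID, paths and CLSIDs are made up.
SAMPLE_EVENTS = [
    (10036, r"The server-side authentication level policy does not allow the user "
            r"PLANT\opcsvc SID (S-1-5-21-1111111111-2222222222-3333333333-1104) from "
            r"address 192.0.2.15 to activate DCOM server. Please raise the activation "
            r"authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in "
            r"client application."),
    (10038, r"Application C:\Example\opcclient.exe with PID 4312 is requesting to "
            r"activate CLSID {00000000-0000-0000-0000-000000000001} on computer "
            r"opcserver01 with default activation authentication level at 2."),
    (10037, r"Application C:\Example\logger.exe with PID 988 is requesting to "
            r"activate CLSID {00000000-0000-0000-0000-000000000002} on computer "
            r"opcserver02 with explicitly set authentication level at 4."),
    (7036, "Unrelated System log entry."),
]

SERVER_RE = re.compile(r"does not allow the user (?P<user>.+?) SID \((?P<sid>[^)]+)\) "
                       r"from address (?P<addr>\S+) to activate DCOM server")
CLIENT_RE = re.compile(r"Application (?P<app>.+?) with PID \d+ is requesting to activate "
                       r"CLSID \S+ on computer (?P<server>\S+) with (?:explicitly set|"
                       r"default activation) authentication level at (?P<level>\d+)")

def triage(events):
    """Return (rejected, weak): clients a hardened server refused, keyed by address,
    and local applications still activating below packet integrity."""
    rejected = defaultdict(set)  # client address -> accounts refused (event 10036)
    weak = {}                    # (application, server) -> (level, set explicitly?)
    for event_id, message in events:
        if event_id == 10036 and (m := SERVER_RE.search(message)):
            rejected[m["addr"]].add(m["user"])
        elif event_id in (10037, 10038) and (m := CLIENT_RE.search(message)):
            level = int(m["level"])
            if level < PKT_INTEGRITY:
                # 10037: the application set the level itself; 10038: it used the default
                weak[(m["app"], m["server"])] = (level, event_id == 10037)
    return dict(rejected), weak

if __name__ == "__main__":
    rejected, weak = triage(SAMPLE_EVENTS)
    for addr, users in rejected.items():
        print(f"server refused {sorted(users)} from {addr}")
    for (app, server), (level, explicit) in weak.items():
        print(f"{app} -> {server}: level {level}, {'explicit' if explicit else 'default'}")
```

Addresses reported by event 10036 on an OPC DA server point to the client machines that need the update; events 10037 and 10038 on a client machine name the application that is requesting the lower level.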

Affected products

ibaPDA
All versions prior to v7.3.11
In ibaPDA v7.3.11 the default authentication level was raised to packet integrity (5); in earlier versions it was set to connect (2).

How do I know that I'm affected?

Check the version number in the title of the status application on the system where the server is running.

Customer Actions

Update to ibaPDA Version v7.3.11 or higher to be able to connect to OPC DA servers which have set their authentication level to packet integrity.

Timeline

2021-06-08 Initial information published by Microsoft MSRC
2021-12-09 Support ticket
2021-12-10 Investigation of which products are affected
2022-01-04 Testing phase
2022-02-08 New ibaPDA Version v7.3.11 released
2022-03-23 Security advisory published