Kepware Knowledge Base: Solution


Do the Meltdown and Spectre patches impact Kepware products?


Last Update: 11/12/2018

Not directly. The Windows Updates, however, can impact OPC DA, OPC AE, and OPC HDA communications with KEPServerEX.


Background

A discovered vulnerability in processor chips can allow malicious programs running with few permissions to access information those programs do not own and should not access. Local access is required to perform this exploit. Microsoft has released updates to the operating systems of affected devices to tighten security and reduce risk. These updates can affect communications and client access.


Since the original publication of this article, Microsoft has released new patches without these problems. Below is a summary of the initial patches and the updated patches that do not suffer from the communications problems. The solution below is necessary only if the recommended patches are not installed.


Windows 10 version 1507 Enterprise

Introduced in: KB4056893

Fixed in: KB4075199

Windows 10 version 1511

Introduced in: KB4056888

Fixed in: KB4075200

Windows 10 version 1607, Windows Server 2016

Introduced in: KB4056890

Fixed in: KB4057142

Windows 10 version 1703

Introduced in: KB4056891

Fixed in: KB4057144

Windows 10 version 1709

Introduced in: KB4056892

Fixed in: KB4073291 (x86), KB4058258

Windows Server 2012 Standard

Introduced in: KB4056896, KB4056899

Fixed in: KB4057402

Windows Server 2012 R2 Standard

Introduced in: KB4056898

Fixed in: KB4057402
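
The following PowerShell sketch is an added example, not Kepware or Microsoft code. It compares a host's installed updates against the Introduced/Fixed pairs listed above. The function name Test-DcomPatchState and the status strings are hypothetical, and the script assumes Get-HotFix reports the relevant updates on the host.

```powershell
# Patch pairs copied from the summary above: the update that introduced the
# CoInitializeSecurity issue and the update listed as fixing it.
$PatchTable = @(
    @{ OS = 'Windows 10 1507 Enterprise';      Introduced = @('KB4056893');             Fixed = @('KB4075199') }
    @{ OS = 'Windows 10 1511';                 Introduced = @('KB4056888');             Fixed = @('KB4075200') }
    @{ OS = 'Windows 10 1607 / Server 2016';   Introduced = @('KB4056890');             Fixed = @('KB4057142') }
    @{ OS = 'Windows 10 1703';                 Introduced = @('KB4056891');             Fixed = @('KB4057144') }
    # KB4073291 is the x86 fix; KB4058258 is the other fix listed for 1709.
    @{ OS = 'Windows 10 1709';                 Introduced = @('KB4056892');             Fixed = @('KB4073291', 'KB4058258') }
    @{ OS = 'Windows Server 2012 Standard';    Introduced = @('KB4056896', 'KB4056899'); Fixed = @('KB4057402') }
    @{ OS = 'Windows Server 2012 R2 Standard'; Introduced = @('KB4056898');             Fixed = @('KB4057402') }
)

function Test-DcomPatchState {
    # Hypothetical helper: returns one row per table entry whose
    # "Introduced in" update appears in the supplied list of hotfix IDs.
    param([string[]]$InstalledIds)

    foreach ($row in $PatchTable) {
        $introduced = @($row.Introduced | Where-Object { $InstalledIds -contains $_ })
        if ($introduced.Count -eq 0) { continue }   # issue-carrying update not listed

        $fixed = @($row.Fixed | Where-Object { $InstalledIds -contains $_ })
        [pscustomobject]@{
            OS              = $row.OS
            IntroducedFound = $introduced -join ', '
            FixFound        = $fixed -join ', '
            # ReviewNeeded: no fix KB from the table is listed; confirm against
            # the host's update history before changing any DCOM settings.
            Status          = if ($fixed.Count -gt 0) { 'FixListed' } else { 'ReviewNeeded' }
        }
    }
}

# Constructed sample input: a 1709 host with only the initial patch.
Test-DcomPatchState -InstalledIds @('KB4056892') | Format-Table -AutoSize

# Live check on the local host (Get-HotFix reads Win32_QuickFixEngineering).
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
Test-DcomPatchState -InstalledIds $installed | Format-Table -AutoSize
```

An empty result from the live check means none of the "Introduced in" updates from the summary is listed on the host.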


Performance

There were initial reports of some applications showing degraded performance after the patches were installed. Although not exhaustive, Kepware's testing showed no noticeable difference in driver performance after installing the Microsoft patches.

Different hardware platforms can be impacted differently, but Kepware's limited testing revealed no noticeable performance degradation. The performance testing was performed on Windows 7 Pro using the Haswell processor architecture.


Details

Microsoft updates (specific numbers below) contain a known issue that causes a programmatic call of CoInitializeSecurity to fail if it attempts to set the Default Authentication Level to RPC_C_AUTHN_LEVEL_NONE or the Default Impersonation Level to RPC_C_IMP_LEVEL_NONE.

CoInitializeSecurity is a COM function that is optionally used to register and set security values for a process. If a process does not call this function, security is set according to the values saved in the registry and adjusted using Component Services. Fortunately, Kepware products default to using the registry for setting up DCOM and are not susceptible to the known issue in the update. However, they do have an option to disable the DCOM configuration settings and switch to a pre-configured CoInitializeSecurity call.


CAUTION: It is important to independently test and validate all Microsoft patches in the actual environment to ensure proper functioning. Microsoft has noted performance implications after applying these patches, so testing specific applications and interfaces is highly recommended.


Problems after Windows Update:

  • Client applications can no longer connect to KEPServerEX.
  • OPC DA Client driver can no longer connect to other OPC DA servers.
  • OPC Quick Client cannot browse to a local instance of KEPServerEX.

Solutions:

Prevent KEPServerEX from calling CoInitializeSecurity by enabling the use of DCOM settings.

  1. Right-click on the KEPServerEX Administration icon in the System Tray and select Settings.
  2. Click to view the Runtime Options tab.
  3. Under the OPC Connection Security group, verify the Use DCOM configuration settings option is enabled (default).
  4. Configure DCOM according to the Remote OPC DA Quick Start guide.


Prevent OPC Quick Client from calling CoInitializeSecurity by enabling the use of DCOM settings.

  1. Launch OPC Quick Client.
  2. Select Tools | Options.
  3. Ensure Use DCOM for remote security is checked.
  4. Close and re-launch OPC Quick Client.

Ensure that client and server applications interacting with KEPServerEX do not programmatically call CoInitializeSecurity using RPC_C_IMP_LEVEL_NONE and RPC_C_AUTHN_LEVEL_NONE.


Microsoft Update KBs that have this known issue:

https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056890

https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056891

https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056892

https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056893

https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056895

https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056898


Kepware and PTC are currently evaluating and validating initial test findings and guidance from Microsoft. This article will be updated if there are any additional recommendations.