Product Advisory - OSTS

Owl's OPC Server Transfer Service (OSTS) and Microsoft's DCOM vulnerability (CVE-2021-26414)

Date: June 9, 2022

Subject: OPC Server Transfer Service (OSTS) v2.2.3.0 Upgrade to Address Windows DCOM Server Security Feature Bypass (CVE-2021-26414) is Now Available

Importance: Critical

Operational Impact: High

Advisory Description:

Microsoft has released a security update that changes how the Windows OS enforces DCOM security in response to a discovered vulnerability. The vulnerability addressed in the OPC Server Transfer Service (OSTS) v2.2.3.0 release is CVE-2021-26414.

DCOM is a component that allows the OSTS product to communicate with OPC servers. Microsoft is now rolling out products containing the new DCOM security features that are enabled by default. The associated Windows update is not compatible with OSTS versions prior to v2.2.3.0, putting customers at risk of a stoppage in data flow. Therefore, Owl rates this advisory as “Critical” and operational impact as “High”.

Owl customers can rest assured that the one-way design of the core Owl data diode technology prevents bad actors from using this identified vulnerability to create exploits that can threaten your protected facilities. OSTS has been updated so that it works with the Windows DCOM Server Security Feature Vulnerability update.

Affected Products: OPDS-5D, OPDS-100D, OPDS-100, OPDS-1000, OPDS-MP, EPDS, and other variants.

Course of Action: Owl strongly recommends that customers upgrade to OSTS v2.2.3.0. Customers with current software maintenance contracts can request a copy of this software release by clicking on the link below.


Contact Support