Product Advisory - OSTS
Date: June 9, 2022
Subject: OPC Server Transfer Service (OSTS) v220.127.116.11 Upgrade to Address Windows DCOM Server Security Feature Bypass (CVE-2021-26414) is Now Available
Operational Impact: High
Microsoft has released a security update that changes how the Windows OS enforces DCOM security in response to a discovered vulnerability. Specifically, the vulnerability addressed in the OPC Server Transfer Service (OSTS) v18.104.22.168 release is CVE-2021-26414.
DCOM is a component that allows the OSTS product to communicate with OPC servers. Microsoft is now rolling out products containing the new DCOM security features that are enabled by default. The associated Windows update is not compatible with OSTS versions prior to v22.214.171.124, putting customers at risk of a stoppage in data flow. Therefore, Owl rates this advisory as “Critical” and operational impact as “High”.
Owl customers can rest assured that the one-way design of the core Owl data diode technology prevents bad actors from using this identified vulnerability to create exploits that can threaten your protected facilities. OSTS has been updated to allow it to work with the Windows DCOM Server Security Feature Vulnerability update.
Affected Products: OPDS-5D, OPDS-100D, OPDS-100, OPDS-1000, OPDS-MP, EPDS, and other variants.
Course of Action: Owl strongly recommends that customers upgrade to OSTS v126.96.36.199. Customers with current software maintenance contracts can request a copy of this software release by clicking on the link below.