Security Announcements

Announcements and statements regarding industry security news can be found here.


Updates

Update 5: Newer updates to Microsoft Security Intelligence, starting at 1.403.870 (21 Dec 2023) and onwards, seem to have resolved the issue, as noted by SE here: Microsoft Update Testing. Please update to the latest Security Intelligence version to avoid additional conflicts. It is still recommended to apply the exclusions specified in the Schneider-provided article here: Anti-malware Configuration

Update 4: Subsequent updates to Microsoft Security Intelligence are still not allowing Geo SCADA to proceed unhindered, with SE and Microsoft still working on the issue. The guidance is still to refrain from updates before 14 December and/or to establish exceptions in the security software for Geo SCADA. Please refer to the following guide for a discussion on exclusions for anti-malware software: Anti-malware Configuration

Update 3: Microsoft is aware of the issue and will include a correction in an upcoming update to Defender Security Intelligence. We are awaiting confirmation of the appropriate version we should watch for. In addition, Schneider Electric is working on resolving this in the December 2023 releases of Geo SCADA 2020/2021/2022 by utilizing a different digital signature on their software components. The December 2023 release will be made available as soon as possible.

Update 2: Schneider Electric has updated the Microsoft Update testing page to indicate the known issue with Defender here: Microsoft Update Testing

Update 1: Please review SE’s post on the official EcoStruxure Geo SCADA Expert Forum here: Windows Defender update falsely detects some Geo SCADA files

Affected Software Versions

Geo SCADA releases made from December 2022 to September 2023 inclusive, including versions of 2019, 2020, 2021 and 2022.

Original Announcement

As of Thursday 14 December 2023, AUTOSOL has been made aware of Schneider Electric EcoStruxure Geo SCADA Expert software components being flagged by Microsoft Defender XDR as malware. Specifically, “PUA:Win32/SpeedChecker”.

Example Windows Security popup quarantining ServerIcon.exe (the system tray shortcut to Geo SCADA server)

While we are still investigating, we encourage all our customers to review their security software update process and see if it’s possible to avoid updating Microsoft Defender XDR (and the security intelligence updates) on their OT networks until we receive additional guidance from Microsoft and Schneider Electric.

Version of Microsoft security intelligence which is reporting Geo SCADA software.

The consequences of the update result in the possible quarantine of the Geo SCADA Expert processes required for operation. Exclusion of the Geo SCADA install directories should mitigate this issue. However, recovery after automatic quarantining of the processes may be difficult without reinstalling Geo SCADA.

Recovery

If your system(s) were affected by this, please attempt the following:

  • Exclude the Geo SCADA install directories on the machine from Microsoft Defender’s scans. This can be done from the “Virus & threat protection settings” section of Windows settings.

  • Attempt to ‘revert’ the changes using the “Virus and threat protection” section of Windows settings.

  • Run the Geo SCADA installer and ‘repair’ the services.
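An added PowerShell example, not part of the AUTOSOL announcement and not Schneider Electric or Microsoft code, that works through the recovery steps above on an affected host in the order that avoids a second quarantine: it checks the Security Intelligence version against the 1.403.870 build reported as resolved, lists what Defender quarantined under PUA:Win32/SpeedChecker, adds the install-directory exclusions, and only then restores the quarantined files. The Geo SCADA directory paths are placeholders to be replaced with the paths on your server; the cmdlets used are the built-in Defender PowerShell module and MpCmdRun.exe.

```powershell
# Added example (not from the AUTOSOL announcement). Run from an elevated PowerShell session
# on the affected Geo SCADA host. The directories below are PLACEHOLDERS: replace them with
# the Geo SCADA install and data directories actually used on this machine.
$GeoScadaDirs = @(
    'C:\Path\To\Geo SCADA\Program Files',   # placeholder
    'C:\Path\To\Geo SCADA\Database'         # placeholder
)
$FixedSignature = [version]'1.403.870.0'    # first Security Intelligence version reported as resolved
$ThreatName     = 'PUA:Win32/SpeedChecker'  # detection name from the announcement
$MpCmdRun       = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# Step 0: report the Security Intelligence version. Anything older than 1.403.870 may still
# flag Geo SCADA binaries, so the exclusions below are still needed on such a host.
$sigVersion = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($sigVersion -lt $FixedSignature) {
    Write-Warning "Security Intelligence $sigVersion predates $FixedSignature; the false positive can still occur."
} else {
    Write-Host "Security Intelligence $sigVersion is at or past the version reported as resolved."
}

# Step 1 (diagnostic): which files did Defender act on under this threat name?
# Get-MpThreat carries the name, Get-MpThreatDetection carries the affected resources; join on ThreatID.
$threatIds  = @(Get-MpThreat -ErrorAction SilentlyContinue |
                Where-Object ThreatName -eq $ThreatName |
                Select-Object -ExpandProperty ThreatID)
$detections = @(Get-MpThreatDetection -ErrorAction SilentlyContinue |
                Where-Object { $threatIds -contains $_.ThreatID })
if ($detections.Count -eq 0) {
    Write-Host "No detections of $ThreatName recorded on this host."
} else {
    Write-Host "Detections of $ThreatName on this host:"
    foreach ($d in $detections) {
        foreach ($res in $d.Resources) {
            Write-Host ("  {0}  {1}  success={2}" -f $d.InitialDetectionTime, $res, $d.ActionSuccess)
        }
    }
}

# Step 2: exclude the Geo SCADA directories from scanning (same setting as the
# "Virus & threat protection settings" page, done from the command line).
$existing = @((Get-MpPreference).ExclusionPath)
foreach ($dir in $GeoScadaDirs) {
    if ($existing -contains $dir) {
        Write-Host "Exclusion already present: $dir"
    } else {
        Add-MpPreference -ExclusionPath $dir
        Write-Host "Added exclusion: $dir"
    }
}

# Step 3: restore the quarantined items. This must come AFTER the exclusions, otherwise the
# restored files are re-detected and quarantined again on the next scan.
if ($detections.Count -gt 0 -and (Test-Path $MpCmdRun)) {
    & $MpCmdRun -Restore -ListAll                    # show what is in quarantine
    & $MpCmdRun -Restore -Name $ThreatName -All      # restore everything held under this name
}

# Step 4: if services still fail to start, run the Geo SCADA installer and choose 'repair',
# as the announcement recommends. No installer command is assumed here.
Write-Host "If Geo SCADA services do not start, run the Geo SCADA installer and select 'repair'."
```

The script only reports and restores; it does not change Defender's real-time protection state. Restoring before the exclusion is in place is the common mistake in this situation, which is why the order above matters.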

More Information

The specific Security Intelligence update is documented here: https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.403.485.0

Guidance from Schneider Electric will be posted on the Schneider Electric website here:

Windows Defender update falsely detects some Geo SCADA files

Microsoft Update Testing

Please see the below links for official recommendations on anti-virus exclusions on production environments:

Geo SCADA Knowledge Base: Anti-malware Configuration

Geo SCADA 2022 Help File (article ‘Anti-virus Scan Exclusions’): https://tprojects.schneider-electric.com/GeoSCADAHelp/Geo%20SCADA%202020/Default.htm#ServerAdministrationGuide/Anti-virusScanExclusions.htm

This post will be updated as more information becomes available.

Microsoft will release its final update regarding Windows DCOM Hardening on March 14, 2023.

ACM versions 9.1 and later will automatically work with versions of Windows that have been updated with the DCOM Hardening security changes. However, ACM settings can be customized to run ACM 9.1 and later without the DCOM Hardening changes. ACM 9.1 is scheduled to be released late spring 2023.

If you have ACM 9.0.X or earlier, you can also use ACM settings to run ACM in a DCOM Hardened environment.

The instructions to do so are found here: ACM and Windows DCOM Hardening

More information from AUTOSOL about DCOM Hardening is in the post dated 31-May-2022.

Should more information be required, please contact your salesperson or AUTOSOL support.

Dear Client: We value your business and respect the privacy of your information, which is why, as a precautionary measure, we are informing you about a security vulnerability that has recently been brought to our attention.

The third-party installer package used for AUTOSOL software previously contained a security vulnerability that has since been successfully patched by the software vendor. AUTOSOL has implemented the updated patch from the vendor and produced new installers for all affected software. The new installers have been made available on the AUTOSOL SharePoint site for users to download and install.

Should more information be required, please contact your salesperson or AUTOSOL support.

A recent vulnerability (CVE-2021-26414) discovered in Windows allows server security to be bypassed, leaving the server vulnerable to malicious attack. Microsoft has since patched the vulnerability under update KB5004442. The update will be released in stages from June 2021 through March 2023, allowing users and vendors to add support for the update.

  • Stage 1 – The hardening patch will be delivered through a Windows update, but it will be disabled. It can be manually enabled through a registry key.  No changes will be required at this time.

  • Stage 2 – A Windows update will be delivered which enables the patch. This will affect all computers that don’t have the patch manually disabled. With this update, the patch can still be manually disabled through the use of a registry key.  Once the Windows update is installed and the patch is enabled the server is effectively hardened and the client/server OPC software must support the necessary level of authentication.

  • Stage 3 – A Windows update will be delivered to permanently enable the patch. This will result in a completely hardened server with no ability to disable the patch outside of rolling back the update.  Both the servers and clients must be compatible with the impending changes.

Details for the stages, registry keys, and how to identify if there are existing issues can be found in the details for KB5004442.

Microsoft Timeline

Update release (1)   Behavior change
June 8, 2021         Hardening changes disabled by default, but with the ability to enable them using a registry key.
June 14, 2022        Hardening changes enabled by default, but with the ability to disable them using a registry key.
March 14, 2023       Hardening changes enabled by default, with no ability to disable them. By this point, you must resolve any compatibility issues between the hardening changes and the applications in your environment.

(1) Release dates are subject to change; refer to KB5004442 for the current schedule.

What is affected?

Operating systems in active support by Microsoft will receive the DCOM hardening update.  Once hardened, host machines will require an elevated method of authentication for RPC calls to function properly.  Client and server applications that communicate remotely must both support the elevated authentication methods if the host end is hardened. 

What isn’t affected?

  • Clients that are local to the OPC server will not be affected by this regardless of the patches applied. 

  • Client/server connections that utilize OPC UA are not affected.

  • Hardened client computers connecting to non-hardened application servers will not require any changes as the server end has not yet been hardened.

  • Servers running versions of Windows that are unsupported by Microsoft

    • Ex: Windows XP, Windows 7, Server 2008 and prior 

What constitutes a client?

A client is defined as any application or service that will connect to the OPC server utilizing the DCOM interface.  An example of a client connection would be an HMI connecting to an OPC server utilizing OPC DA, HDA, or OPC AE. 

Identifying the Issue

Microsoft has added additional logging to the Windows Event log to help identify applications that are experiencing issues.  These log messages are denoted in article KB5004442, but in general if a client fails to connect because of DCOM hardening then there will be messages that suggest either the  server application or client application need to raise their authentication level to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher.  Please reference the published article by Microsoft for more details on these messages.
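An added PowerShell example, not from the announcement and not Microsoft's code, that audits a Windows host for the two things the stages above and this section describe: the registry override that controls the hardening state, and the DCOM event log messages that point at an authentication level below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. The registry location and value name (HKLM\SOFTWARE\Microsoft\Ole\AppCompat, RequireIntegrityActivationAuthenticationLevel) and the event IDs (10036 server side, 10037 and 10038 client side) are those published in KB5004442; the function names and the seven-day window are my own choices. The optional enable step implements the Stage 1 option of turning hardening on early; the script never writes the disable value.

```powershell
# Added example (not from the AUTOSOL announcement or from KB5004442). Run in an elevated
# PowerShell session on the OPC server or client host you want to check.
$KeyPath      = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'            # documented in KB5004442
$ValueName    = 'RequireIntegrityActivationAuthenticationLevel'      # 0 = disabled, 1 = enabled
$PktIntegrity = 5   # RPC_C_AUTHN_LEVEL_PKT_INTEGRITY: the minimum level a hardened server accepts

function Get-DcomHardeningState {
    # Reports how this host is configured. With no override present, behaviour follows the
    # Windows update stage: off before June 2022, on from June 2022, not configurable after March 2023.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'Default (no registry override; follows the installed Windows update stage)'
    }
    switch ($item.$ValueName) {
        0       { 'Hardening explicitly DISABLED by registry (honoured only before the March 2023 update)' }
        1       { 'Hardening explicitly ENABLED by registry' }
        default { "Unexpected value $($item.$ValueName) in $ValueName" }
    }
}

function Enable-DcomHardening {
    # Stage 1 option: turn the hardening on ahead of the default change to find incompatible
    # clients while the change can still be backed out by Windows update policy.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord
    Write-Host "Set $ValueName = 1; restart the host for the change to take effect."
}

function Get-DcomAuthLevelEvents {
    param([int]$Days = 7, [int]$Max = 100)
    # 10036: the server-side policy refused a remote activation made below PKT_INTEGRITY.
    # 10037 / 10038: a local client requested activation with an explicit / default level
    # that a hardened server will refuse. Messages name RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Write-Host "DCOM hardening state: $(Get-DcomHardeningState)"
Write-Host "Required activation authentication level: $PktIntegrity (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)"

$events = @(Get-DcomAuthLevelEvents)
if ($events.Count -eq 0) {
    Write-Host 'No DCOM authentication-level events in the last 7 days.'
} else {
    # 10036 means fix or update the CLIENT application named in the message;
    # 10037/10038 mean this host's own client software is using too low a level.
    $events | Format-Table -Wrap -AutoSize
}

# Uncomment to opt in to hardening early (Stage 1 behaviour):
# Enable-DcomHardening
```

Run it on the OPC server first: 10036 events there identify the remote client hosts and accounts whose applications need an update, which is the information you need before the March 2023 stage removes the ability to disable the change.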

Which AUTOSOL products are affected?

Products and software released by AUTOSOL that will be affected by these changes are listed below.  Note that all versions of the products listed below will be affected.

  • AutoSol Communication Manager (ACM)

  • AUTOSOL Bridge

  • AutoSol Enterprise Server (AES)

  • DBClient

  • AlarmManager

  • Modbus Slave

  • OPCMessenger

Which AUTOSOL products will be updated?

The table below denotes which products are under active maintenance and which ones will be updated to support the changes required by KB5004442 as a result of CVE-2021-26414.

                                    ACM   AUTOSOL Bridge   AES   DBClient   AlarmManager   MBSlave   OPCMessenger
Active Maintenance                  Y     Y                N     Y          N              N         N
Planned Update for CVE-2021-26414   Y     Y                N     Y          N              N         N

If the product is currently under active maintenance, then AUTOSOL will provide an update for the currently supported versions of that product.  For example, ACM version 8.0, 8.1, and 8.2 are all under active support at the time of this post.  The last hardening update from Microsoft is scheduled to be pushed out in March of 2023.  Versions listed under Active Maintenance found here, ACM Software Maintenance Policy, will receive an update that supports the changes required by the hardening process.  Per the table in the Maintenance Policy those versions would include 8.0.1 and newer.

What should I do if my product is not going to receive an update?

There are multiple factors to consider if your product is not going to receive an update.  If your product is not set to receive an update, then it is out of active maintenance and has reached its End of Life. Alternate offerings may be available from AUTOSOL for products that have reached End of Life. Contact AUTOSOL Support at autosol.support@autosoln.com, 281-286-6017, to identify the best path forward. 

What should I do if I’m currently using AES?

AutoSol Communication Manager, ACM, has been released for over 10 years and is the successor to AES.  AES has been out of support since 2010.  AUTOSOL offers a migration path to ACM if you’re currently a user of AES.  Contact AUTOSOL Support or visit Protocols Supported by AUTOSOL's Polling Engines | Native & Modbus to validate the protocols in your system are listed as those supported by ACM.  Contact your salesperson or call 281-286-6017 for more information regarding an upgrade path.

What should I do if my server is running an OS that is not currently supported by Microsoft?

No action is needed for hardening because the server will not get the hardening update. 

Note: This is not a recommended operating state and leaves your system susceptible to attack.  AUTOSOL recommends migrating to a new host with up-to-date and supported software.

How do I know if my non-AUTOSOL client application is compatible with the hardening changes?

Contact the software vendor directly for more information.  If the client application is remote to the host server and fails to function properly, look for messages regarding RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in the Windows Event log.  Consult the KB5004442 article to determine if it’s a client or server application issue and then contact the necessary parties. 

How do I get updates from AUTOSOL?

Releases for the affected products are not yet officially available, however temporary workarounds may exist depending on the software in question.  Releases for the products slated to be updated will be uploaded to our download repository once available. 

Please contact AUTOSOL support at autosol.support@autosoln.com, 281-286-6017, for additional details. 

A zero-day security vulnerability within Apache’s Log4j library could allow for remote code execution. Log4j is a Java utility which is commonly included within the installs of many Java applications. AUTOSOL software, including ACM and eACM, does not utilize Java and thus is not susceptible to this particular attack. More information regarding this incident is available here:

https://logging.apache.org/log4j/2.x/security.html

CVE Website


16055 Space Center Boulevard, Suite 450

Houston, Texas 77062

281.286.6017

All information contained herein is considered proprietary. Any unauthorized disclosure or use is prohibited.