Critical Flaws in Kepware Products Can Facilitate Attacks on Industrial Firms

Several critical vulnerabilities have been found by researchers in products from PTC-owned industrial automation solutions provider Kepware.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week published two advisories describing vulnerabilities identified in Kepware products.

One of the advisories covers three flaws discovered by researchers at industrial cybersecurity firm Claroty. The security holes, two rated critical and one high severity, are described as a stack-based buffer overflow, a heap-based buffer overflow, and a use-after-free bug.

The critical vulnerabilities can be exploited to crash the server, leak data, and remotely execute arbitrary code by opening a specially crafted OPC UA message. The high-severity bug can allow an attacker to crash the server by creating and closing OPC UA connections at a high rate, CISA said in its advisory.

“The vulnerabilities were located in the KEPServerEX, ThingWorx Kepware and OPC-Aggregator OPC products,” Uri Katz, senior researcher at Claroty, told SecurityWeek. “In order to exploit these vulnerabilities, attackers would need to have network access to the OPC server. OPC servers are a central part in many OT networks, which makes them a lucrative target for attackers.”

Katz added, “In our research we were able to show that these vulnerabilities can be exploited remotely without any authentication needed and that successful exploitation of these vulnerabilities could lead to a server crashing, a denial-of-service condition, data leakage, or remote code execution.”

CISA noted that products from Rockwell Automation, GE Digital and Software Toolbox also use a vulnerable component, and advised the customers of these companies to check if their products are affected and apply available patches. Advisories released by Rockwell, GE and Software Toolbox only mention crashes (DoS) and data leaks in terms of impact. However, DoS attacks can have serious consequences in the case of industrial control systems (ICS).

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

The second advisory released last week by CISA describes one critical vulnerability found by a Cisco Talos researcher in Kepware LinkMaster, which is designed for exchanging data between OPC DA servers.

The vulnerability was found in the product’s default configuration and it allows a local attacker to execute arbitrary code with SYSTEM privileges. Talos published an advisory for this flaw on December 16, one day before CISA released its advisories.

“The vulnerabilities were raised and addressed through PTC’s Coordinated Vulnerability Disclosure (CVD) program – an important piece of our product security strategy. We appreciate our partnership with security research firms like Claroty and Cisco Talos and their willingness to work with PTC through the CVD program. Working with CISA provides a vehicle for the disclosure of vulnerabilities in a responsible way,” PTC said in an emailed statement.

Related: Flaws in PcVue SCADA Product Can Facilitate Attacks on Industrial Organizations

Related: Flaws in Rockwell Automation Product Expose Engineering Workstations to Attacks

Related: Encryption Vulnerabilities Allow Hackers to Take Control of Schneider Electric PLCs