Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Details Disclosed for OPC UA Vulnerabilities Exploited at ICS Hacking Competition

Software development and security solutions provider JFrog has disclosed the details of several vulnerabilities affecting the OPC UA protocol, including flaws exploited by its employees at a hacking competition earlier this year.

Software development and security solutions provider JFrog has disclosed the details of several vulnerabilities affecting the OPC UA protocol, including flaws exploited by its employees at a hacking competition earlier this year.

OPC UA (Open Platform Communications United Architecture) is a machine-to-machine communication protocol that is used by many industrial solutions providers to ensure interoperability between various types of industrial control systems (ICS).

JFrog’s researchers discovered several vulnerabilities in OPC UA and disclosed some of them at the Pwn2Own Miami 2022 competition in April, where participants earned a total of $400,000 for hacking ICS.

In the OPC UA server category at Pwn2Own, the maximum prize was $40,000, for bypassing a trusted application check, and participants could earn $20,000 for remote code execution flaws.

The JFrog researchers earned $5,000 for each of two denial-of-service (DoS) exploits targeting the OPC UA .NET Standard server, an open source server used by hundreds of other repositories on GitHub, and the Unified Automation OPC UA C++ demo server.

The two vulnerabilities presented at Pwn2Own can be used to crash the OPC UA server. DoS flaws can have a significant impact in the case of ICS as they can lead to the disruption of critical processes.

JFrog disclosed its findings in a blog post published last week.

In addition, JFrog researchers reported eight other vulnerabilities to Unified Automation. The issues were found in the Unified Automation C++-based OPC UA Server SDK and they were fixed with the release of version 1.7.7 of the SDK.

Learn More About Vulnerabilities in Industrial Products at 

SecurityWeek’s ICS Cyber Security Conference

Two of these vulnerabilities can allow an attacker with elevated privileges to achieve remote code execution on the server. These security holes did not qualify for Pwn2Own due to time and stability constraints, but their details were disclosed last week in a separate blog post by JFrog.

The remote code execution exploits are not stable, but the researchers believe they can be improved.

The technical details disclosed by JFrog could be useful to other researchers who want to analyze the security of the OPC UA industrial stack.

Related: Industrial Firms Informed About Serious Vulnerabilities in Matrikon OPC Product

Related: Many Vulnerabilities Found in OPC UA Industrial Protocol

Related: ICS Vendors Assessing Impact of New OPC UA Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.