Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

ICS Vendors Assessing Impact of New OPC UA Vulnerabilities

Multiple companies that develop industrial systems are assessing the impact of two new OPC UA vulnerabilities on their products, and German automation technology firm Beckhoff is the first to release a security advisory.

Multiple companies that develop industrial systems are assessing the impact of two new OPC UA vulnerabilities on their products, and German automation technology firm Beckhoff is the first to release a security advisory.

Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released advisories to describe two OPC UA vulnerabilities discovered by Eran Jacob of OTORIO, an Israel-based company that specializes in operational technology (OT) security and digital risk management solutions.

Developed by the OPC Foundation, OPC UA (Unified Architecture) is a machine-to-machine communication protocol that is widely used in industrial automation and other fields.

Jacob, who is the security research team lead at OTORIO, analyzed OPC UA and uncovered a couple of vulnerabilities that have been assigned a high severity rating.New OPC UA vulnerabilities affect the products of ICS vendors

One of the flaws is tracked as CVE-2021-27432 and it has been described as an uncontrolled recursion issue that can be exploited to trigger a stack overflow. This vulnerability has been found to impact OPC UA .NET Standard and Legacy.

The second vulnerability is CVE-2021-27434, which has been described as a sensitive information disclosure issue that impacts the Unified Automation .NET based OPC UA client/server SDK.

The OPC Foundation released a patch in March. The flaw affecting Unified Automation software is related to the use of vulnerable versions of the .NET framework. According to CISA, CVE-2021-27434 is related to a .NET vulnerability patched by Microsoft in 2015 (CVE-2015-6096). CISA said Unified Automation has addressed the issue with an update.

Learn More About Vulnerabilities in Industrial Products at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits Virtual Event Series

Jacob told SecurityWeek that multiple vendors are assessing the potential impact of these vulnerabilities on their products — he has notified them through CISA — but it seems that so far only Beckhoff has released an advisory.

Advertisement. Scroll to continue reading.

In the advisory, published on May 14, the company said components of its TwinCAT PLC runtime are impacted by the security holes.

Beckhoff, whose advisory was also published by Germany’s CERT@VDE, said the vulnerabilities can be exploited by an unauthenticated attacker to cause a denial of service (DoS) condition or to obtain information by sending specially crafted OPC UA packets. The information disclosure issue was described by the company as an XML external entity (XXE) flaw.

“For both kinds of attacks the attacker needs to use a specifically crafted OPC UA client when attacking an OPC UA server, respectively needs to use a specifically crafted OPC UA server when attacking an OPC UA client,” Beckhoff explained. “For attacking a server the attacker needs to be able to establish a TCP connection to that server. For attacking a client the attacker needs to be able to make the client connect to the attacker’s server. For all cases it is sufficient if after the establishment of the TCP connection the attacker lets the specifically crafted application (client or server) respond with a sequence of specifically crafted network packets.”

Jacob said it’s possible to exploit the vulnerabilities remotely from the internet “if the vulnerable OPC UA server is accessible through the internet, or a vulnerable client accesses a server controlled by an attacker through the internet.”

“Theoretically, an attacker performing DoS to an OPC UA server may impact connectivity between control systems, which can result in loss of visibility and possibly loss of control on the process,” Jacob explained. “Also, theoretically, the XXE vulnerability may allow leaking of sensitive files from the system (for example – unprotected private keys or configuration files), or it can be used to perform arbitrary HTTP GET requests on behalf of the attacked server/client.”

Related: Industrial Firms Informed About Serious Vulnerabilities in Matrikon OPC Product

Related: Many Vulnerabilities Found in OPC UA Industrial Protocol

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.