Industrial Firms Informed About Serious Vulnerabilities in Matrikon OPC Product

Industrial organizations have been informed about the existence of several potentially serious vulnerabilities affecting an OPC UA product made by Honeywell subsidiary Matrikon.

Open Platform Communications (OPC) is a communications protocol for operational technology (OT) systems that is widely used to ensure interoperability between various types of industrial control systems (ICS). Matrikon, which Honeywell acquired in 2010 for roughly $140 million, specializes in vendor-neutral OPC UA (Unified Architecture) and OPC-based data interoperability products for industrial control automation.

As part of their analysis of OPC UA security, researchers at industrial cybersecurity firm Claroty discovered that Matrikon’s OPC UA Tunneller product, which is designed for integrating OPC UA clients and servers with OPC Classic architecture, is affected by four critical and high-severity vulnerabilities. The flaws can be exploited for remote code execution, DoS attacks, and obtaining potentially valuable information. Most of them can be exploited to crash a server, and some, under certain conditions, can result in remote code execution.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week published an ICS advisory to inform industrial organizations about these vulnerabilities.

Honeywell has released an update that should patch the flaws.

“We’ve taken the appropriate actions to remedy the situation, and have issued an update to the software. We strongly recommend that our customers upgrade to version 6.3.0.8233 immediately,” Honeywell told SecurityWeek in an emailed statement.

The most serious of the flaws found by Claroty in Matrikon OPC UA Tunneller — based on its CVSS score of 9.8 — is a heap buffer overflow bug that can allow an attacker to remotely execute arbitrary code or cause a DoS condition. Another vulnerability, rated high severity, can be exploited to obtain information that could be useful for conducting other activities on the targeted organization’s network.

“By exploiting these vulnerabilities, attackers can control the overwritten memory space outside the targeted buffer and can redirect a function pointer to their malicious code. In other words, attackers that exploit those vulnerabilities could also achieve remote code execution and take over the OPC server,” Claroty said in a blog post published on Monday.

The company told SecurityWeek that exploitation of the vulnerabilities requires network access to the targeted OPC server or OPC tunneller (depending on the OT network architecture), but authentication is not required.

“The flaws can be exploited remotely over the network. However, usually these systems are not directly facing the internet because they are used in closed OT networks. There are some cases where asset owners decide to open these OPC-related products to the web, but that’s uncommon,” Claroty said via email.

As part of its research into OPC security, Claroty also identified vulnerabilities in products made by industrial automation solutions providers Kepware and Softing Industrial Automation. The Kepware vulnerabilities were disclosed by CISA in December 2020, while the Softing product issues were disclosed in July 2020.

Claroty told SecurityWeek after the Kepware vulnerabilities were disclosed that they can be exploited by a remote, unauthenticated attacker with access to the OPC server for arbitrary code execution, data leakage, and DoS attacks.

The company has also pointed out that the vulnerabilities found by its researchers likely affect products from other vendors as well due to the use of third-party libraries such as one developed by Softing, and white label products made by Kepware.

“OPC is the communication hub of an OT network, centrally supporting communication between proprietary devices that otherwise could not exchange information. It’s deeply embedded in many product configurations and OPC-centered development and usage figures to continue,” Claroty said in its blog post on Monday.

“Also contributing to the expansive use of OPC is the fact that many vendors are already connecting parts of their networks that communicate using OPC to the cloud. This introduces industrial IOT devices into the equation, those that both receive and exchange device and process information,” it added.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.