SecurityWeek

Industrial Firms Informed About Serious Vulnerabilities in Matrikon OPC Product

Industrial organizations have been informed about the existence of several potentially serious vulnerabilities affecting an OPC UA product made by Honeywell subsidiary Matrikon.

Open Platform Communications (OPC) is a communications protocol for operational technology (OT) systems and it’s widely used to ensure interoperability between various types of industrial control systems (ICS). Matrikon, which Honeywell acquired in 2010 for roughly $140 million, specializes in vendor-neutral OPC UA (Unified Architecture) and OPC-based data interoperability products for industrial control automation.

As part of their analysis of OPC UA security, researchers at industrial cybersecurity firm Claroty discovered that Matrikon’s OPC UA Tunneller product, which is designed for integrating OPC UA clients and servers with OPC Classic architecture, is affected by four critical and high-severity vulnerabilities that can be exploited for remote code execution, DoS attacks, and for obtaining potentially valuable information. Most of them can be exploited to crash a server, and some, under certain conditions, can result in remote code execution.

OPC UA vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week published an ICS advisory to inform industrial organizations about these vulnerabilities.

Honeywell has released an update that should patch the flaws.

“We’ve taken the appropriate actions to remedy the situation, and have issued an update to the software. We strongly recommend that our customers upgrade to version 6.3.0.8233 immediately,” Honeywell told SecurityWeek in an emailed statement.

The most serious of the flaws found by Claroty in Matrikon OPC UA Tunneller — based on its CVSS score of 9.8 — is a heap buffer overflow bug that can allow an attacker to remotely execute arbitrary code or cause a DoS condition. Another vulnerability, rated high severity, can be exploited to obtain information that could be useful for conducting other activities on the targeted organization’s network.

“By exploiting these vulnerabilities, attackers can control the overwritten memory space outside the targeted buffer and can redirect a function pointer to their malicious code. In other words, attackers that exploit those vulnerabilities could also achieve remote code execution and take over the OPC server,” Claroty said in a blog post published on Monday.

The company told SecurityWeek that exploitation of the vulnerabilities requires network access to the targeted OPC server or OPC tunneller (depending on the OT network architecture), but authentication is not required.

“The flaws can be exploited remotely over the network. However, usually these systems are not directly facing the internet because they are used in closed OT networks. There are some cases where asset owners decide to open these OPC-related products to the web, but that’s uncommon,” Claroty said via email.

As part of its research into OPC security, Claroty also identified vulnerabilities in products made by industrial automation solutions providers Kepware and Softing Industrial Automation. The Kepware vulnerabilities were disclosed by CISA in December 2020, while the Softing product issues were disclosed in July 2020.

Claroty told SecurityWeek after the Kepware vulnerabilities were disclosed that they can be exploited by a remote, unauthenticated attacker with access to the OPC server for arbitrary code execution, data leakage, and DoS attacks.

The company has also pointed out that the vulnerabilities found by its researchers likely affect products from other vendors as well, due to the use of third-party libraries such as one developed by Softing, and of white-label products made by Kepware.

“OPC is the communication hub of an OT network, centrally supporting communication between proprietary devices that otherwise could not exchange information. It’s deeply embedded in many product configurations and OPC-centered development and usage figures to continue,” Claroty said in its blog post on Monday.

“Also contributing to the expansive use of OPC is the fact that many vendors are already connecting parts of their networks that communicate using OPC to the cloud. This introduces industrial IoT devices into the equation, those that both receive and exchange device and process information,” it added.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.