Multiple industrial system developers are evaluating the effect of two recent OPC UA vulnerabilities on their devices, with Beckhoff, a German automation technology company, becoming the first to issue a security advisory.
Eran Jacob of OTORIO, an Israel-based company that specialises in operational technology (OT) security and digital risk management solutions, discovered two OPC UA vulnerabilities earlier this month, and the US Cybersecurity and Infrastructure Security Agency (CISA) issued advisories to describe them.
OPC UA (Unified Architecture), developed by the OPC Foundation, is a machine-to-machine communication protocol commonly used in industrial automation and other fields.
Jacob, the lead of OTORIO’s security testing team, examined OPC UA and discovered a couple of vulnerabilities with a high severity level.
One of the vulnerabilities has been assigned the number CVE-2021-27432, and it is defined as an uncontrolled recursion problem that can lead to a stack overflow. This flaw affects both the standard and legacy versions of OPC UA.NET.
The second vulnerability is CVE-2021-27434, which affects the Unified Automation.NET based OPC UA client/server SDK and is identified as a sensitive information disclosure problem.
In March, the OPC Foundation issued a patch. The vulnerability in Unified Automation software is caused by the use of vulnerable.NET application versions. CVE-2021-27434, according to CISA, is linked to a Microsoft.NET vulnerability patched in 2015. (CVE-2015-6096). Unified Automation has provided an update, according to CISA.
Multiple vendors are assessing the possible effect of these vulnerabilities on their goods, Jacob told that he has contacted them through CISA, but it appears that only Beckhoff has issued an advisory so far.
The security holes affect components of the company’s TwinCAT PLC runtime, according to the advisory, which was released on May 14.
The vulnerabilities can be exploited by an unauthenticated attacker to trigger a denial of service (DoS) condition or to acquire information by sending specially designed OPC UA packets, according to Beckhoff, whose advisory was also published by Germany’s CERT@VDE. The business called the knowledge disclosure flaw an XML external entity (XXE) flaw.
“When attacking an OPC UA server, the attacker must use a specially designed OPC UA client, and when attacking an OPC UA client, the attacker must use a specially crafted OPC UA server,” Beckhoff explained. “In order to attack a server, the attacker must be able to create a TCP link with it. In order to attack a client, the attacker must be able to link the client to the attacker’s server. In all cases, it is appropriate if the attacker lets the specially crafted application (client or server) answer with a sequence of specially crafted network packets after establishing the TCP connection.”
“If the vulnerable OPC UA server is accessible through the internet, or a vulnerable client accesses a server managed by an attacker through the internet,” Jacob said, the vulnerabilities can be exploited remotely.
“In theory, a DoS attack on an OPC UA server could disrupt connectivity between control systems, resulting in a loss of visibility and possibly control over the process,” Jacob explained. “The XXE vulnerability may also be used to perform arbitrary HTTP GET requests on behalf of the attacked server/client, or it can be used to leak confidential data from the device (for example, unprotected private keys or configuration files).”