04 March 2021

More critical vulnerabilities identified in OPC protocol implementations

In 2020, a team of researchers from Claroty analyzed products by several vendors that use Open Platform Communications protocols (OPC DA, AE, HDA, XML DA, DX и OPC UA). These protocols are used as third-party solutions by many large industrial automation system vendors, such as Rockwell Automation and GE. The results of the analysis were disappointing: solutions based on these libraries are affected by numerous vulnerabilities, which could lead to equipment failure, remote code execution and leaks of critical data.

According to Claroty, three software component vendors, Softing Industrial Automation GmbH, Kepware PTC, and Matrikon Honeywell, have released updates for their implementations of OPC functions, fixing stack and heap buffer overflow, use-after-free, improper exception handling, and uncontrolled resource consumption vulnerabilities.

1. Softing Industrial Automation GmbH

Softing Industrial Automation GmbH is a supplier of monitoring and diagnostic solutions for communication networks. The OPC Software Platform by Softing Industrial Automation is a solution that provides interoperability between OPC UA and OPC Classic, as well as implementing cloud connectivity. The integrated OPC UA Server provides access to data from PLCs manufactured by Siemens, Rockwell Automation, B&R Industrial Automation, Mitsubishi, and other PLCs that communicate via the Modbus protocol.

The vulnerabilities identified do not require any special technical skills to exploit. They affect all Softing versions prior to 4.47.0.

The first vulnerability (CVE-2020-14524) was identified in the OPC DA XML library of the Softing HTTP SOAP server. The web server does not limit header lengths and does not sanitize the values of SOAP headers. Using SOAP headers that are too large can eventually result in overconsumption of heap memory resources. Since the web server does not check the return code of the memory allocation, the data will be written to uninitialized memory, causing the web server to crash. This is a critical vulnerability with a CVSS v3.1 base score of 9.8.

The second vulnerability (CVE-2020-14522) is a flaw that enables an invalid value to be used with certain parameters, creating an infinite memory allocation loop and ultimately causing high memory consumption resulting in denial-of-service conditions.

2. Kepware PTC

Kepware develops industrial connectivity software for enterprises in manufacturing, oil & gas, power & utilities, building automation, and other industries. Kepware solutions are used in SCADA systems, providing connectivity with Allen Bradley, AutomationDirect, BACnet, DNP 3.0, GE, Honeywell, Mitsubishi, Modicon, Omron, Siemens, Texas Instruments, Yokogawa and other industrial devices.

The following versions are vulnerable:

  • KEPServerEX v6.0 – v6.9;
  • ThingWorx Kepware Server v6.8 – v6.9;
  • ThingWorx Industrial Connectivity – all versions;
  • ThingWorx OPC-Aggregator – all versions.

A stack-based buffer overflow vulnerability (CVE-2020-27265) was identified in the ThingWorx Edge Server, which can be exploited remotely by unauthenticated attackers. A flaw in the logic for decoding OPC strings enables strings longer than 1024 bytes to be copied without allocating additional memory. By exploiting this vulnerability, attackers could overwrite data in the stack after the first 1024 bytes and cause the server to crash or, potentially, execute malicious code (a CVSS v.3.1 base score of 9.8 has been calculated for this vulnerability).

Another vulnerability (CVE-2020-27263) was also found in the OPC string decoding flow. The flaw, which could lead to an information leak and the server’s crash due to a heap out-of-bounds read, affects both Windows and Linux versions of the ThingWorx Edge Server (CVSS v. 3.1 base score 9.1).

A use-after-free vulnerability (CVE-2020-27267), which exists in the Kepware KEPServerEX Edge Server, could be exploited by unauthenticated attackers to cause a race condition, which in turn leads to a use-after-free condition when the program attempts to use the freed connection object after the connection has been closed, causing the server to crash (CVSS v. 3.1 base score 9.1).

3. Matrikon Honeywell OPC UA Tunneler

Matrikon supplies industrial automation software solutions to ABB, Honeywell, GE, IBM, Oracle, Rockwell Automation, Schneider Electric, Shell, Siemens, Wonderware, and other vendors. The Matrikon OPC UA Tunneller enables client applications with OPC UA support to communicate not only with OPC UA servers, but also with the OPC Classic Server and clients.

All Matrikon OPC UA Tunneller versions prior to are vulnerable.

Multiple vulnerabilities were found in Matrikon OPC UA Tunneller components, including a critical heap overflow flaw (CVE-2020-27297, CVSS v. 3.1 base score 9.8) and a memory leak due to a heap out of bounds read (CVE-2020-27299).

If exploited, these vulnerabilities could enable attackers to cause server denial-of service conditions or to control a memory space outside the targeted buffer and execute arbitrary code. In other words, attackers could gain control of the OPC server and use it to move laterally.

Vendors of industrial automation systems that use the software components mentioned above recommend a standard set of mitigation measures: updating the software, ensuring that devices operate in an isolated network segment behind a firewall, using VPN if remote access is required, etc.

Earlier, Kaspersky ICS CERT released an OPC UA security analysis, in which it reported 17 vulnerabilities (all of which had been closed by the time of publication).

It can be concluded from the character of the vulnerabilities identified by Claroty that the issue of quality control with respect to code in OPC protocol stack functions has remained relevant since the Kaspersky ICS CERT report was published.

Claroty researchers have published a detailed report on the findings of their OPC vulnerability research.

Source: Claroty