22 May 2018

OPC Foundation Consortium comments on Kaspersky Lab’s OPC UA security analysis report

The Kaspersky Lab report released on May 10, 2018 has attracted considerable media attention because it claims to have identified 17 security issues in OPC Foundation products and in commercial applications that use them. Information on all vulnerabilities identified in the course of the research was provided to the developers of the affected software as soon as they were found.

The OPC Foundation consortium has thoroughly analyzed the report and published its official comments and clarifications. According to the OPC Foundation's official response, of the 17 vulnerabilities discussed in the report:

  1. Eight vulnerabilities were associated with a sample server application that used the UA ANSI C Stack and was provided in the OPC Foundation's open-source code repository on GitHub. These issues did not affect the ANSI C Stack itself or products based on commercial SDKs. Nevertheless, all of them have been fixed.
  2. Six vulnerabilities were associated with the OPC server enumerator component (the Local Discovery Server, LDS). These vulnerabilities were identified and fixed in 2017, and the relevant information was published at the time (CVE-2017-12069). The OPC Foundation also notes that these vulnerabilities could not be exploited remotely.
  3. Three vulnerabilities affected individual commercial products by different vendors:
  • Information on one of the vulnerabilities was disclosed in 2016.
  • The vendor is currently working on a fix for the second vulnerability.
  • The third vulnerability affected a legacy .NET stack. It was quickly fixed by the OPC Foundation in 2017 and OPC users were notified of the issue in a timely manner.

The OPC Foundation consortium's statement also emphasizes that OPC UA software is built on solutions from several commercial OPC UA SDK/Toolkit vendors, and most of these products are not affected by vulnerabilities in the ANSI C sample server application published on GitHub. In addition, the OPC Foundation collaborates with vendors to have the open-source code base tested by external organizations and to have the results published on GitHub.

Source: OPC Foundation