Summary
A client of one of the listed products can be tricked into contacting a malicious OPC UA server. While acting as an OPC UA client in such a connection, the product can be made to crash by a message sent from that server. This also concerns the listed products that are OPC UA servers, because they act as OPC UA clients in some situations (for example when registering at a Discovery Server).
Impact
The listed products can act as OPC UA clients that contact an OPC UA server. If such a connection is established with SecurityMode=None, the client can receive a malformed message during the session which provokes a NULL pointer dereference within the product's OPC UA stack; the product then crashes with a memory access violation. Although this is uncommon and not recommended, connections with SecurityMode=None may also be initiated by the OPC UA servers among the listed products, for example when they act as a client to register at a Discovery Server.
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
EK9160 | TcOpcUaServer | <3.2.0.239 |
IPC Diagnostic UA Server on Windows images | MDP UA Server | <3.1.0.8 |
TF2110 | Setup | <1.12.754.0 |
TF6100-OPC-UA-Client | TcOpcUaClient | <2.2.9.1 |
TF6100-OPC-UA-Gateway | TcOpcUaGateway | <1.5.8.454 |
TF6100-OPC-UA-Server | TcOpcUaServer | <3.2.0.240 |
TS6100-0030-OPC-UA | TcOpcUaClient | <2.2.9.1 |
TS6100-0030-OPC-UA | TcOpcUaGateway | <1.5.8.454 |
TS6100-0030-OPC-UA | TcOpcUaServer | <3.2.0.240 |
TS6100-OPC-UA | TcOpcUaClient | <2.2.9.1 |
TS6100-OPC-UA | TcOpcUaGateway | <1.5.8.454 |
TS6100-OPC-UA | TcOpcUaServer | <3.2.0.240 |
Vulnerabilities
The autogenerated ANSI C stack stubs of the OPC UA stack (in the NodeSets) do not handle all error cases. A malformed message that hits one of the unhandled cases leads to a NULL pointer dereference.
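As an added illustration of the bug class described above (a constructed example, not Beckhoff's code and not the OPC Foundation's stack code): a decoder stub returns NULL both for a legitimate null string and for a malformed length prefix, and a caller in the style of an autogenerated stub that never checks the result dereferences it. The message bytes, the stub and function names and the buffer helper are assumptions; only the status code values follow the OPC UA specification (Part 6).

```c
/* Constructed example of the "unchecked decode stub" pattern.
 * Not Beckhoff's code and not the OPC Foundation ANSI C stack. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* OPC UA status codes used below; values are those of OPC UA Part 6. */
#define UA_GOOD               0x00000000u
#define UA_BAD_DECODING_ERROR 0x80070000u

typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} ua_buf_t;

/* Decode an OPC UA String: Int32 byte length (-1 = null string) followed by
 * UTF-8 bytes. Returns a heap-allocated, NUL-terminated copy, or NULL both
 * for a null string (legal on the wire) and for any malformed input
 * (truncated prefix, negative or oversized length). Conflating these two
 * NULL results is what makes an unchecked caller fragile.
 * Host byte order is assumed little-endian, like OPC UA binary encoding. */
static char *ua_decode_string(ua_buf_t *b) {
    int32_t n;
    char *s;
    if (b->len - b->pos < 4) return NULL;          /* truncated length prefix */
    memcpy(&n, b->data + b->pos, 4);
    b->pos += 4;
    if (n < 0) return NULL;                        /* -1: null string */
    if ((size_t)n > b->len - b->pos) return NULL;  /* claims more bytes than present */
    s = (char *)malloc((size_t)n + 1);
    if (s == NULL) return NULL;
    memcpy(s, b->data + b->pos, (size_t)n);
    s[n] = '\0';
    b->pos += (size_t)n;
    return s;
}

/* Vulnerable pattern: the stub's result is used without a NULL check.
 * A malformed message reaches strlen(NULL) and the process dies with an
 * access violation, which is the crash the advisory describes. */
size_t handle_unchecked(const uint8_t *msg, size_t len) {
    ua_buf_t b;
    char *app_uri;
    size_t n;
    b.data = msg; b.len = len; b.pos = 0;
    app_uri = ua_decode_string(&b);
    n = strlen(app_uri);            /* NULL pointer dereference on a bad message */
    free(app_uri);
    return n;
}

/* Hardened pattern: every stub result is checked and a malformed message is
 * rejected with Bad_DecodingError instead of being dereferenced.
 * out_len may be NULL if the caller only wants the status. */
uint32_t handle_checked(const uint8_t *msg, size_t len, size_t *out_len) {
    ua_buf_t b;
    char *app_uri;
    b.data = msg; b.len = len; b.pos = 0;
    app_uri = ua_decode_string(&b);
    if (app_uri == NULL) return UA_BAD_DECODING_ERROR;
    if (out_len != NULL) *out_len = strlen(app_uri);
    free(app_uri);
    return UA_GOOD;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t GOOD_MSG[] = { 0x05, 0x00, 0x00, 0x00, 'u', 'r', 'n', ':', 'x' };
/* Length prefix claims 0x7fffffff bytes but only two follow. */
static const uint8_t BAD_MSG[]  = { 0xff, 0xff, 0xff, 0x7f, 'u', 'r' };

int main(void) {
    size_t n = 0;
    printf("good message, unchecked caller: length %lu\n",
           (unsigned long)handle_unchecked(GOOD_MSG, sizeof GOOD_MSG));
    printf("bad message, checked caller: status 0x%08lx\n",
           (unsigned long)handle_checked(BAD_MSG, sizeof BAD_MSG, &n));
    /* handle_unchecked(BAD_MSG, sizeof BAD_MSG) would dereference NULL. */
    return 0;
}
```

The fix is not in the decoder but in the caller: generated stubs that propagate a status code instead of a possibly-NULL pointer, or that check each pointer before use, turn the crash into a rejected message and a closed secure channel.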
Mitigation
Configure your applications to use a SecurityMode other than None for all OPC UA connections, and do not let them connect to unknown OPC UA servers with SecurityMode=None. In particular, do not let applications use SecurityMode=None when connecting to servers they discovered via mDNS, a Local Discovery Server (LDS), an untrusted Global Discovery Server (GDS), or even a trusted GDS. Especially in the latter case, an adversary able to position themselves as a man in the middle can intercept the unprotected connection and inject a malformed message which triggers the vulnerability.
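One way a client can enforce this mitigation at endpoint-selection time, as an added example that is not Beckhoff's code and not tied to any listed product: the client rejects every endpoint offered with SecurityMode=None (and the #None or a deprecated security policy) regardless of whether the server was configured by hand or found via mDNS, an LDS or a GDS, and picks the strongest remaining endpoint. If nothing remains, the connection is refused rather than downgraded. The struct, the function names and the sample GetEndpoints result are constructed; the MessageSecurityMode values and the policy URIs are those of the OPC UA specification.

```c
/* Constructed example of a client-side endpoint-selection policy that refuses
 * SecurityMode=None. Not Beckhoff's code; the struct mirrors only the fields
 * of an OPC UA EndpointDescription that the policy needs. */
#include <stdio.h>
#include <string.h>

/* MessageSecurityMode enumeration, values from OPC UA Part 4. */
enum ua_security_mode {
    UA_MODE_INVALID = 0,
    UA_MODE_NONE = 1,
    UA_MODE_SIGN = 2,
    UA_MODE_SIGNANDENCRYPT = 3
};

typedef struct {
    const char *endpoint_url;
    enum ua_security_mode security_mode;
    const char *security_policy_uri;
    unsigned char security_level;   /* server's own ranking, higher is stronger */
} ua_endpoint_t;

/* Policies never to accept: no protection at all, or deprecated by the spec. */
static const char *const REJECTED_POLICIES[] = {
    "http://opcfoundation.org/UA/SecurityPolicy#None",
    "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15",
    "http://opcfoundation.org/UA/SecurityPolicy#Basic256",
};

/* 1 if the endpoint may be used, 0 otherwise. Sign is tolerated so that
 * integrity-protected connections survive; SignAndEncrypt is preferred. */
int ua_endpoint_acceptable(const ua_endpoint_t *e) {
    size_t i;
    if (e->security_mode != UA_MODE_SIGN && e->security_mode != UA_MODE_SIGNANDENCRYPT)
        return 0;                                   /* covers None and Invalid */
    if (e->security_policy_uri == NULL)
        return 0;
    for (i = 0; i < sizeof REJECTED_POLICIES / sizeof REJECTED_POLICIES[0]; i++)
        if (strcmp(e->security_policy_uri, REJECTED_POLICIES[i]) == 0)
            return 0;
    return 1;
}

/* Index of the best acceptable endpoint, or -1 when the client must refuse
 * to connect (never fall back to SecurityMode=None here). */
int ua_select_endpoint(const ua_endpoint_t *eps, size_t n) {
    int best = -1;
    size_t i;
    for (i = 0; i < n; i++) {
        if (!ua_endpoint_acceptable(&eps[i]))
            continue;
        if (best < 0
            || eps[i].security_mode > eps[best].security_mode
            || (eps[i].security_mode == eps[best].security_mode
                && eps[i].security_level > eps[best].security_level))
            best = (int)i;
    }
    return best;
}

/* Constructed GetEndpoints results, e.g. for a server found through an LDS. */
static const ua_endpoint_t SAMPLE[] = {
    { "opc.tcp://plc1:4840", UA_MODE_NONE,
      "http://opcfoundation.org/UA/SecurityPolicy#None", 0 },
    { "opc.tcp://plc1:4840", UA_MODE_SIGN,
      "http://opcfoundation.org/UA/SecurityPolicy#Basic256", 1 },
    { "opc.tcp://plc1:4840", UA_MODE_SIGNANDENCRYPT,
      "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256", 3 },
    { "opc.tcp://plc1:4840", UA_MODE_SIGNANDENCRYPT,
      "http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss", 4 },
};
/* A server (or a man in the middle) offering nothing but None. */
static const ua_endpoint_t NONE_ONLY[] = {
    { "opc.tcp://plc2:4840", UA_MODE_NONE,
      "http://opcfoundation.org/UA/SecurityPolicy#None", 0 },
};

int main(void) {
    int idx = ua_select_endpoint(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0]);
    if (idx >= 0)
        printf("plc1: using %s with %s\n", SAMPLE[idx].endpoint_url,
               SAMPLE[idx].security_policy_uri);
    idx = ua_select_endpoint(NONE_ONLY, sizeof NONE_ONLY / sizeof NONE_ONLY[0]);
    printf("plc2: %s\n", idx < 0 ? "refusing to connect, no secure endpoint" : "ok");
    return 0;
}
```

The same policy should be applied to the Discovery Server itself when a server registers there as a client, since that registration is the path the advisory notes for server products.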
Remediation
Please update the affected product to a version that is not listed as affected in the table above (the first fixed version is the one given after "<").
Revision History
Version | Date | Summary |
---|---|---|
1 | 03/01/2022 13:34 | Initial revision. |
2 | 06/05/2025 15:28 | Fix: quotation mark |