Summary
A number of TRUMPF software tools use the OPC UA Server in C++ based OPC UA SDK by Unified Automation. The application contains several vulnerabilities, which enable an attacker to send malicious data to the application, resulting in a Denial-of-Service.
Impact
The stated TRUMPF products are supplied with the Unified Automation OPC UA Server in versions that are known to contain a number of vulnerabilities. We can not confirm at this time whether the use of vulnerable OPC UA Server exposes our products to the risks described in the CVEs mentioned above. Nevertheless, TRUMPF offers updates for its products that contain the fixed versions provided by Unified Automation.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| MOS <6.3.2 | MOS <6.3.2 | |
| OPC UA Proxy <2.5.0 | OPC UA Proxy <2.5.0 |
Vulnerabilities
Expand / Collapse allOPC UA .NET Standard Stack 1.04.368 allows a remote attacker to cause a server to crash via a large number of messages that trigger Uncontrolled Resource Consumption.
An infinite loop in OPC UA .NET Standard Stack 1.04.368 allows a remote attackers to cause the application to hang via a crafted message.
Remediation
Use the updated versions of the TRUMPF OPC UA server that will be available via MyTRUMPF.
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 08/15/2022 12:00 | Initial revision. |