
Beckhoff: Relative path traversal vulnerability through TwinCAT OPC UA Server

VDE-2021-051
Last update: 22.05.2025 15:03
Published at: 04.11.2021 08:00
Vendor(s): Beckhoff Automation GmbH & Co. KG
External ID: VDE-2021-051

Summary

Through specific nodes of the server configuration interface of the TwinCAT OPC UA Server, administrators can remotely create and delete any file on the system the server is running on, although this access should have been restricted to specific directories. If that configuration interface is combined with the non-recommended setting that allows anonymous access via the TwinCAT OPC UA Server, this kind of file access is possible even for any unauthenticated remote user.

Impact

The OPC UA server called 'TcOpcUaServer' provides specific nodes within a specific namespace that allow configuring features of that OPC UA server. By accessing some of these nodes, an OPC UA client can create and delete configuration files for these features on behalf of the administrator of the 'TcOpcUaServer'. Dedicated directories are used for these files on the file system of the computer where the 'TcOpcUaServer' is running. Affected versions were missing specific sanity checks for the file names used, so an attacker could add relative paths to the file names to create and delete files outside of the dedicated directories.

The specific nodes reside within the OPC UA namespace which is identified by the following namespace URI:

beckhoff.com/TwinCAT/TF6100/Server/Co...

With the default configuration, the dedicated directories are the following, located on the system partition of the machine where 'TcOpcUaServer' is running:

TwinCAT\Functions\TF6100-OPC-UA\Server\res
TwinCAT\Functions\TF6100-OPC-UA\Server\xmlnodesets
TwinCAT\Functions\TF6100-OPC-UA\Server\symbolfiles

Please note that the default installation of the 'TcOpcUaServer' does allow anonymous access, even to the administrative nodes within the namespace described above. However, Beckhoff recommends restricting access with the help of the various security features of the 'TcOpcUaServer', as described in "Configuring security settings" in the Beckhoff Information System. This is why operating the 'TcOpcUaServer' with anonymous access allowed to the administrative nodes is not considered the intended use here.
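
The kind of file-name sanity check the affected versions were missing, as an added example that is not Beckhoff's code. It uses Python's `ntpath` to apply Windows path rules; the drive letter `C:`, the function names and the sample file names are assumptions made for illustration.

```python
import ntpath  # Windows path rules on any host; the server runs on Windows

# Dedicated directory from the advisory; the drive letter is an assumption.
BASE_DIR = r"C:\TwinCAT\Functions\TF6100-OPC-UA\Server\res"


def is_inside(base_dir: str, path: str) -> bool:
    """True if path, once normalised, is base_dir or lies below it."""
    base = ntpath.normcase(ntpath.normpath(base_dir))
    try:
        return ntpath.commonpath([base, ntpath.normcase(ntpath.normpath(path))]) == base
    except ValueError:  # different drives, or absolute mixed with relative
        return False


def naive_target(base_dir: str, client_name: str) -> str:
    """Join with no check on the name: the missing-sanity-check case."""
    return ntpath.normpath(ntpath.join(base_dir, client_name))


def safe_target(base_dir: str, client_name: str) -> str:
    """Return the path for client_name inside base_dir, or raise ValueError."""
    # A configuration file name must be exactly one path component.
    if not client_name or any(ch in client_name for ch in '\\/:\x00'):
        raise ValueError("empty name, or separator/drive/stream marker in name")
    # Win32 strips trailing dots and spaces, so "." and ".." fall here too.
    if client_name[-1] in ". ":
        raise ValueError("name ends in a dot or space")
    target = naive_target(base_dir, client_name)
    # Defence in depth: the normalised result must still be under base_dir.
    if not is_inside(base_dir, target):
        raise ValueError("name escapes the dedicated directory")
    return target


def rejected(client_name: str) -> bool:
    """True if safe_target refuses the name."""
    try:
        safe_target(BASE_DIR, client_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    for name in ["nodeset.xml", r"..\..\outside.txt", "../outside.txt", "D:\\x.xml", ".."]:
        print(f"{name!r}: naive inside={is_inside(BASE_DIR, naive_target(BASE_DIR, name))}, "
              f"rejected={rejected(name)}")
```
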

Affected Product(s)

Model no. Product name Affected versions
TwinCAT OPC UA Server in TF6100 < 4.3.48.0 Firmware <3.2.0.194
TwinCAT OPC UA Server in TS6100 < 4.3.48.0 Firmware <3.2.0.194

Vulnerabilities


Published: 22.09.2025 14:57
Weakness: Relative Path Traversal (CWE-23)

Mitigation

Consider restricting access to the nodes of the 'TcOpcUaServer' with the methods described at infosys.beckhoff.com/content/1033/tco... so that the administrative interface can only be accessed by administrative users of well-known OPC UA clients.

Remediation

Please update to a recent version of the affected product.

Revision History

Version Date Summary
1 04.11.2021 08:00 initial revision
2 22.05.2025 15:03 Fix: added distribution, quotation mark