BECKHOFF: Null Pointer Dereference vulnerability in products with OPC UA technology

VDE-2022-003
Last update
05.06.2025 15:28
Published at
01.03.2022 13:34
Vendor(s)
Beckhoff Automation GmbH & Co. KG
External ID
VDE-2022-003
CSAF Document

Summary

By tricking clients of the mentioned products into contacting malicious OPC UA servers and thereby acting as OPC UA clients, a crash of the component can be provoked.

Impact

The mentioned products can be used as clients which contact an OPC UA server. If such a connection is made with SecurityMode=None, the client can receive a malformed message during the conversation which provokes a null pointer dereference within the OPC UA stack of the product. The product then crashes with a memory access violation. Although this is uncommon and not recommended, such connections with SecurityMode=None may even be used by OPC UA servers, for example when they act as a client to register at a Discovery Server.

Affected Product(s)

Model no.                                    Product name     Affected versions
EK9160                                       TcOpcUaServer    <3.2.0.239
IPC Diagnostic UA Server on windows images   MDP UA Server    <3.1.0.8
TF2110                                       Setup            <1.12.754.0
TF6100-OPC-UA-Client                         TcOpcUaClient    <2.2.9.1
TF6100-OPC-UA-Gateway                        TcOpcUaGateway   <1.5.8.454
TF6100-OPC-UA-Server                         TcOpcUaServer    <3.2.0.240
TS6100-0030-OPC-UA                           TcOpcUaClient    <2.2.9.1
TS6100-0030-OPC-UA                           TcOpcUaGateway   <1.5.8.454
TS6100-0030-OPC-UA                           TcOpcUaServer    <3.2.0.240
TS6100-OPC-UA                                TcOpcUaClient    <2.2.9.1
TS6100-OPC-UA                                TcOpcUaGateway   <1.5.8.454
TS6100-OPC-UA                                TcOpcUaServer    <3.2.0.240

Vulnerabilities

Published
22.09.2025 14:57
Weakness
NULL Pointer Dereference (CWE-476)
Summary

The OPC autogenerated ANSI C stack stubs (in the NodeSets) do not handle all error cases. This can lead to a NULL pointer dereference.
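The weakness described above is a generic C pattern: a decode routine reports failure through its status code and leaves its output pointer null, and a stub that does not handle that status dereferences the pointer anyway. The following is an added illustration of that pattern and of the checked form, written for this page; it is not Beckhoff's code, not the OPC Foundation ANSI C stack, and the message layout, field names and status constants are constructed for the example.

```c
/* Added example (not Beckhoff's or the OPC Foundation's code): the unchecked-
 * status pattern that turns a malformed message into a NULL pointer dereference,
 * next to the checked form. Message layout, names and status values are constructed. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

#define STATUS_GOOD               0x00000000u
#define STATUS_BAD_DECODING_ERROR 0x80070000u  /* constructed "bad" status value */

/* Stand-in for a decoded OPC UA structure that the decoder allocates. */
typedef struct {
    uint32_t value;
} DecodedField;

/* Toy wire decoder: expects a tag byte 0x01 followed by a 4-byte little-endian value.
 * On malformed input it returns a bad status and leaves *out NULL, which is
 * exactly the state an unchecked caller then dereferences. */
static uint32_t decode_field(const uint8_t *buf, size_t len, DecodedField **out)
{
    *out = NULL;
    if (len < 5 || buf[0] != 0x01)
        return STATUS_BAD_DECODING_ERROR;
    DecodedField *f = malloc(sizeof *f);
    if (f == NULL)
        return STATUS_BAD_DECODING_ERROR;
    f->value = (uint32_t)buf[1] | ((uint32_t)buf[2] << 8)
             | ((uint32_t)buf[3] << 16) | ((uint32_t)buf[4] << 24);
    *out = f;
    return STATUS_GOOD;
}

/* Vulnerable stub shape: the status is discarded and the output pointer is
 * used unconditionally. Works on well-formed input, crashes on malformed input. */
uint32_t stub_unchecked(const uint8_t *buf, size_t len)
{
    DecodedField *f;
    (void)decode_field(buf, len, &f);   /* error case not handled */
    uint32_t v = f->value;              /* NULL dereference when decoding failed */
    free(f);
    return v;
}

/* Hardened stub: the status and the pointer are both checked before use, and
 * the error is propagated so the caller can drop the message or close the
 * channel instead of crashing. */
uint32_t stub_checked(const uint8_t *buf, size_t len, uint32_t *value_out)
{
    DecodedField *f = NULL;
    uint32_t status = decode_field(buf, len, &f);
    if (status != STATUS_GOOD || f == NULL) {
        *value_out = 0;
        return STATUS_BAD_DECODING_ERROR;
    }
    *value_out = f->value;
    free(f);
    return STATUS_GOOD;
}

/* Convenience wrappers so the checked path can be inspected on a given input. */
uint32_t checked_status(const uint8_t *buf, size_t len)
{
    uint32_t v;
    return stub_checked(buf, len, &v);
}

uint32_t checked_value(const uint8_t *buf, size_t len)
{
    uint32_t v;
    (void)stub_checked(buf, len, &v);
    return v;
}

/* Constructed sample messages. */
const uint8_t GOOD_MSG[] = {0x01, 0x2A, 0x00, 0x00, 0x00};  /* tag 1, value 42 */
const uint8_t BAD_MSG[]  = {0x7F, 0x00};                    /* wrong tag and truncated */

int main(void)
{
    uint32_t v = 0;
    uint32_t st = stub_checked(GOOD_MSG, sizeof GOOD_MSG, &v);
    printf("good message:  status 0x%08x value %u\n", (unsigned)st, (unsigned)v);
    st = stub_checked(BAD_MSG, sizeof BAD_MSG, &v);
    printf("bad message:   status 0x%08x (rejected, nothing dereferenced)\n", (unsigned)st);
    printf("unchecked stub on good message: %u\n", (unsigned)stub_unchecked(GOOD_MSG, sizeof GOOD_MSG));
    /* stub_unchecked(BAD_MSG, sizeof BAD_MSG) would dereference NULL and crash. */
    return 0;
}
```

The point of the comparison is that the unchecked stub behaves identically on every well-formed message, so the defect is invisible until a peer sends something the decoder rejects; that is why the advisory ties exposure to unauthenticated SecurityMode=None connections, where any reachable peer can be that sender.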

References

Mitigation

Configure your applications to use a SecurityMode other than None for all OPC UA connections, and prevent them from connecting to an unknown OPC UA server with SecurityMode=None. In particular, prevent your applications from connecting with SecurityMode=None to servers which they discover via mDNS, a Local Discovery Server (LDS), an untrusted Global Discovery Server (GDS) or even a trusted GDS. Especially in the latter case an adversary might be able to apply the 'man in the middle' pattern to attack the connection and inject a bad message which triggers the vulnerability.
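The mitigation amounts to an endpoint-selection policy on the client side: whatever the server's origin (static configuration, mDNS, LDS or GDS), the client must never pick an endpoint whose MessageSecurityMode is None. The following added example, not from Beckhoff or any OPC UA stack, shows such a policy applied to the endpoint descriptions a server returns from GetEndpoints. The MessageSecurityMode numbering and the SecurityPolicy URIs are the ones defined by the OPC UA specification; the endpoint lists and host names are constructed.

```c
/* Added example (not Beckhoff's or any OPC UA stack's code): a client-side
 * policy that refuses SecurityMode=None endpoints and prefers the strongest
 * acceptable one. Endpoint lists and host names below are constructed. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Values as defined for MessageSecurityMode in the OPC UA specification. */
typedef enum {
    SECURITY_MODE_INVALID          = 0,
    SECURITY_MODE_NONE             = 1,
    SECURITY_MODE_SIGN             = 2,
    SECURITY_MODE_SIGN_AND_ENCRYPT = 3
} MessageSecurityMode;

typedef struct {
    const char *endpoint_url;
    MessageSecurityMode security_mode;
    const char *security_policy_uri;
} EndpointDescription;

/* Returns 1 if the endpoint satisfies the policy "never SecurityMode=None", else 0. */
int endpoint_is_acceptable(const EndpointDescription *ep)
{
    if (ep->security_mode != SECURITY_MODE_SIGN &&
        ep->security_mode != SECURITY_MODE_SIGN_AND_ENCRYPT)
        return 0;
    /* A None policy URI is equally unacceptable even if the mode field says otherwise. */
    if (strcmp(ep->security_policy_uri, "http://opcfoundation.org/UA/SecurityPolicy#None") == 0)
        return 0;
    return 1;
}

/* Picks the strongest acceptable endpoint (SignAndEncrypt over Sign).
 * Returns its index, or -1 if nothing may be used; the client should then
 * refuse to connect rather than fall back to SecurityMode=None. */
int select_endpoint(const EndpointDescription *eps, size_t count)
{
    int best = -1;
    for (size_t i = 0; i < count; i++) {
        if (!endpoint_is_acceptable(&eps[i]))
            continue;
        if (best < 0 || eps[i].security_mode > eps[best].security_mode)
            best = (int)i;
    }
    return best;
}

/* Constructed GetEndpoints result from a server that offers None alongside secure modes. */
const EndpointDescription SAMPLE_ENDPOINTS[] = {
    {"opc.tcp://plc.example:4840", SECURITY_MODE_NONE,
     "http://opcfoundation.org/UA/SecurityPolicy#None"},
    {"opc.tcp://plc.example:4840", SECURITY_MODE_SIGN,
     "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"},
    {"opc.tcp://plc.example:4840", SECURITY_MODE_SIGN_AND_ENCRYPT,
     "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"},
};
const size_t SAMPLE_ENDPOINT_COUNT = sizeof SAMPLE_ENDPOINTS / sizeof SAMPLE_ENDPOINTS[0];

/* Constructed result from a server discovered via LDS that only offers None. */
const EndpointDescription NONE_ONLY_ENDPOINTS[] = {
    {"opc.tcp://lds.example:4840", SECURITY_MODE_NONE,
     "http://opcfoundation.org/UA/SecurityPolicy#None"},
};
const size_t NONE_ONLY_ENDPOINT_COUNT = sizeof NONE_ONLY_ENDPOINTS / sizeof NONE_ONLY_ENDPOINTS[0];

int main(void)
{
    int idx = select_endpoint(SAMPLE_ENDPOINTS, SAMPLE_ENDPOINT_COUNT);
    printf("plc.example: selected endpoint index %d (mode %d)\n",
           idx, idx >= 0 ? (int)SAMPLE_ENDPOINTS[idx].security_mode : -1);
    idx = select_endpoint(NONE_ONLY_ENDPOINTS, NONE_ONLY_ENDPOINT_COUNT);
    printf("lds.example: selected endpoint index %d (refuse to connect)\n", idx);
    return 0;
}
```

Applying the same check to a server's own registration with a Discovery Server covers the case the Impact section mentions, where a product that is normally a server acts as a client.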

Remediation

Please update to a recent version of the affected product.

Revision History

Version Date Summary
1 01.03.2022 13:34 Initial revision.
2 05.06.2025 15:28 Fix: quotation mark