| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| TwinCAT OPC UA Client System Manager Extension included in TF6100 | < 4.3.46.0 | |
| TwinCAT OPC UA Configurator (Standalone) included in TF6100 | < 4.3.46.0 | |
| TwinCAT OPC UA Configurator (Standalone) included in TS6100 | < 4.3.46.0 | |
| TwinCAT OPC UA Configurator (Visual Studio) included in TF6100 | < 4.3.46.0 | |
| TwinCAT OPC UA Sample Client included in TF6100 | < 4.3.46.0 | |
| TwinCAT OPC UA Sample Client included in TS6100 | < 4.3.46.0 | |
| TwinCAT Scope Server in TF3300 | < 3.4.3144.11 | |
| TwinCAT Target Browser OPC UA Extension included in TF3300 | < 3.4.3144.11 | |
| TwinCAT Target Browser OPC UA Extension included in TF6100 | < 4.3.46.0 | |
| TwinCAT Target Browser OPC UA Extension included in TF6720 | < 1.1.68.0 |
The affected products can act as OPC UA client or server and are vulnerable to two different kind of attacks via
the OPC UA protocol. For both cases the attacker can send packets via the OPC UA protocol without the need to
authenticate and
For both kinds of attacks the attacker needs to use a specifically crafted OPC UA client when attacking an OPC UA server respectively needs to use a specifically crafted OPC UA server when attacking an OPC UA client. For attacking a server the attacker needs to be able to establish a TCP connection to that server. For attacking a client the attacker needs to be able to make the client connect to the attacker’s server. For all cases it is sufficient if after the establishment of the TCP connection the attacker lets the specifically crafted application (client or server) respond with a sequence of specifically crafted network packets. No authentication is required by the attacker.
For the first kind of attack the specifically crafted network packets cause a stack overflow as consequence of an uncontrolled recursion when the attacked application (client or server) processes them. With the components of the product described above, this attack results in a denial of service because the components become unavailable and need to be restarted manually after the attack.
For the second kind of attack the specifically crafted network packets cause the attacked application to resolve XML entities which allows the inclusion of contents from files on disk as far as they are accessible to the attacked application. Further processing of XML entities allow the resulting XML content to be posted to an HTTP server of the attackers choice. This allows the disclosure of file content from the computer the attacked application is running on even though the attacker is not required to authenticate nor to have access to these files.
The second attack is possible only if an outdated version of a .NET Framework from Microsoft is used. For more information like vulnerable and fixed versions of the .NET Framework, please see CVE-2015-6096.
Since TCP connections are routable the attacker may perform all these kinds of exploits from remote if there is no firewall set up which limits the access for example to the TCP ports which the OPC UA application is using. The attacker does not need to have a local account at the device or OPC UA server nor is any authentication required for the attack.
Mitigation
Consider limiting access to the network communication ports of affected server products. Also consider limiting where the affected client products are allowed to connect to. For example, this can be achived with Windows’ built-in firewall by incoming rules for servers and outgoing rules for clients. Consider to minimize the ability of an attacker to hijack communication establishment from a client to a server. For example this can be achieved with the help of zones and conduits: Try to keep servers and clients within the same network zone and prevent intrusion into that zone. Try to enclose communication establishment within conduits like VPN channels (where one conduit can serve for many OPC UA connections) and prevent attackers from intruding into such channels. Consider updating the .NET Framework.
Solution
Update to a recent version of the affected product and update the .NET Framework.
Beckhoff Automation thanks CERT@VDE for coordination.
Beckhoffs advisory can be found at download.beckhoff.com.