Article No° | Product Name | Affected Version(s)
---|---|---
TF6100 | TwinCAT OPC UA Server | < 4.3.48.0 (TcOpcUaServer < 3.2.0.194)
TS6100 | TwinCAT OPC UA Server | < 4.3.48.0 (TcOpcUaServer < 3.2.0.194)
Through specific nodes of the server configuration interface of the TwinCAT OPC UA Server, administrators are able to remotely create and delete arbitrary files on the system the server is running on, although this access should have been restricted to specific directories. If that configuration interface is combined with the non-recommended setting of allowing anonymous access to the TwinCAT OPC UA Server, this kind of file access is possible even for unauthenticated remote users.
The TwinCAT OPC UA Server in TF6100 and TS6100, in product versions before 4.3.48.0 or with TcOpcUaServer versions below 3.2.0.194, is prone to a relative path traversal that allows administrators to create or delete arbitrary files on the system.
The OPC UA server called “TcOpcUaServer” provides specific nodes within a specific namespace that allow features of that OPC UA server to be configured. By accessing some of these nodes, an OPC UA client can create and delete configuration files for these features on behalf of the administrator of the “TcOpcUaServer”. Dedicated directories on the file system of the computer running the “TcOpcUaServer” are used for these files. Affected versions lacked sanity checks on the file names used, so an attacker could embed relative path components (“..” segments) in a file name to create and delete files outside of the dedicated directories.
The specific nodes reside within the OPC UA namespace which is identified by the following namespace URI:
http://beckhoff.com/TwinCAT/TF6100/Server/Configuration
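The following is an added example and not Beckhoff's code; the advisory does not publish the node identifiers or the real dedicated directories, so the directory, the handler functions and the sample file names below are constructed stand-ins. It models the server-side handling of a client-supplied configuration file name in the unchecked form described above, beside a hardened form that accepts only a single plain file name and verifies that the resolved path stays inside the dedicated directory.

```python
"""Client-supplied file names in a dedicated directory: the missing check.

Added example, not Beckhoff's code. CONFIG_DIR, the handler functions and
the sample names are constructed stand-ins; the advisory does not list the
real directories or node identifiers.
"""
import tempfile
from pathlib import Path

# Constructed stand-in for one of the server's dedicated directories.
CONFIG_DIR = Path("/opt/TcOpcUaServer/config")


class PathTraversalError(ValueError):
    """Raised when a client-supplied name would leave the dedicated directory."""


def unsafe_target_path(base: Path, client_name: str) -> Path:
    """Pattern of the affected versions: the name is joined to the dedicated
    directory without any sanity check, so '..' segments or an absolute
    path move the target anywhere on the file system."""
    return (base / client_name).resolve()


def escapes(base: Path, client_name: str) -> bool:
    """True if the unchecked join ends up outside the dedicated directory."""
    base_resolved = base.resolve()
    return base_resolved not in unsafe_target_path(base, client_name).parents


def safe_target_path(base: Path, client_name: str) -> Path:
    """Hardened handler: accept exactly one plain file name.

    The TcOpcUaServer runs on Windows, but an OPC UA string may carry either
    separator, so '/' and '\\' are both rejected, as are drive letters (':'),
    NUL bytes and the pseudo-entries '.' and '..'. Resolving the path and
    re-checking its parent is defence in depth for anything the lexical
    checks miss (for example a symlinked base directory).
    """
    if not client_name or client_name in (".", ".."):
        raise PathTraversalError(f"not a file name: {client_name!r}")
    if any(c in client_name for c in ("/", "\\", ":", "\x00")):
        raise PathTraversalError(f"path characters in file name: {client_name!r}")
    base_resolved = base.resolve()
    target = (base_resolved / client_name).resolve()
    if target.parent != base_resolved:
        raise PathTraversalError(f"{client_name!r} resolves outside {base_resolved}")
    return target


def is_accepted(base: Path, client_name: str) -> bool:
    """Convenience wrapper: does the hardened check accept this name?"""
    try:
        safe_target_path(base, client_name)
    except PathTraversalError:
        return False
    return True


def delete_config_file(base: Path, client_name: str) -> bool:
    """Server-side delete as it should behave: remove the named file from the
    dedicated directory or refuse, never touching anything else.
    Returns True if a file was removed."""
    target = safe_target_path(base, client_name)
    if target.is_file():
        target.unlink()
        return True
    return False


if __name__ == "__main__":
    # Demonstration against a throw-away tree (constructed):
    #   <tmp>/config/Alarms.xml   inside the dedicated directory
    #   <tmp>/outside.txt         what an unchecked "../outside.txt" reaches
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        config = root / "config"
        config.mkdir()
        (config / "Alarms.xml").write_text("<cfg/>")
        (root / "outside.txt").write_text("not a config file")

        print("unchecked join of '../outside.txt' ->",
              unsafe_target_path(config, "../outside.txt"))
        print("escapes dedicated dir:", escapes(config, "../outside.txt"))
        print("delete Alarms.xml:", delete_config_file(config, "Alarms.xml"))
        try:
            delete_config_file(config, "../outside.txt")
        except PathTraversalError as e:
            print("refused:", e)
        print("outside.txt still present:", (root / "outside.txt").exists())
```

Note that `sub/../Alarms.xml` does not actually escape the directory, yet the hardened check still rejects it: a configuration file name has no business containing separators, and rejecting whole classes of input is simpler to reason about than deciding case by case which traversal attempts happen to land back inside the directory.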
With the default configuration, the dedicated directories are the following, on the system partition of the computer where the “TcOpcUaServer” is running:
Please note that the default installation of the “TcOpcUaServer” does allow anonymous access, even to the administrative nodes within the namespace described above. However, Beckhoff recommends restricting access with the security features of the “TcOpcUaServer” as described in "Configuring security settings - Beckhoff Information System". Operating the “TcOpcUaServer” with anonymous access to the administrative nodes is therefore not considered the intended use.
Mitigation
Consider restricting access to the nodes of the “TcOpcUaServer” using the methods described in "Configuring security settings - Beckhoff Information System", such that the administrative interface can only be accessed by administrative users of well-known OPC UA clients.
Solution
Please update to a recent version of the affected product.
Beckhoff Automation thanks Johannes Olegård, Emre Süren, and Robert Lagerström for reporting the issue and for their support and efforts during the coordinated disclosure. Beckhoff Automation also thanks CERT@VDE for coordination.
The Beckhoff Advisory can be found at https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2021-003.pdf