
ID

VDE-2021-008

Published

2021-05-19 11:04 (CEST)

Last update

2021-07-07 11:05 (CEST)

Vendor(s)

Beckhoff Automation GmbH & Co. KG

Product(s)

Component                                        Included in product   Affected versions
TwinCAT Scope Server                             TF3300                < TF3300 3.4.3144.11
TwinCAT OPC UA Configurator (Standalone)         TS6100                < TS6100 4.3.46.0
TwinCAT OPC UA Configurator (Standalone)         TF6100                < TF6100 4.3.46.0
TwinCAT OPC UA Configurator (Visual Studio)      TF6100                < TF6100 4.3.46.0
TwinCAT Target Browser OPC UA Extension          TF6100                < TF6100 4.3.46.0
TwinCAT Target Browser OPC UA Extension          TF6720                < TF6720 1.1.68.0
TwinCAT Target Browser OPC UA Extension          TF3300                < TF3300 3.4.3144.11
TwinCAT OPC UA Client System Manager Extension   TF6100                < TF6100 4.3.46.0
TwinCAT OPC UA Sample Client                     TS6100                < TS6100 4.3.46.0
TwinCAT OPC UA Sample Client                     TF6100                < TF6100 4.3.46.0

Summary

The affected products can act as OPC UA client or server and are vulnerable to two different kinds of attacks via the OPC UA protocol. In both cases the attacker can send packets via the OPC UA protocol without the need to authenticate and

  1. provoke a stack overflow resulting in denial of service of the product, or
  2. make the product disclose information to the attacker without authorization.

Vulnerabilities

Weakness: Uncontrolled Recursion (CWE-674)
Summary: OPC Foundation UA .NET Standard versions prior to 1.4.365.48 and OPC UA .NET Legacy are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow.

Weakness: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Summary: Products with Unified Automation .NET based OPC UA Client/Server SDK Bundle: Versions V3.0.7 and prior (.NET 4.5, 4.0, and 3.5 Framework versions only) are vulnerable to an uncontrolled recursion, which ...

Impact

For both kinds of attacks the attacker needs a specifically crafted OPC UA client when attacking an OPC UA server, or a specifically crafted OPC UA server when attacking an OPC UA client. To attack a server, the attacker needs to be able to establish a TCP connection to that server. To attack a client, the attacker needs to be able to make the client connect to the attacker's server. In all cases it is sufficient that, once the TCP connection is established, the crafted application (client or server) responds with a sequence of specifically crafted network packets. No authentication is required of the attacker.

For the first kind of attack the specifically crafted network packets cause a stack overflow as a consequence of an uncontrolled recursion when the attacked application (client or server) processes them. With the components of the products described above, this attack results in a denial of service: the components become unavailable and need to be restarted manually after the attack.

For the second kind of attack the specifically crafted network packets cause the attacked application to resolve XML entities, which allows the inclusion of content from files on disk as far as they are accessible to the attacked application. Further processing of XML entities allows the resulting XML content to be posted to an HTTP server of the attacker's choice. This allows the disclosure of file content from the computer the attacked application is running on, even though the attacker is required neither to authenticate nor to have access to these files.

The second attack is possible only if an outdated version of Microsoft's .NET Framework is used. For more information, such as vulnerable and fixed versions of the .NET Framework, see CVE-2015-6096.

Since TCP connections are routable, the attacker may perform all of these attacks remotely if there is no firewall that limits access, for example to the TCP ports the OPC UA application uses. The attacker needs neither a local account on the device or OPC UA server nor any authentication.

Solution

Mitigation

Consider limiting access to the network communication ports of affected server products. Also consider limiting where the affected client products are allowed to connect to. For example, this can be achieved with Windows' built-in firewall by means of incoming rules for servers and outgoing rules for clients. Consider minimizing the ability of an attacker to hijack communication establishment from a client to a server. For example, this can be achieved with the help of zones and conduits: try to keep servers and clients within the same network zone and prevent intrusion into that zone. Try to enclose communication establishment within conduits such as VPN channels (where one conduit can serve many OPC UA connections) and prevent attackers from intruding into such channels. Consider updating the .NET Framework.
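The following is an added example of the Windows firewall rules this mitigation describes; it is not part of the Beckhoff or CERT@VDE advisory. It assumes the server listens on the registered OPC UA default port 4840 (check the configured port), that 192.168.10.20 is the only legitimate client, that 192.168.10.10 is the only legitimate server, and that the client executable path is a hypothetical placeholder; all of these values are assumptions and not taken from the advisory.

```powershell
# Added example, not from the advisory. Run in an elevated PowerShell session on the
# affected Windows machine. Addresses, port and program path below are assumptions.

$OpcUaPort = 4840                                  # registered opc.tcp default; verify the configured port
$AllowedClients = @('192.168.10.20')               # hosts that may reach the OPC UA server (assumption)
$AllowedServer  = '192.168.10.10'                  # the only server the client may connect to (assumption)
$ClientExe      = 'C:\OpcUaClient\UaClient.exe'    # hypothetical path of the OPC UA client executable

# Make the script idempotent: drop any earlier copies of these rules.
Get-NetFirewallRule -DisplayName 'OPC UA *' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# --- Server side: incoming rules -------------------------------------------------
# Unsolicited inbound traffic must be dropped unless a rule allows it.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Only the listed clients may open TCP connections to the OPC UA port.
New-NetFirewallRule -DisplayName 'OPC UA server: allow listed clients' `
    -Direction Inbound -Protocol TCP -LocalPort $OpcUaPort `
    -RemoteAddress $AllowedClients -Action Allow -Profile Any

# --- Client side: outgoing rules -------------------------------------------------
# The client process may talk to the known server on the OPC UA port.
New-NetFirewallRule -DisplayName 'OPC UA client: allow known server' `
    -Direction Outbound -Program $ClientExe -Protocol TCP -RemotePort $OpcUaPort `
    -RemoteAddress $AllowedServer -Action Allow -Profile Any

# Windows evaluates Block rules before Allow rules, so the block list must leave a
# hole for the server address instead of covering the whole subnet.
$OtherHostsInSubnet = @('192.168.10.0-192.168.10.9', '192.168.10.11-192.168.10.255')
New-NetFirewallRule -DisplayName 'OPC UA client: block other servers in OT subnet' `
    -Direction Outbound -Program $ClientExe -Protocol TCP -RemotePort $OpcUaPort `
    -RemoteAddress $OtherHostsInSubnet -Action Block -Profile Any

# --- Verify what was installed ---------------------------------------------------
Get-NetFirewallRule -DisplayName 'OPC UA *' |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        '{0,-50} {1,-8} {2,-6} remote={3}' -f $_.DisplayName, $_.Direction, $_.Action, ($addr.RemoteAddress -join ',')
    }
```

Two points to keep in mind when adapting this: because Block rules take precedence over Allow rules in Windows Defender Firewall, a client-side block must never include the server's address, and the block ranges above only cover the example OT subnet, so destinations on other reachable networks need additional block ranges (or, more strictly, -DefaultOutboundAction Block on the relevant profile with explicit allow rules). The firewall limits who can reach the server and where the client may connect; it does not stop an attacker who is already inside the allowed address range, which is why the advisory also recommends zones and conduits such as VPN channels.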

Solution

Update to a recent version of the affected product and update the .NET Framework.

Reported by

Beckhoff Automation thanks CERT@VDE for coordination.

Beckhoff's advisory can be found at download.beckhoff.com.