
ID

VDE-2021-051

Published

2021-11-04 07:00 (CET)

Last update

2021-11-04 07:00 (CET)

Vendor(s)

Beckhoff Automation GmbH & Co. KG

Product(s)

Article No°   Product Name                       Affected Version(s)
              TwinCAT OPC UA Server in TF6100    < 4.3.48.0; TcOpcUaServer < 3.2.0.194
              TwinCAT OPC UA Server in TS6100    < 4.3.48.0; TcOpcUaServer < 3.2.0.194

Summary

Through specific nodes of the server configuration interface of the TwinCAT OPC UA Server, administrators are able to remotely create and delete any files on the system on which the server is running, although this access should have been restricted to specific directories. If that configuration interface is combined with the not recommended setting of allowing anonymous access to the TwinCAT OPC UA Server, then this kind of file access is possible even for any unauthenticated remote user.


Weakness

Relative Path Traversal (CWE-23)

Summary

TwinCAT OPC UA Server in TF6100 and TS6100 in product versions before 4.3.48.0, or with TcOpcUaServer versions below 3.2.0.194, is prone to a relative path traversal that allows administrators to create or delete any files on the system.


Impact

The OPC UA server called “TcOpcUaServer” provides specific nodes within a specific namespace which allow configuring features of that OPC UA server. By accessing some of these nodes, an OPC UA client can create and delete configuration files for these features on behalf of the administrator of the “TcOpcUaServer”. Dedicated directories on the file system of the computer where the “TcOpcUaServer” is running are used for these files. Affected versions were missing specific sanity checks for the file names used, so an attacker could add relative path components to the file names in order to create and delete files outside of the dedicated directories.

The specific nodes reside within the OPC UA namespace which is identified by the following namespace URI:

http://beckhoff.com/TwinCAT/TF6100/Server/Configuration

With the default configuration, the dedicated directories are the following, located on the system partition of the computer where “TcOpcUAServer” is running:

  • TwinCAT\Functions\TF6100-OPC-UA\Server\res
  • TwinCAT\Functions\TF6100-OPC-UA\Server\xmlnodesets
  • TwinCAT\Functions\TF6100-OPC-UA\Server\symbolfiles

Please note that the default installation of the “TcOpcUAServer” does allow anonymous access, even to the administrative nodes within the namespace described above. However, Beckhoff recommends restricting access with the help of the various security features of the “TcOpcUaServer”, as described in "Configuring security settings - Beckhoff Information System". This is why operating the “TcOpcUAServer” while allowing anonymous access to the administrative nodes is not considered the intended use here.
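As an added illustration, not part of the Beckhoff or CERT@VDE advisory and not the server's own code, the following Python snippet shows the kind of file-name sanity check whose absence is described above: a client-supplied name for a configuration file is accepted only if it is a bare file name, and the resolved path is then independently confirmed to lie inside the dedicated directory. The base directory is the "res" directory from the list above, assumed here to sit on the C: partition; the traversal name and the accepted name are constructed test values. The code uses the ntpath module so the Windows path layout can be exercised on any host without touching the file system.

```python
import ntpath

# Constructed example: one of the dedicated directories named in the advisory,
# assumed to sit on the C: system partition. Must be an absolute path.
RES_DIR = r"C:\TwinCAT\Functions\TF6100-OPC-UA\Server\res"

# Characters Windows does not permit in a file-name component, plus control chars.
_INVALID_CHARS = set('<>:"/\\|?*') | {chr(c) for c in range(32)}


def is_plain_file_name(name: str) -> bool:
    """Accept only a bare file name: one path component, no separators,
    no drive or UNC prefix, not '.' or '..', no characters Windows forbids."""
    if not name or name in (".", ".."):
        return False
    if any(ch in _INVALID_CHARS for ch in name):
        return False
    drive, _ = ntpath.splitdrive(name)
    if drive:
        return False
    # Win32 silently strips trailing dots and spaces, so two different
    # client-supplied names could collide on disk; refuse them outright.
    if name != name.rstrip(". "):
        return False
    return True


def is_inside(base_dir: str, candidate: str) -> bool:
    """True if `candidate` resolves to a location strictly below `base_dir`.
    Comparison is by path component (so 'resx' is not inside 'res') and,
    as ntpath.commonpath does for Windows, case-insensitive."""
    base = ntpath.normpath(base_dir)
    cand = ntpath.normpath(candidate)
    try:
        return cand != base and ntpath.commonpath([base, cand]) == base
    except ValueError:
        # Different drive letters, or absolute mixed with relative: not inside.
        return False


def unchecked_path(base_dir: str, name: str) -> str:
    """Resolution without any sanity check: the client-supplied name is
    joined straight onto the directory. Included only to show why the
    containment check in confined_path() is needed."""
    return ntpath.normpath(ntpath.join(base_dir, name))


def confined_path(base_dir: str, name: str):
    """Return the full path for `name` inside `base_dir`, or None if the
    request must be refused. Both checks are applied: the name check is the
    primary control, the containment check is defence in depth in case the
    name rule is ever relaxed (for example to allow sub-directories)."""
    if not is_plain_file_name(name):
        return None
    candidate = ntpath.normpath(ntpath.join(base_dir, name))
    if not is_inside(base_dir, candidate):
        return None
    return candidate


# Constructed sample inputs: one legitimate name, one traversal attempt.
GOOD_NAME = "nodeset.xml"
TRAVERSAL_NAME = r"..\..\..\..\..\outside.txt"

if __name__ == "__main__":
    print("unchecked:", unchecked_path(RES_DIR, TRAVERSAL_NAME))
    print("confined: ", confined_path(RES_DIR, TRAVERSAL_NAME))
    print("confined: ", confined_path(RES_DIR, GOOD_NAME))
```

The unchecked join lets five ".." components walk up to the root of the partition, while confined_path() refuses the same name and returns a path only for the plain file name.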

Solution

Mitigation

Consider restricting access to the nodes of the “TcOpcUAServer” with the methods described in "Configuring security settings - Beckhoff Information System", such that the administrative interface can only be accessed by administrative users of well-known OPC UA clients.

Solution

Please update to a recent version of the affected product.

Reported by

Beckhoff Automation thanks Johannes Olegård, Emre Süren, and Robert Lagerström for reporting the issue and for their support and efforts with the coordinated disclosure. Beckhoff Automation also thanks CERT@VDE for coordination.
The Beckhoff Advisory can be found at https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2021-003.pdf