|Article No°||Product Name||Affected Version(s)|
|EK9160 (TcOpcUaServer)||< 220.127.116.11|
|IPC Diagnostic UA Server on windows images (MDP UA Server)||< 18.104.22.168|
|TF2110 (Setup)||< 1.12.754.0|
|TF6100-OPC-UA-Client (TcOpcUaClient)||< 22.214.171.124|
|TF6100-OPC-UA-Gateway (TcOpcUaGateway)||< 126.96.36.1994|
|TF6100-OPC-UA-Server (TcOpcUaServer)||< 188.8.131.52|
|TS6100-0030-OPC-UA (TcOpcUaClient)||< 184.108.40.206|
|TS6100-0030-OPC-UA (TcOpcUaGateway)||< 220.127.116.114|
|TS6100-0030-OPC-UA (TcOpcUaServer)||< 18.104.22.168|
|TS6100-OPC-UA (TcOpcUaClient)||< 22.214.171.124|
|TS6100-OPC-UA (TcOpcUaGateway)||< 126.96.36.1994|
|TS6100-OPC-UA (TcOpcUaServer)||< 188.8.131.52|
By tricking clients of the mentioned products into contacting malicious OPC UA servers and thereby acting as OPC UA clients, a crash of the component can be provoked.
Null Pointer Dereference vulnerability in OPC UA products
A crash of the OPC UA server components can be provoked.
The mentioned products can be used as clients which contact an OPC UA server. If such connection is made with SecurityMode=None for the connection then the client can receive a malformed message during the conversation which provokes a null pointer dereference within the OPC UA stack of the product. The product crashes then by memory access violation. Though this is uncommon and not recommended, such connections with SecurityMode=None may even be used by OPC UA Servers, for example if they act as client to register at a Discovery Server.
Have your applications configured to use other than SecurityMode=None for all OPC UA connections. Avoid that these connect to an unknown OPC UA server with SecurityMode=None. In particular, avoid that your applications connect to servers which they discover via mDNS, a Local Discovery Server (LDS), an untrusted Global Discovery Server (GDS) or even trusted GDS using SecurityMode=none. Especially in the latter case an adversary might be able to apply the “man in the middle” pattern to attack the connection and inject a bad message which triggers the vulnerability.
Please update to a recent version of the affected product.
Beckhoff Automation thanks the OPC Foundation and Unified Automation for reporting the issue and for support
and efforts with the coordinated disclosure. Also Beckhoff Automation thanks CERT@VDE for coordination.