| Article No. | Product Name | Affected Version(s) |
|---|---|---|
| - | OPC UA Proxy | < 2.5.0 |
A number of TRUMPF software tools use the OPC UA Server from the C++ based OPC UA SDK by Unified Automation. The application contains several vulnerabilities that enable an attacker to send malicious data to the application, resulting in a Denial-of-Service.
OPC UA .NET Standard Stack 1.04.368 allows a remote attacker to cause a server to crash via a large number of messages that trigger Uncontrolled Resource Consumption.
An infinite loop in OPC UA .NET Standard Stack 1.04.368 allows remote attackers to cause the application to hang via a crafted message.
The stated TRUMPF products are supplied with the Unified Automation OPC UA Server in versions that are known to contain a number of vulnerabilities. We cannot confirm at this time whether the use of the vulnerable OPC UA Server exposes our products to the risks described in the CVEs mentioned above. Nevertheless, TRUMPF offers updates for its products that contain the fixed versions provided by Unified Automation.
Use the updated versions of the TRUMPF OPC UA server that will be available via MyTRUMPF (link).
CERT@VDE coordinated with Trumpf