Share: Email | Twitter

ID

VDE-2022-003

Published

2022-03-01 13:34 (CET)

Last update

2022-03-01 13:35 (CET)

Vendor(s)

Beckhoff Automation GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
EK9160 (TcOpcUaServer) < 3.2.0.239
IPC Diagnostic UA Server on windows images (MDP UA Server) < 3.1.0.8
TF2110 (Setup) < 1.12.754.0
TF6100-OPC-UA-Client (TcOpcUaClient) < 2.2.9.1
TF6100-OPC-UA-Gateway (TcOpcUaGateway) < 1.5.8.454
TF6100-OPC-UA-Server (TcOpcUaServer) < 3.2.0.240
TS6100-0030-OPC-UA (TcOpcUaClient) < 2.2.9.1
TS6100-0030-OPC-UA (TcOpcUaGateway) < 1.5.8.454
TS6100-0030-OPC-UA (TcOpcUaServer) < 3.2.0.240
TS6100-OPC-UA (TcOpcUaClient) < 2.2.9.1
TS6100-OPC-UA (TcOpcUaGateway) < 1.5.8.454
TS6100-OPC-UA (TcOpcUaServer) < 3.2.0.240

Summary

By tricking clients of the mentioned products into contacting malicious OPC UA servers and thereby acting as OPC UA clients, a crash of the component can be provoked.


Last Update:

Nov. 17, 2022, 1:09 p.m.

Weakness

NULL Pointer Dereference  (CWE-476) 

Summary

The OPC autogenerated ANSI C stack stubs (in the NodeSets) do not handle all error cases. This can lead to a NULL pointer dereference.

Impact

A crash of the OPC UA server components can be provoked.



Impact

The mentioned products can be used as clients which contact an OPC UA server. If such connection is made with SecurityMode=None for the connection then the client can receive a malformed message during the conversation which provokes a null pointer dereference within the OPC UA stack of the product. The product crashes then by memory access violation. Though this is uncommon and not recommended, such connections with SecurityMode=None may even be used by OPC UA Servers, for example if they act as client to register at a Discovery Server.

Solution

Mitigation

Have your applications configured to use other than SecurityMode=None for all OPC UA connections. Avoid that these connect to an unknown OPC UA server with SecurityMode=None. In particular, avoid that your applications connect to servers which they discover via mDNS, a Local Discovery Server (LDS), an untrusted Global Discovery Server (GDS) or even trusted GDS using SecurityMode=none. Especially in the latter case an adversary might be able to apply the “man in the middle” pattern to attack the connection and inject a bad message which triggers the vulnerability.

Solution

Please update to a recent version of the affected product.

Reported by

Beckhoff Automation thanks the OPC Foundation and Unified Automation for reporting the issue and for support
and efforts with the coordinated disclosure. Also Beckhoff Automation thanks CERT@VDE for coordination.