Critical flaws found in three vendors' OPC implementations

The Open Platform Communications (OPC) network protocol is the middleman of operational technology (OT) networks, which ensures operability between industrial control systems (ICS) and proprietary devices. In other words, OPC is the communication hub of an OT network, which supports communication between proprietary devices that otherwise could not exchange information, such as programmable logic controllers (PLCs) responsible for the correct operation of field devices.

Due to its popularity as an embedded protocol operating in devices across the ICS domain, the Claroty Research Team decided that OPC was worthy of analysis for security vulnerabilities and implementation issues.

As a result of its investigation, Claroty discovered a number of critical vulnerabilities in three vendor implementations of the OPC protocol. Organisations that use these vendors’ products built on OPC are exposed to attacks that could result in denial-of-service conditions on devices, remote code execution and information leaks of sensitive device data.

The three vendors — Softing Industrial Automation GmbH, Kepware PTC and Matrikon Honeywell — have provided fixes for their respective products. However, users of affected products that have not yet updated to the latest versions are still vulnerable to attack. The Industrial Control System Cyber Emergency Response Team (ICS-CERT) has also published advisories, warning users of the affected products about the risks.

Users should immediately upgrade to the latest version of each of these products to close down these vulnerabilities.

However, it is not just these three products that are cause for concern. As the affected products are integrated into many other vendors’ offerings as a third-party component, Claroty believes these vulnerabilities may affect multiple other products sold by vendors across all ICS vertical markets.

For example, Softing’s OPC library is being used as a third-party OPC protocol stack by some vendors, and the KEPServerEX OPC Server is being used as an OEM shelf solution by other well-known vendors, including Rockwell Automation and GE, both of which have published advisories informing their users of these security issues.

Further details on the specific vulnerabilities are below.

Softing Industrial Automation GmbH

• CVE-2020-14524: Heap-Based Buffer Overflow (CWE-122)
• CVE-2020-14522: Uncontrolled Resource Consumption (CWE-400)
• All versions prior to the latest build, 4.47.0, are vulnerable
   

Claroty discovered two vulnerabilities in the Softing OPC DA XML library’s handling of OPC DA XML.

The first is a heap-based buffer overflow vulnerability in the Softing OPC DA XML library that may allow an attacker to crash the Softing server and possibly execute code. ICS-CERT assigned this flaw a CVSS score of 9.8.

The second flaw is a resource consumption bug, which occurs when an invalid value is used within certain parameters. That value will create a loop that runs indefinitely to cause high memory consumption and denial-of-service conditions.

Kepware PTC

• CVE-2020-27265: Stack-based buffer overflow (CWE-121)
• CVE-2020-27263: Heap-based buffer overflow (CWE-122)
• CVE-2020-27267: Use-after-free (CWE-416)
• KEPServerEX v6.0 to v6.9 is vulnerable, as are ThingWorx Kepware Server v6.8 and v6.9 and all versions of ThingWorx Industrial Connectivity and OPC-Aggregator
   

Claroty uncovered OPC UA vulnerabilities in Kepware PTC’s ThingWorx Edge and KEPServerEX servers that lead to denial-of-service conditions, sensitive data leaks and, potentially, code execution. Kepware’s OPC protocol stack is embedded as a third-party component in many products across different industries.

Matrikon Honeywell OPC DA Tunneller

• CVE-2020-27297: Heap overflow due to integer overflow (CWE-122)
• CVE-2020-27299: Information leak due to OOB read (CWE-125)
• CVE-2020-27274: Improper check for unusual or exceptional conditions (CWE-754)
• CVE-2020-27295: Uncontrolled resource consumption (CWE-400)
• All versions prior to 6.3.0.8233 of the Matrikon OPC UA Tunneller are vulnerable
   

Claroty found multiple vulnerabilities in different Matrikon OPC Tunneller components, including a critical (9.8 CVSS) heap overflow flaw that could allow for remote code execution on affected machines. Two other denial-of-service vulnerabilities were also discovered, both with CVSS scores of 7.5.

The key takeaways

Users should upgrade to the latest version of each of these products to close down these vulnerabilities. In the meantime, it’s important to continue to research and address vulnerabilities in OT communications protocols, such as OPC.

Attack surfaces are constantly expanding due to the increased connectivity of IT and OT environments, meaning the number of vulnerabilities discovered will only grow. Therefore, organisations must regularly examine their respective implementations for weaknesses, and support security research into undiscovered vulnerabilities and protocol shortcomings.

Image: ©stock.adobe.com/au/Jürgen Fälchle