SYT-2022-3: Multiple vulnerabilities in the OPC UA .NET Standard SDK and the OPC UA .NET SDK
Publisher: Softing Industrial Automation GmbH |
Document category: csaf_security_advisory |
Initial release date: 2022-07-22T10:00:00.000Z |
Engine: Secvisogram 1.14.0 |
Current release date: 2022-07-22T10:00:00.000Z |
Build Date: 2022-09-26T13:21:29.634Z |
Current version: 2.0.0 |
Status: final |
CVSSv3.1 Base Score: 7.5 |
Severity:
high
|
Original language: en-US |
Language: |
Also referred to: |
Vulnerabilities
(CVE-2022-29862)
Vulnerability allows a malicious client or server to cause a peer to hang with a carefully crafted message sent during secure channel
creation.
CWE: |
CWE-835:Loop with Unreachable Exit Condition ('Infinite Loop') |
Discovery date: |
2022-05-01T10:00:00.000Z |
Product status
Known affected
Product |
CVSS-Vector |
CVSS Base Score |
Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
Softing OPC UA .NET SDK V1.48 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
Last affected
Product |
CVSS-Vector |
CVSS Base Score |
Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
Softing OPC UA .NET SDK V1.48 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
Fixed
- Softing OPC UA .NET Standard SDK V3.20
- Softing OPC UA .NET SDK V1.49
- OPC UA .NET Standard Stack V1.4.369.30 default component of Softing OPC UA .NET Standard SDK V3.20
- OPC UA .NET Standard Stack V1.4.368.58
Remediations
Workaround
Use a physically secured network where unauthorized clients cannot connect.
For products:
- Softing OPC UA .NET Standard SDK V3.10
- Softing OPC UA .NET SDK V1.48
- OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10
Acknowledgments
- Florian Kohnhäuser from ABB
(CVE-2022-29863)
Vulnerability that allows a malicious client to cause a server to trigger an out of memory exception with a carefully crafted message.
CWE: |
CWE-789:Memory Allocation with Excessive Size Value |
Discovery date: |
2022-05-01T10:00:00.000Z |
Product status
Known affected
Product |
CVSS-Vector |
CVSS Base Score |
Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
Softing OPC UA .NET SDK V1.48 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
Last affected
Product |
CVSS-Vector |
CVSS Base Score |
Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
Softing OPC UA .NET SDK V1.48 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
Fixed
- Softing OPC UA .NET Standard SDK V3.20
- Softing OPC UA .NET SDK V1.49
- OPC UA .NET Standard Stack V1.4.369.30 default component of Softing OPC UA .NET Standard SDK V3.20
- OPC UA .NET Standard Stack V1.4.368.58
Remediations
Workaround
Use a physically secured network where unauthorized clients cannot connect.
For products:
- Softing OPC UA .NET Standard SDK V3.10
- Softing OPC UA .NET SDK V1.48
- OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10
Acknowledgments
- Uriya Yavnieli from JFrog Security Research Team working with Trend Micro Zero Day Initiative
(CVE-2022-29864)
Vulnerability that allows a malicious client to cause a server to trigger an out of memory exception by sending a large number of message chunks.
CWE: |
CWE-400:Uncontrolled Resource Consumption |
Discovery date: |
2022-05-01T10:00:00.000Z |
Product status
Known affected
Product |
CVSS-Vector |
CVSS Base Score |
Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
Softing OPC UA .NET SDK V1.48 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
Last affected
Product |
CVSS-Vector |
CVSS Base Score |
Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
Softing OPC UA .NET SDK V1.48 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
Fixed
- Softing OPC UA .NET Standard SDK V3.20
- Softing OPC UA .NET SDK V1.49
- OPC UA .NET Standard Stack V1.4.369.30 default component of Softing OPC UA .NET Standard SDK V3.20
- OPC UA .NET Standard Stack V1.4.368.58
Remediations
Workaround
Use a physically secured network where unauthorized clients cannot connect.
For products:
- Softing OPC UA .NET Standard SDK V3.10
- Softing OPC UA .NET SDK V1.48
- OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10
Acknowledgments
- Vera Mens, Uri Katz, Sharon Brizinov from Claroty Research Team working with Trend Micro Zero Day Initiative
(CVE-2022-29865)
Vulnerability that allows malicious client or server to bypass the application authentication mechanism and allow a connection to an untrusted peer.
CWE: |
CWE-303:Incorrect Implementation of Authentication Algorithm |
Discovery date: |
2022-05-01T10:00:00.000Z |
Product status
Known affected
Product |
CVSS-Vector |
CVSS Base Score |
Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
6.5 |
Softing OPC UA .NET SDK V1.48 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
6.5 |
OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
6.5 |
Last affected
Product |
CVSS-Vector |
CVSS Base Score |
Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
6.5 |
Softing OPC UA .NET SDK V1.48 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
6.5 |
OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
6.5 |
Fixed
- Softing OPC UA .NET Standard SDK V3.20
- Softing OPC UA .NET SDK V1.49
- OPC UA .NET Standard Stack V1.4.369.30 default component of Softing OPC UA .NET Standard SDK V3.20
- OPC UA .NET Standard Stack V1.4.368.58
Remediations
Mitigation
Only affects applications running on Windows or MacOS.
For products:
- Softing OPC UA .NET Standard SDK V3.10
- Softing OPC UA .NET SDK V1.48
- OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10
Workaround
Use self-signed Certificates for application authentication.
Move CAs from the trust list to the issuers list and explicitly add each trusted peer into the trust list.
Require user authentication in addition to application authentication.
For products:
- Softing OPC UA .NET Standard SDK V3.10
- Softing OPC UA .NET SDK V1.48
- OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10
Acknowledgments
- Daan Keuper, Thijs Alkemade from Computest working with Trend Micro Zero Day Initiative
(CVE-2022-29866)
Vulnerability that allows a malicious client to trigger a stack overflow exception in a server that exposes an HTTPS endpoint.
CWE: |
CWE-400:Uncontrolled Resource Consumption |
Discovery date: |
2022-05-01T10:00:00.000Z |
Product status
Known affected
Product |
CVSS-Vector |
CVSS Base Score |
Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
Softing OPC UA .NET SDK V1.48 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
Last affected
Product |
CVSS-Vector |
CVSS Base Score |
Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
Softing OPC UA .NET SDK V1.48 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
7.5 |
Fixed
- Softing OPC UA .NET Standard SDK V3.20
- Softing OPC UA .NET SDK V1.49
- OPC UA .NET Standard Stack V1.4.369.30 default component of Softing OPC UA .NET Standard SDK V3.20
- OPC UA .NET Standard Stack V1.4.368.58
Remediations
Mitigation
Only affects servers with an HTTPS endpoint.
For products:
- Softing OPC UA .NET Standard SDK V3.10
- Softing OPC UA .NET SDK V1.48
- OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10
Workaround
Disable HTTPS endpoints.
For products:
- Softing OPC UA .NET Standard SDK V3.10
- Softing OPC UA .NET SDK V1.48
- OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10
Acknowledgments
- Uriya Yavnieli from JFrog Security Research Team working with Trend Micro Zero Day Initiative
Softing Industrial Automation GmbH
Namespace: https://industrial.softing.com
Softing PSIRT - contact us at [email protected]
Revision history
Version |
Date of the revision |
Summary of the revision |
1.0.0 |
2022-07-22T10:00:00.000Z |
Initial version |
2.0.0 |
2022-09-26T10:00:00.000Z |
OPC UA .NET Fix |
Disclaimer
The information provided in this disclosure is provided "as is" without warranty of any kind.
Softing disclaims all warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event shall Softing or its suppliers be
liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of
business profits or special damages, even if Softing or its suppliers have been advised of the
possibility of such damages.
Some states do not allow the exclusion or limitation of liability for consequential or incidental
damages so the foregoing limitation may not apply.