SYT-2022-3: Multiple vulnerabilities in the OPC UA .NET Standard SDK and the OPC UA .NET SDK

Publisher: Softing Industrial Automation GmbH
Document category: csaf_security_advisory
Initial release date: 2022-07-22T10:00:00.000Z
Engine: Secvisogram 1.14.0
Current release date: 2022-07-22T10:00:00.000Z
Build Date: 2022-09-26T13:21:29.634Z
Current version: 2.0.0
Status: final
CVSSv3.1 Base Score: 7.5
Severity: high
Original language: en-US
Language:
Also referred to:

Vulnerabilities

(CVE-2022-29862)

Vulnerability allows a malicious client or server to cause a peer to hang with a carefully crafted message sent during secure channel creation.

CWE: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
Discovery date: 2022-05-01T10:00:00.000Z

Product status

Known affected

| Product | CVSS-Vector | CVSS Base Score |
| --- | --- | --- |
| Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |
| Softing OPC UA .NET SDK V1.48 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |
| OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |

Last affected

| Product | CVSS-Vector | CVSS Base Score |
| --- | --- | --- |
| Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |
| Softing OPC UA .NET SDK V1.48 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |
| OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |

Fixed

Remediations

Workaround

Use a physically secured network where unauthorized clients cannot connect.

For products:

Acknowledgments

(CVE-2022-29863)

Vulnerability that allows a malicious client to cause a server to trigger an out-of-memory exception with a carefully crafted message.

CWE: CWE-789: Memory Allocation with Excessive Size Value
Discovery date: 2022-05-01T10:00:00.000Z

Product status

Known affected

| Product | CVSS-Vector | CVSS Base Score |
| --- | --- | --- |
| Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |
| Softing OPC UA .NET SDK V1.48 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |
| OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |

Last affected

| Product | CVSS-Vector | CVSS Base Score |
| --- | --- | --- |
| Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |
| Softing OPC UA .NET SDK V1.48 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |
| OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |

Fixed

Remediations

Workaround

Use a physically secured network where unauthorized clients cannot connect.

For products:

Acknowledgments

(CVE-2022-29864)

Vulnerability that allows a malicious client to cause a server to trigger an out-of-memory exception by sending a large number of message chunks.
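
The two out-of-memory conditions (CVE-2022-29863, an excessive size value, and CVE-2022-29864, too many chunks) belong to a class that a receiver avoids by bounding the declared chunk size, the chunk count and the total message size before buffering. The sketch below is an added example, not code from the Softing SDK or the OPC UA .NET Standard Stack and not a description of the shipped fix; it assumes a simplified view of the OPC UA TCP chunk header (bytes after the 8-byte header are treated as body), and the class names and limit values are hypothetical.

```python
import struct

# UACP chunk header: 3-byte MessageType, 1-byte chunk flag, UInt32 size (LE, header included)
HEADER = struct.Struct("<3scI")

class LimitExceeded(Exception):
    """The peer exceeded a configured transport limit; close the channel."""

class ChunkAssembler:
    """Reassembles one message under fixed limits (values constructed for this example)."""
    def __init__(self, max_chunk_size=8192, max_chunk_count=4, max_message_size=16384):
        self.max_chunk_size = max_chunk_size
        self.max_chunk_count = max_chunk_count
        self.max_message_size = max_message_size
        self._parts, self._total = [], 0

    def declared_size(self, header: bytes) -> int:
        """Check the size field before any receive buffer is allocated."""
        if len(header) != HEADER.size:
            raise ValueError("truncated chunk header")
        _msg_type, _flag, size = HEADER.unpack(header)
        if not HEADER.size <= size <= self.max_chunk_size:
            raise LimitExceeded(f"declared chunk size {size} is outside limits")
        return size

    def feed(self, chunk: bytes):
        """Accept one chunk; return the full body on the final chunk, else None."""
        if self.declared_size(chunk[:HEADER.size]) != len(chunk):
            raise ValueError("declared size does not match received bytes")
        flag, body = chunk[3:4], chunk[HEADER.size:]
        if flag not in (b"C", b"F", b"A"):
            raise ValueError("unknown chunk flag")
        too_many = len(self._parts) + 1 > self.max_chunk_count
        too_big = self._total + len(body) > self.max_message_size
        if flag == b"A" or too_many or too_big:
            self._parts, self._total = [], 0  # drop everything buffered so far
            if flag == b"A":
                return None  # sender aborted the message
            raise LimitExceeded("chunk count or total message size limit reached")
        self._parts.append(body)
        self._total += len(body)
        if flag == b"C":
            return None  # intermediate chunk, keep waiting
        message = b"".join(self._parts)
        self._parts, self._total = [], 0
        return message

def make_chunk(flag: bytes, body: bytes) -> bytes:  # constructed sample MSG chunk
    return HEADER.pack(b"MSG", flag, HEADER.size + len(body)) + body
```

A caller reads the 8 header bytes first, passes them to `declared_size`, and only then reads the rest of the chunk, so the size field never drives an allocation unchecked.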

CWE: CWE-400: Uncontrolled Resource Consumption
Discovery date: 2022-05-01T10:00:00.000Z

Product status

Known affected

| Product | CVSS-Vector | CVSS Base Score |
| --- | --- | --- |
| Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |
| Softing OPC UA .NET SDK V1.48 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |
| OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |

Last affected

| Product | CVSS-Vector | CVSS Base Score |
| --- | --- | --- |
| Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |
| Softing OPC UA .NET SDK V1.48 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |
| OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |

Fixed

Remediations

Workaround

Use a physically secured network where unauthorized clients cannot connect.

For products:

Acknowledgments

(CVE-2022-29865)

Vulnerability that allows a malicious client or server to bypass the application authentication mechanism, allowing a connection to an untrusted peer.

CWE: CWE-303: Incorrect Implementation of Authentication Algorithm
Discovery date: 2022-05-01T10:00:00.000Z

Product status

Known affected

| Product | CVSS-Vector | CVSS Base Score |
| --- | --- | --- |
| Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 6.5 |
| Softing OPC UA .NET SDK V1.48 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 6.5 |
| OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 6.5 |

Last affected

| Product | CVSS-Vector | CVSS Base Score |
| --- | --- | --- |
| Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 6.5 |
| Softing OPC UA .NET SDK V1.48 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 6.5 |
| OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 6.5 |

Fixed

Remediations

Mitigation

Only affects applications running on Windows or macOS.

For products:

Workaround

Use self-signed certificates for application authentication. Move CAs from the trust list to the issuers list and explicitly add each trusted peer to the trust list. Require user authentication in addition to application authentication.

For products:

Acknowledgments

(CVE-2022-29866)

Vulnerability that allows a malicious client to trigger a stack overflow exception in a server that exposes an HTTPS endpoint.

CWE: CWE-400: Uncontrolled Resource Consumption
Discovery date: 2022-05-01T10:00:00.000Z

Product status

Known affected

| Product | CVSS-Vector | CVSS Base Score |
| --- | --- | --- |
| Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |
| Softing OPC UA .NET SDK V1.48 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |
| OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |

Last affected

| Product | CVSS-Vector | CVSS Base Score |
| --- | --- | --- |
| Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |
| Softing OPC UA .NET SDK V1.48 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |
| OPC UA .NET Standard Stack V1.4.368.53 default component of Softing OPC UA .NET Standard SDK V3.10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |

Fixed

Remediations

Mitigation

Only affects servers with an HTTPS endpoint.

For products:

Workaround

Disable HTTPS endpoints.

For products:

Acknowledgments

Softing Industrial Automation GmbH

Namespace: https://industrial.softing.com

Softing PSIRT - contact us at [email protected]

Revision history

| Version | Date of the revision | Summary of the revision |
| --- | --- | --- |
| 1.0.0 | 2022-07-22T10:00:00.000Z | Initial version |
| 2.0.0 | 2022-09-26T10:00:00.000Z | OPC UA .NET Fix |

Disclaimer

The information provided in this disclosure is provided "as is" without warranty of any kind. Softing disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Softing or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Softing or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.