Headline
CVE-2022-2561: CVE-2022-2561 Connectivity Explorer file vulnerability (ZDI-CAN-16596)
This vulnerability allows remote attackers to execute arbitrary code on affected installations of OPC Labs QuickOPC 2022.1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of XML files in Connectivity Explorer. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-16596.
Summary
The Connectivity Explorer (part of QuickOPC) allows the user to save and load XML files with list of "Live Points". When opening the file, the Connectivity Explorer does not treat it as untrusted data. This allows the attacker to craft a special file which will then execute commands on the user’s computer.
More Information
The vulnerability is not related to OPC communication.
The vulnerability does not affect user software created with QuickOPC, because it is only present in the Connectivity Explorer application, which is not redistributable.
The Connectivity Explorer does not associate a file extension with its files. Consequently, clicking/double-clicking on a malicious file does not trigger the vulnerability. The vulnerability can only be exploited by explicitly opening the file from the Connectivity Explorer application by the user.
Affected Versions
Affected are all Connectivity Explorer versions lower than 5.63.246 (QuickOPC 2022.1 build 246).
Resolution
The Connectivity Explorer now restricts the types that are allowed to load.
Acknowledgements
Steven Seeley (mr_me) of Source Incite working with Trend Micro Zero Day Initiative.
Related news
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.