Headline
CVE-2023-26151: DoS asyncua Server
Versions of the package asyncua before 0.9.96 are vulnerable to Denial of Service (DoS) such that an attacker can send a malformed packet and as a result, the server will enter into an infinite loop and consume excessive memory.
Disclaimer: It is important to note that a previous vulnerability related to DoS attacks on asyncua servers exists.
However, the vulnerability described here is entirely different in nature. The previous vulnerability relied on
resource exhaustion by sending an unlimited number of large chunks.
This crafted message is sufficient to cause the server to enter an infinite loop,
gradually consuming more and more resources. Notably,
in comparison to CVE-2022-25304, the vulnerability discussed in this gist requires less effort to exploi
#How was the vulnerability discovered ?
During my experiments for my Ph.D., I identified this vulnerability and promptly alerted the maintainers
by creating an issue on Git, as their request.
#Reproduce:
To reproduce this vulnerability:
0/send a message with a size field set to 0.
I used an open secure channel request but others are working.
All of this is described in the issue:
The first comment made a mistake by thinking that this vulnerability is CVE-2022-25304. But if you read the complete issue
you will see that it is not.
https://github.com/FreeOpcUa/opcua-asyncio/issues/1013
Related news
Versions of the package asyncua before 0.9.96 are vulnerable to Denial of Service (DoS) such that an attacker can send a malformed packet and as a result, the server will enter into an infinite loop and consume excessive memory.
All versions of package opcua; all versions of package asyncua are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without sending the Final closing chunk.
All versions of package opcua; all versions of package asyncua are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without sending the Final closing chunk.