Headline
CVE-2022-29862: Security - OPC Foundation
An infinite loop in OPC UA .NET Standard Stack 1.04.368 allows a remote attackers to cause the application to hang via a crafted message.
Security Podcast
OPC Cybersecurity: Larry O’Brien from ARC talks to with Randy Armstrong of the OPC Foundation
Security Bulletins
The OPC Foundation publishes security bulletins that affect software that it maintains or distributes. In many cases these bulletins will affect code that OPC vendors incorporate into their products. As a result, vendors will have to patch their products to address the vulnerabilities identified.
All the bulletins that have been published are available here.
Any vulnerabilities or security concerns should be reported to ‘securityteam AT opcfoundation DOT org’.
A PGP key to encrypt any sensitive security report can be found here.
Security Deep Dive Webinar
- See recording here
- Download slides here
Java log4j2 vulnerability
A new a critical vulnerability to the open source log4j2 Java service was announced. This vulnerability (CVE-2021-44228) has been rated with a CVSS score of 10.0.
Information for OPC users can be found here:
- Classic OPC (including OPC Core Components).
- OPC UA (including open source code managed by the OPC Foundation).
Security Analysis by Kaspersky Labs
On May 10th, 2017 Kaspersky Labs released a report identifying 17 zero day vulnerabilities in OPC Foundation code.
- The OPC Foundation’s formal response can be found here.
- The complete list of vulnerabilities along with references to appropriate CVEs can be found here.
- The process that the OPC Foundation follows when these kinds of concerns are raised can be found here.
Practical Security Recommendations for Building OPC UA applications
!! Updated v3 available !!
OPC Foundation members and partners have published the whitepaper “Practical Security Recommendations”.
Download here
January, 2017: First Security Analysis by German Office for Information Security (BSI)
The BSI reviewed the OPC UA security mechanisms and created an evaluation report. Two analyses were performed for this purpose: In the first part of the project, the specification of the OPC UA was analyzed Protocol version 1.02 on systematic errors. This analysis was divided into the following steps:
- Analysis of already carried out investigations of IT security by OPC UA
- Threat analysis (analysis of the objectives and threats, analysis of threats and measures)
- Analysis of the OPC UA specification in detail with an emphasis on the parts of 2, 4, 6, 7 and 12
The Security working group of the OPC Foundation assessed the findings in the BSI report and initiated necessary measures. Although no major flaws had been detected, these measures will help improve the document and the implementations.
The OPC Foundation responses have been inserted into the original BSI report. Each response is labelled with [OPC-F].
All issues that need further work have been recorded in Mantis (the OPC Foundation problem reporting tool). Mantis issue references are marked with (Mantis #XXXX), where XXX is the reference number within mantis.
All issues are planned to be solved with the next OPC UA specification (most likely version 1.04) respectively in the OPC Foundation’s ANSI-C stack for OPC UA, version 1.03.340.
Download the BSI report with the OPC Foundation responses:
- English
- German
February, 2022: Second Security Analysis by German Office for Information Security (BSI)
BSI: Subject of the analysis – Chapter 2
OPC UA was one of the first protocols to be set as an Industrie 4.0 standard by Plattform Industrie 4.0. Compared to other industrial communication protocols, OPC UA in the variant of the client-server communication paradigm offers integrated security mechanisms for authenticated, integrity-protected and, if necessary, encrypted communication, as well as mechanisms to authorize applications or users for access to the corresponding information models. The specified security mechanisms are basically suitable for ensuring secure communication according to the state of the art. This was already examined and confirmed in 2016 in a study conducted on behalf of the BSI for OPC UA Version 1.02. In addition to the analysis of the standard and a threat analysis, the ANSI C implementation of the OPC Foundation was also examined using static and dynamic code analysis including fuzzing.
Since this study from 2016, there have been major changes in both the OPC UA specification and the implementations provided by the OPC Foundation. OPC UA is now specified in version 1.04 and the most comprehensive change is certainly the newly added communication paradigm PubSub. Other parts of the standard, which cover certificate management for example, have also undergone major changes. The ANSI C implementation (the implementation examined in the 2016 study) is now only available as a legacy version. In addition, more and more products are appearing with (certified) OPC UA support, although it is not always apparent which security functions have been implemented in each case via the security policies and user identity tokens. This includes, for example, the support of a Global Discovery Server (GDS).
Based on this initial situation, it makes sense to update the 2016 study and add new aspects to the investigation. The aim of this study is therefore to provide an update of the 2016 study based on version 1.04 of the OPC UA standard.
For the update of the study, all security-relevant changes to the OPC UA specification from version 1.02 to 1.04 were therefore collected and the new version of the specification was examined for vulnerabilities and improvements analogous to the study from 2016. In agreement with the German Federal Office for Safety, PubSub (Part 14) as a new communication paradigm was not considered as part of the update, since the major differences between the two communication paradigms, client/server and PubSub, would not ensure comparability of the results. In addition, no complete (or certified) implementations were available at the time the study was updated. PubSub and the infrastructure required for it should therefore be examined at a later date as part of a separate analysis.
In the context of updating the study, an open (open source) implementation of the OPC UA protocol should be investigated using static and dynamic code analysis methods. It has been chosen open62541 [Open source implementation by Fraunhofer. Note by OPCF: This is not a solution or an offering by the OPC Foundation] as open implementation for investigation in the updated study. On the one hand, it is investigated whether parts of the vulnerabilities identified in 2016 can also be found in the new implementation, if applicable, but also what other anomalies occur during the tests. Any vulnerabilities found will be implemented as far as possible in proof-of-concept exploits and attacks on the implementation or standard will be demonstrated.
In addition, a market survey will be conducted to determine which security mechanisms have been implemented in the individual products and what difficulties the manufacturers encountered in doing so. The results are to be recorded in recommendations for action for secure implementation by manufacturers and integrators.
Download the BSI report:
- English under preparation
- German
Related news
The Andariel group is targeting critical defense, aerospace, nuclear, and engineering companies for data theft, the FBI, NSA, and others said.
The notorious North Korea-linked threat actor known as the Lazarus Group has been attributed to a new global campaign that involves the opportunistic exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts. Cisco Talos is tracking the activity under the name Operation Blacksmith, noting the use of three DLang-based
Ivanti Avalanche Incorrect Default Permissions allows Local Privilege Escalation Vulnerability
A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022. "In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five
In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targeted network sniffing attack can lead to a disclosure of sensitive information. Only users who have Access Experimental Features enabled and have logged in to a private registry are affected.
Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.
An issue was discovered in Couchbase Server 7.x before 7.0.5 and 7.1.x before 7.1.2. A crafted HTTP REST request from an administrator account to the Couchbase Server Backup Service can exhaust memory resources, causing the process to be killed, which can be used for denial of service.
Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
The latest version (5.1) and all prior versions of Intel's Data Center Manager are vulnerable to a local privileges escalation vulnerability using the application user "dcm" used to run the web application and the rest interface. An attacker who gained remote code execution using this dcm user (i.e., through Log4j) is then able to escalate their privileges to root by abusing a weak sudo configuration for the "dcm" user.
Improper Input Validation of plugin files in Administrator Interface of Secomea GateManager allows a server administrator to inject code into the GateManager interface. This issue affects: Secomea GateManager versions prior to 10.0.
By Waqas The attack, according to authorities, was launched on the Federal Civilian Executive Branch (FCEB). This is a post from HackRead.com Read the original post: Log4Shell – Iranian Hackers Accessed Domain Controller of US Federal Network
Linus Torvalds, the creator of Linux and Git, has his own law in software development, and it goes like this: "given enough eyeballs, all bugs are shallow." This phrase puts the finger on the very principle of open source: the more, the merrier - if the code is easily available for anyone and everyone to fix bugs, it's pretty safe. But is it? Or is the saying "all bugs are shallow" only true for
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial of service. Example scenarios: - Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue. - Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue. - Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue. We advise the users to upgrade the Kafka installations to one of the 3.2.3, 3.1.2, 3.0.2, 2.8.2 versions.
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020. The agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked
A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.
PrinterLogic Windows Client through 25.0.0.676 allows attackers to execute directory traversal. Authenticated users with prior knowledge of the driver filename could exploit this to escalate privileges or distribute malicious content.
Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.
Commodity malware usage surpasses ransomware by narrow margin By Caitlin Huey. For the first time in more than a year, ransomware was not the top threat Cisco Talos Incident Response (CTIR) responded to this quarter, as commodity malware surpassed ransomware by a narrow margin. This is likely due to several factors, including the closure of several ransomware groups, whether it be of their own volition or the actions of global law enforcement agencies and governments. Commodity malware was the top observed threat this quarter, a notable development given the general decrease in observations of attacks leveraging commodity trojans in CTIR engagements since 2020. These developments coincide with a general resurgence of certain email-based trojans in recent months, as law enforcement and technology companies have continued to attempt to disrupt and affect email-based malware threats like Emotet and Trickbot. This quarter featured malware such as the Remcos remote access trojan ...
Open-Xchange App Suite versions 7.10.6 and below suffer from OS command injection and cross site scripting vulnerabilities. One particular cross site scripting issue only affects versions 7.10.5 and below.
What are container image vulnerabilities?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), on Thursday released a joint advisory warning of continued attempts on the part of threat actors to exploit the Log4Shell flaw in VMware Horizon servers to breach target networks. "Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched,
Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable to a privilege escalation via the manipulation of Python environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges. No other Pure Storage products or services are affected. Remediation is available from Pure Storage via a self-serve “opt-in” patch, manual patch application or a software upgrade to an unaffected version of Purity software.
In this post, we break down 5 times hackers used security vulnerabilities in 2021 to attack governments and businesses. The post Security vulnerabilities: 5 times that organizations got hacked appeared first on Malwarebytes Labs.
A vulnerability was discovered in OPC UA .NET Standard Stack that allows a malicious client or server to cause a peer to hang with a carefully crafted message sent during secure channel creation.
Versions of the Amazon AWS Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3.5 are affected by a race condition that could lead to a local privilege escalation. This Hotpatch package is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046; it provides a temporary mitigation to CVE-2021-44228 by hotpatching the local Java virtual machines. To do so, it iterates through all running Java processes, performs several checks, and executes the Java virtual machine with the same permissions and capabilities as the running process to load the hotpatch. A local user could cause the hotpatch script to execute a binary with elevated privileges by running a custom java process that performs exec() of an SUID binary after the hotpatch has observed the process path and before it has observed its effective user ID.
A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.
Couchbase Server before 7.1.0 has Incorrect Access Control.
EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.
Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.
In Apache Archiva, any registered user can reset password for any users. This is fixed in Archiva 2.2.8
Calibre-Web before 0.6.18 allows user table SQL Injection.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
The Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.1-13 didn’t mimic the permissions of the JVM being patched, allowing it to escalate privileges.
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
An issue was discovered in Wind River VxWorks 7. The memory allocator has a possible integer overflow in calculating a memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.
Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege.