Headline
GHSA-fph9-f5r6-vhqf: Eclipse Milo vulnerable to Resource Exhaustion (Denial of Service)
Impact
Denial of Service
Details
OPC UA specification describes a concept named Subscriptions. Subscriptions monitor a set of Monitored Items for Notifications and return them to the Client in response to Publish requests. The server notifies the client about changes only in case the value is changed. Each monitored item is configured on a subscription, each subscription is linked to a single OPC UA session. Most OPC UA implementations set many controls and limitations for excessive memory consumption. For example:
- What is the maximum allowed number of concurrent sessions
- For each active sessions - what is the maximum allowed number of concurrent subscription per a single session
- For each active subscription - what is the maximum allowed number of concurrent monitored items per a single subscription
Clarity Research discovered a unique way to bypass those restrictions and fill up the OPC UA server process memory.
The close session request closes a connected session. A deleteSubscription
flag is also sent in that message and determines whether the server should save the subscriptions for a future session reconnection or discard them upon session termination. If the deleteSubscription
flag is False
the server will store the subscriptions thus filling up the memory in an unlimited manner.
Sending multiple subscribe requests with multiple monitored items from multiple sessions will quickly fill up the process memory until the server crashes.
To trigger this bug all is needed is to create many sessions with subscriptions and monitored items without ever deleting the monitored items. Eventually these allocations will consume all the available process memory which will lead to a crash and denial of service condition.
Clarity PoC does:
while True:
Open a valid OPC UA session
Create multiple subscriptions
Add monitored items to each subscription
Close the session with the DeleteSubscriptions flag = False
Acknowledgement
We would like to thanks Vera Mens, Uri Katz, @sharonbrizinov of Team82 (Claroty Research) for this report.
For more information
If you have any questions or comments about this advisory:
- Open an issue in Eclipse Milo repository
- Email us at milo-dev
Impact
Denial of Service
Details
OPC UA specification describes a concept named Subscriptions. Subscriptions monitor a set of Monitored Items for Notifications and return them to the Client in response to Publish requests. The server notifies the client about changes only in case the value is changed. Each monitored item is configured on a subscription, each subscription is linked to a single OPC UA session. Most OPC UA implementations set many controls and limitations for excessive memory consumption. For example:
- What is the maximum allowed number of concurrent sessions
- For each active sessions - what is the maximum allowed number of concurrent subscription per a single session
- For each active subscription - what is the maximum allowed number of concurrent monitored items per a single subscription
Clarity Research discovered a unique way to bypass those restrictions and fill up the OPC UA server process memory.
The close session request closes a connected session. A deleteSubscription flag is also sent in that message and determines whether the server should save the subscriptions for a future session reconnection or discard them upon session termination. If the deleteSubscription flag is False the server will store the subscriptions thus filling up the memory in an unlimited manner.
Sending multiple subscribe requests with multiple monitored items from multiple sessions will quickly fill up the process memory until the server crashes.
To trigger this bug all is needed is to create many sessions with subscriptions and monitored items without ever deleting the monitored items. Eventually these allocations will consume all the available process memory which will lead to a crash and denial of service condition.
Clarity PoC does:
while True:
Open a valid OPC UA session
Create multiple subscriptions
Add monitored items to each subscription
Close the session with the DeleteSubscriptions flag = False
Acknowledgement
We would like to thanks Vera Mens, Uri Katz, @SharonBrizinov of Team82 (Claroty Research) for this report.
For more information
If you have any questions or comments about this advisory:
- Open an issue in Eclipse Milo repository
- Email us at milo-dev
References
- GHSA-fph9-f5r6-vhqf
- https://nvd.nist.gov/vuln/detail/CVE-2022-25897
- eclipse/milo#1030
- eclipse/milo#1031
- eclipse/milo@4534381
- https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191
Related news
Red Hat Security Advisory 2022-8902-01 - This release of Camel for Spring Boot 3.18.3 serves as a replacement for Camel for Spring Boot 3.14.2 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include a denial of service vulnerability.
A minor version update (from 3.14.5 to 3.18.3) is now available for Camel for Spring Boot. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25897: sdk-server: Denial of Service * CVE-2022-31684: reactor-netty-http: Log request headers in some cases of invalid HTTP requests * CVE-2022-42889: apache-commons-text: variable interpolation RCE
The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.