OTPulse

Unitronics UNIOPC Server Input Handling Vulnerability

Low Risk · ICS-CERT ICSA-11-279-03A · Jul 9, 2011
Summary

Unitronics UniOPC Server versions prior to 2.0.0 contain an input handling vulnerability (CWE-20) that could allow an unauthenticated remote attacker to cause a denial of service or trigger unintended code execution by sending malformed input to the server. The vulnerability stems from improper validation of incoming data packets.

What this means
What could happen
An attacker could send malformed input to the UniOPC Server to cause a denial of service or potentially execute code, disrupting OPC connectivity that other systems depend on for real-time process data and control.
Who's at risk
Water utilities, electric utilities, and other process manufacturers using Unitronics UniOPC Server (versions before 2.0.0) for real-time data exchange with SCADA systems, historian systems, or other supervisory control software should assess their exposure. This affects any facility relying on OPC connectivity from a UniOPC gateway.
How it could be exploited
An attacker with network access to the UniOPC Server port could send specially crafted input data that exploits improper input handling. The server would process this malformed data unsafely, potentially crashing the service or allowing code execution.
Prerequisites
  • Network access to UniOPC Server listening port
  • No authentication required
Tags: remotely exploitable · no authentication required · input validation flaw · no patch available · end-of-life product
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (1)
Product | Affected Versions | Fix Status
Unitronics UniOPC: <2.0.0. | <2.0.0. | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network-layer access controls to restrict connections to the UniOPC Server to only authorized engineering workstations and control systems that require OPC connectivity
HARDENING: Deploy a firewall rule limiting network access to UniOPC Server by source IP address, VLAN, or network segment
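
One way to verify that the two controls above are actually holding, shown as an added example that is not part of the original advisory: audit firewall flow records for connections to the UniOPC Server host from sources outside the authorized list. The server address, authorized segments, log format and all sample records (including ports) are constructed assumptions.

```python
import ipaddress

# Assumed values for illustration only (not taken from the advisory).
UNIOPC_HOST = ipaddress.ip_address("10.20.0.15")
AUTHORIZED_SOURCES = [
    ipaddress.ip_network("10.20.0.32/28"),  # engineering workstation segment
    ipaddress.ip_network("10.20.1.10/32"),  # historian
]

# Constructed flow records: "timestamp src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
2024-01-01T08:00:01Z 10.20.0.33 10.20.0.15 135 ALLOW
2024-01-01T08:00:05Z 10.20.1.10 10.20.0.15 49152 ALLOW
2024-01-01T08:02:11Z 192.168.50.7 10.20.0.15 135 ALLOW
2024-01-01T08:02:12Z 192.168.50.7 10.20.0.15 135 DENY
2024-01-01T08:03:00Z 10.20.0.40 10.20.0.99 502 ALLOW
malformed line
2024-01-01T08:04:00Z 10.20.0.48 10.20.0.15 135 ALLOW
"""

def audit_flows(text):
    """Classify flows to the UniOPC host that come from non-authorized sources.

    'violations' were allowed through (a gap in the access control);
    'blocked' were denied (the rule worked, but someone tried);
    'unparsed' counts lines that could not be read, so gaps are not silent.
    """
    result = {"violations": [], "blocked": [], "unparsed": 0}
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ts, src, dst, port, action = line.split()
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            dport = int(port)
        except ValueError:
            result["unparsed"] += 1
            continue
        if dst_ip != UNIOPC_HOST:
            continue  # traffic to other hosts is out of scope here
        if any(src_ip in net for net in AUTHORIZED_SOURCES):
            continue  # authorized OPC client
        bucket = "violations" if action.upper() == "ALLOW" else "blocked"
        result[bucket].append((ts, src, dport))
    return result

if __name__ == "__main__":
    print(audit_flows(SAMPLE_FLOWS))
```

Any entry under violations means the source-IP restriction has a gap; the check matches on destination host rather than port so it does not depend on knowing which port the server listens on.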
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor UniOPC Server logs and process health for unexpected crashes or anomalous behavior
Mitigations - no patch available
Unitronics UniOPC: <2.0.0. has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Evaluate migration to a newer version of Unitronics software or replacement with a supported OPC server implementation