OTPulse

Schneider Electric OPC Factory Server Buffer Overflow

Low Risk · ICS-CERT ICSA-14-093-01 · Jan 4, 2014
Summary

Schneider Electric OPC Factory Server contains a buffer overflow vulnerability (CWE-122) in the OPC protocol handler. When a network client sends a malformed or oversized OPC request to the server, a buffer in memory can overflow, potentially crashing the OPC service or allowing arbitrary code execution. All versions of TLXCDS*OFS33 models (through V3.5) are affected. No vendor patch or firmware update is available.

What this means
What could happen
A buffer overflow in OPC Factory Server could allow an attacker to crash the service or execute arbitrary code on the system running it, potentially disrupting communication between engineering workstations and industrial devices in your network.
Who's at risk
Operators at energy utilities and industrial facilities using Schneider Electric OPC Factory Server for device communication and remote monitoring should evaluate their exposure. Affected products are legacy OPC servers (TLXCDS*OFS33 models) used to bridge engineering workstations to PLCs, RTUs, and other control devices via standard OPC protocol.
How it could be exploited
An attacker with network access to the OPC Factory Server port (typically 135/RPC or port 445) can send a specially crafted network packet containing oversized data that overflows a buffer in the server process. This could cause the service to crash or, in more sophisticated attacks, execute arbitrary commands with the privileges of the OPC server process.
Prerequisites
  • Network access to the OPC Factory Server (typically RPC ports 135, 139, 445 or OPC-specific ports)
  • No authentication required to trigger the buffer overflow
Tags: remotely exploitable · no authentication required · no patch available · low complexity
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (5)
All 5 are end of life (EOL).

Product        Affected Versions   Fix Status
TLXCDSTOFS33   <= V3.5             No fix (EOL)
TLXCDLUOFS33   <= V3.5             No fix (EOL)
TLXCDLTOFS33   <= V3.5             No fix (EOL)
TLXCDLFOFS33   <= V3.5             No fix (EOL)
TLXCDSUOFS33   <= V3.5             No fix (EOL)
Remediation & Mitigation
Do now
[HARDENING] Isolate OPC Factory Server from untrusted network segments using firewall rules; restrict access to only authorized engineering workstations and control system devices that require OPC connectivity
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

[HARDENING] Monitor network traffic to the OPC Factory Server for unusual connection patterns or oversized RPC/OPC requests
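The two controls above (an allowlist of engineering workstations and monitoring for oversized RPC/OPC requests) can be checked against flow records with a small script. This is an added example, not OTPulse or Schneider Electric code; the flow-log line format, the server address 10.10.5.10, the workstation allowlist and the 4096-byte request ceiling are assumptions to be replaced with site values.

```python
# Added example: flag flows to an OPC Factory Server that violate a workstation
# allowlist or carry oversized requests. Log format, addresses and threshold are assumed.
import re
from dataclasses import dataclass
from typing import Optional

OPC_PORTS = {135, 139, 445}                    # RPC/OPC ports named in the advisory
SERVER_IP = "10.10.5.10"                       # assumed OPC Factory Server address
ALLOWED_CLIENTS = {"10.10.5.21", "10.10.5.22"} # hypothetical engineering workstations
MAX_REQUEST_BYTES = 4096                       # assumed legitimate request ceiling; tune to baseline

# Constructed flow-log format: "<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> bytes=<n>"
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) bytes=(\d+)$")

@dataclass
class Alert:
    time: str
    src: str
    dst_port: int
    reason: str

def check_line(line: str) -> Optional[Alert]:
    """Return an Alert for one flow record, or None if the flow is acceptable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparsable record; a production parser would log it
    time, src, _sport, dst, dport, nbytes = m.groups()
    dport, nbytes = int(dport), int(nbytes)
    if dst != SERVER_IP or dport not in OPC_PORTS:
        return None  # not traffic to the OPC server's RPC/OPC ports
    if src not in ALLOWED_CLIENTS:
        return Alert(time, src, dport, "source not in engineering-workstation allowlist")
    if nbytes > MAX_REQUEST_BYTES:
        return Alert(time, src, dport, f"oversized request: {nbytes} bytes > {MAX_REQUEST_BYTES}")
    return None

def scan(lines):
    """Run check_line over an iterable of records and return the alerts raised."""
    return [a for a in (check_line(ln) for ln in lines) if a is not None]

# Constructed sample records, not captured traffic.
SAMPLE_LOG = [
    "2014-01-04T10:00:01 10.10.5.21:50123 -> 10.10.5.10:135 bytes=512",
    "2014-01-04T10:00:02 192.168.1.77:41000 -> 10.10.5.10:445 bytes=300",
    "2014-01-04T10:00:03 10.10.5.22:50124 -> 10.10.5.10:135 bytes=65000",
    "2014-01-04T10:00:04 10.10.5.22:50125 -> 10.10.5.30:80 bytes=70000",
]

for alert in scan(SAMPLE_LOG):
    print(f"{alert.time} {alert.src} -> port {alert.dst_port}: {alert.reason}")
```

Feed real flow or firewall logs through `scan` after adjusting `LINE_RE` to their format; the ordering of checks means an unauthorized source is reported before its request size is considered.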
Mitigations - no patch available
The following products have reached End of Life with no planned fix: TLXCDSTOFS33: <=V3.5, TLXCDLUOFS33: <=V3.5, TLXCDLTOFS33: <=V3.5, TLXCDLFOFS33: <=V3.5, TLXCDSUOFS33: <=V3.5. Apply the following compensating controls:
[HARDENING] Implement network segmentation so that OPC servers operate on a dedicated control network separate from corporate IT networks and the internet
[HARDENING] Evaluate replacing affected TLXCDS*OFS33 devices with newer Schneider Electric OPC solutions that have active vendor support and security updates
API: /api/v1/advisories/417a7927-138e-4c66-b34e-abf6b9fe6c89