Unified Automation OPC SDK OpenSSL Vulnerability

Act NowICS-CERT ICSA-14-135-04Feb 15, 2014

Summary

Unified Automation OPC UA SDK versions 1.4.0 for Windows (both C++ and ANSI C variants) contain an OpenSSL vulnerability (CWE-119: buffer over-read). The vulnerability is in the embedded OpenSSL library used by the SDK. This affects any application built with or linking against these SDK versions.

What this means

What could happen

An attacker could exploit this vulnerability to read sensitive data from memory or cause a denial of service in OPC UA client or server applications. If your SCADA, HMI, or engineering workstations use this SDK, they may be compromised.

Who's at risk

This affects operators and engineers at utilities and manufacturing facilities who use OPC UA applications built with the vulnerable Unified Automation SDK v1.4.0_Windows. This includes SCADA systems, HMI software, OPC UA clients, data historians, and engineering workstations used for device configuration. Any custom application or third-party software that links against this specific SDK version is vulnerable.

How it could be exploited

An attacker with network access to an OPC UA application built with the vulnerable SDK can send a specially crafted message over the network that triggers a buffer over-read in the OpenSSL library. This allows the attacker to read arbitrary memory contents or crash the application.

Prerequisites

Network access to the OPC UA server or client port (typically 4840 for OPC UA)
OPC UA application must be running and built with the vulnerable Unified Automation SDK v1.4.0_Windows

actively exploited (KEV)remotely exploitableno patch availablehigh EPSS score (94.5%)affects process control systems

Exploitability

Actively exploited — confirmed by CISA KEV

Affected products (2)

2 EOL

ProductAffected VersionsFix Status

C++ based OPC UA SDK: V1.4.0_WindowsV1.4.0 WindowsNo fix (EOL)

ANSI C based OPC UA SDK: V1.4.0_WindowsV1.4.0 WindowsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGIdentify all systems using Unified Automation OPC UA SDK v1.4.0_Windows (C++ or ANSI C) - check engineering workstations, HMI systems, and SCADA gateways for applications linked to this SDK

WORKAROUNDRestrict network access to OPC UA ports (typically 4840) at the firewall - only allow connections from trusted engineering networks and never expose OPC UA ports directly to the internet

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXDo not use Unified Automation OPC UA SDK v1.4.0_Windows for new development or deployments; migrate to a newer SDK version from Unified Automation or an alternative OPC UA library

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: C++ based OPC UA SDK: V1.4.0_Windows, ANSI C based OPC UA SDK: V1.4.0_Windows. Apply the following compensating controls:

HARDENINGMonitor network traffic to OPC UA applications for suspicious connection attempts or malformed messages

CVEs (1)

CVE-2014-0160

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3216c779-7937-43a5-876d-5862b2a7d21b