OTPulse

SCADA Engine BACnet OPC Server Vulnerabilities

Risk: Low
Source: ICS-CERT ICSA-15-069-03
Date: Dec 11, 2015
Summary

SCADA Engine BACnet OPC Server (version 2.1.359.22 and earlier) contains authentication and input validation weaknesses in the BACnet protocol handler (CWE-287, CWE-20) and a buffer overflow vulnerability (CWE-122). These flaws allow unauthenticated attackers to read or write BACnet object data through the OPC Server interface without proper validation, potentially enabling unauthorized access to and modification of building automation parameters.

What this means
What could happen
Attackers could read or write BACnet data through the OPC Server without proper authentication, potentially allowing unauthorized changes to HVAC setpoints, sensor readings, or building controls in energy facilities.
Who's at risk
Energy sector operators using SCADA Engine OPC Server for building automation and HVAC control. This affects facilities that rely on the OPC Server to interface with BACnet networks, including power plants, utility control centers, and building management systems.
How it could be exploited
An attacker with network access to the OPC Server could send unauthenticated BACnet protocol requests to read or modify building automation parameters. No valid credentials are required if the server accepts BACnet clients directly.
Prerequisites
  • Network access to the OPC Server port (typically 502 for BACnet/IP or OPC port)
  • No authentication credentials typically required
Tags: no authentication required, remotely exploitable, no patch available, affects building automation and control systems
Exploitability
Moderate exploit probability (EPSS 1.9%)
Affected products (1)
Product       Affected Versions   Fix Status
OPC Server    ≤ 2.1.359.22        No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Deploy firewall rules to allow only authorized clients to communicate with the OPC Server on BACnet/OPC ports
  • HARDENING: Monitor all BACnet and OPC traffic for unusual read/write patterns or clients connecting from unexpected network locations
  • WORKAROUND: If possible, disable BACnet direct access and require all connections through authenticated OPC clients only
Mitigations - no patch available
OPC Server ≤ 2.1.359.22 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Implement network segmentation to restrict access to the OPC Server from only trusted engineering workstations and building automation systems
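As an added example (not part of the advisory or the vendor's product), the traffic-monitoring and segmentation controls above applied to a constructed BACnet access log: each line is parsed, writes from hosts outside the engineering-workstation subnet and any traffic from outside the building-automation range are flagged, and sources exceeding a write threshold are reported as unusual write patterns. The log format, subnets and threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (not from the advisory or any real product).
# Assumed line format: "<ts> src=<client ip> svc=<BACnet service> obj=<object>"
SAMPLE_LOG = """\
2015-12-11T08:00:01Z src=10.10.1.5 svc=ReadProperty obj=analog-input,1
2015-12-11T08:00:02Z src=10.10.1.5 svc=WriteProperty obj=analog-value,3
2015-12-11T08:00:05Z src=10.10.9.77 svc=ReadProperty obj=device,100
2015-12-11T08:00:06Z src=10.10.9.77 svc=WriteProperty obj=analog-value,3
2015-12-11T08:00:07Z src=192.0.2.44 svc=WriteProperty obj=analog-value,3
2015-12-11T08:00:08Z src=192.0.2.44 svc=WritePropertyMultiple obj=binary-output,2
2015-12-11T08:00:09Z src=10.10.1.5 svc=WriteProperty obj=analog-value,4
"""
# Assumed trust model (placeholder networks): only engineering workstations may
# write; other building-automation hosts may read; anything else is untrusted.
TRUSTED_WRITERS = [ipaddress.ip_network("10.10.1.0/24")]
TRUSTED_READERS = [ipaddress.ip_network("10.10.0.0/16")]
WRITE_SERVICES = {"WriteProperty", "WritePropertyMultiple"}
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) svc=(?P<svc>\S+) obj=(?P<obj>\S+)$")

def parse_line(line):
    """Return a dict for a well-formed line, else None (malformed lines are skipped)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec

def in_any(ip, networks):
    return any(ip in net for net in networks)

def audit(log_text, max_writes=1):
    """Flag writes from non-writer hosts, any traffic from untrusted hosts,
    and sources whose write count in this window exceeds max_writes."""
    unauthorized_writes, untrusted_clients, writes = [], [], Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        src, ts = rec["src"], rec["ts"]
        if not in_any(src, TRUSTED_READERS):
            untrusted_clients.append((ts, str(src)))
        if rec["svc"] in WRITE_SERVICES:
            writes[str(src)] += 1
            if not in_any(src, TRUSTED_WRITERS):
                unauthorized_writes.append((ts, str(src), rec["obj"]))
    bursts = {s: n for s, n in writes.items() if n > max_writes}
    return {"unauthorized_writes": unauthorized_writes,
            "untrusted_clients": untrusted_clients, "write_bursts": bursts}
```

Feeding real OPC Server or BACnet gateway logs only requires adapting LINE_RE and the two network lists to the site's own format and segmentation plan.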