Open Automation Software OPC Systems NET DLL Hijacking Vulnerability
Monitor | 7.2 | ICS-CERT ICSA-15-344-02 | Sep 12, 2015
Attack Vector: Local
Auth Required: High
Complexity: High
User Interaction: Required
Summary
OPC Systems.NET versions 8.00.0023 and earlier contain a DLL hijacking vulnerability (CWE-427). An attacker with local access to the engineering workstation and appropriate file system permissions could replace legitimate DLL files loaded by the OPC application with malicious versions, allowing arbitrary code execution in the context of the OPC process. This could disrupt communications with field devices or alter process data being passed through the OPC interface.
What this means
What could happen
An attacker with local access and engineering credentials could hijack DLL files used by OPC Systems.NET to execute malicious code with the same privileges as the OPC application, potentially disrupting communication with industrial control devices or altering process data.
Who's at risk
Any organization using OPC Systems.NET for supervisory control or data acquisition (SCADA) applications, especially utilities (electric, water, gas) and manufacturing facilities that rely on OPC for real-time communication with programmable logic controllers (PLCs), remote terminal units (RTUs), or other field devices.
How it could be exploited
An attacker with local administrative or engineering workstation access could replace legitimate DLL files that OPC Systems.NET loads at runtime with malicious versions. When the OPC application starts or during operation, it loads the compromised DLL and executes the attacker's code in the context of the OPC process.
Prerequisites
- Local access to the engineering workstation or server running OPC Systems.NET
- Ability to write to the filesystem directories from which the OPC application loads DLLs (typically application installation or system directories)
- Engineering workstation or administrative credentials
- User interaction: OPC application must be restarted or must load the hijacked DLL during normal operation
- no patch available
- local attack vector only
- high privilege requirement (administrative or engineering credentials)
- requires user interaction or specific conditions
- affects supervisory software that controls industrial processes
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
OPC Systems.NET: <=8.00.0023 | ≤ 8.00.0023 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Restrict file system write permissions on OPC Systems.NET installation directories and system library folders to authorized users only (e.g., only system administrators and OPC service accounts)
- HARDENING: Restrict local access to engineering workstations through physical security controls and account access policies
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor file integrity of OPC application directories using host-based integrity checking tools
Long-term hardening
- WORKAROUND: Evaluate upgrading to a maintained OPC solution or alternative if OPC Systems.NET will not receive security updates
Mitigations - no patch available
OPC Systems.NET: <=8.00.0023 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Implement application whitelisting or code signing verification on engineering workstations to ensure only legitimate DLLs are loaded
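One way to implement the file integrity monitoring recommended above, as an added example that is not part of the original advisory or any vendor tooling: it baselines SHA-256 hashes of DLL and EXE files under an install directory and reports files that were replaced, added or removed. The file names and directory layout used in `demo()` are constructed, and the watched-extension list is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions treated as loadable code; an assumption of this example.
WATCHED = {".dll", ".exe"}

def snapshot(root):
    """Map each watched file's relative path (lower-cased) to its SHA-256."""
    root = Path(root)
    result = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in WATCHED:
            # Windows paths are case-insensitive, so normalise the key.
            rel = p.relative_to(root).as_posix().lower()
            result[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return result

def compare(baseline, current):
    """Return files added, modified or removed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed demo: build a fake install tree, baseline it, alter it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "App.exe").write_bytes(b"application")        # constructed
        (root / "bin" / "Driver.dll").write_bytes(b"driver v1")
        (root / "bin" / "Helper.dll").write_bytes(b"helper")
        baseline = snapshot(root)
        # Changes a monitor should flag: a replaced DLL, a DLL that was not
        # part of the install, and a DLL that has gone missing.
        (root / "bin" / "Driver.dll").write_bytes(b"driver altered")
        (root / "Unexpected.dll").write_bytes(b"not in baseline")
        (root / "bin" / "Helper.dll").unlink()
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

In practice the baseline should be taken from a known-good install and stored where accounts on the workstation cannot write to it.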
CVEs (1)