Opto 22 PAC Control Basic and PAC Control Professional
Status: Plan Patch
Score: 8.4
Advisory: ICS-CERT ICSA-18-247-01
Published: Sep 4, 2018
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A buffer overflow condition exists in Opto 22 PAC Control Basic and Professional versions R10.0a and earlier. Successful exploitation could crash the application or allow arbitrary code execution on the engineering workstation running PAC Control, enabling an attacker to modify PLC logic and alter process parameters. The vulnerability requires local access to the workstation or the ability to inject malicious input into the application.
What this means
What could happen
A buffer overflow in Opto 22 PAC Control software could allow an attacker to run arbitrary code on the engineering workstation, potentially gaining control over PLC configuration, logic, and process setpoints.
Who's at risk
Organizations operating Opto 22 PAC Control systems for automation and process control should care—specifically engineering staff who use PAC Control Basic or Professional to configure and modify PLC logic. This includes water treatment facilities, power distribution systems, manufacturing plants, and any facility using Opto 22 controllers for critical operations.
How it could be exploited
An attacker with local access, or the ability to run malicious code on the engineering workstation hosting PAC Control, could trigger the buffer overflow condition and achieve code execution within the PAC Control application itself. This would give the attacker the ability to modify PLC logic and parameters.
Prerequisites
- Local access to the engineering workstation running PAC Control
- Ability to interact with PAC Control application or inject malicious input
- Vulnerable version R10.0a or earlier
Key points
- Buffer overflow vulnerability
- No patch available for affected versions
- Local access required, but workstation compromise is plausible
- Affects engineering/control workstations
Exploitability
Moderate exploit probability (EPSS 4.6%)
Affected products (2)
2 EOL
Product                                          | Affected Versions | Fix Status
-------------------------------------------------|-------------------|-------------
PAC Control Professional                         | ≤ R10.0a          | No fix (EOL)
PAC Control Basic Versions: R10.0a and prior     | ≤ R10.0a          | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict physical and network access to engineering workstations to authorized personnel only
WORKAROUND: If remote access to the engineering workstation is required, use a VPN with current security updates
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade PAC Control Basic and Professional to a version newer than R10.0a
Mitigations - no patch available
The following products have reached End of Life with no planned fix: PAC Control Professional, PAC Control Basic Versions: R10.0a and prior. Apply the following compensating controls:
HARDENING: Isolate engineering workstations running PAC Control from the business network and Internet using a firewall or network segmentation
CVEs (1)