Honeywell OPC UA Tunneller
Act Now | CVSS 9.8 | ICS-CERT ICSA-21-021-03 | Jan 21, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Honeywell Matrikon OPC UA Tunneller versions before 6.3.0.8233 contain buffer overflow and input validation vulnerabilities (CWE-122, CWE-125, CWE-754, CWE-400) that allow remote code execution, information disclosure, or denial of service. An attacker can exploit these flaws over the network without credentials to compromise the integrity of industrial communications, execute arbitrary commands, or crash the service.
What this means
What could happen
An attacker with network access to OPC UA Tunneller could execute arbitrary code on the device, disclose sensitive information like process data or credentials, or crash it and disrupt communications between control systems and historians/SCADA applications.
Who's at risk
Organizations running Honeywell Matrikon OPC UA Tunneller in manufacturing plants, water utilities, electric utilities, and any facility using OPC UA to bridge legacy control systems with modern historians or SCADA platforms should treat this as critical. Any facility where OPC UA Tunneller connects PLCs, RTUs, or historians to enterprise systems is affected.
How it could be exploited
An attacker sends a specially crafted network request to the OPC UA Tunneller service (typically port 4840 or configured OPC UA port). The vulnerable code fails to properly validate input or manage memory, allowing code execution or information disclosure without requiring authentication or user interaction.
Prerequisites
- Network reachability to OPC UA Tunneller service port
- No authentication required
Tags: remotely exploitable, no authentication required, low complexity, high CVSS (9.8), no patch available, affects industrial communications
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
OPC UA Tunneller: All | < 6.3.0.8233 | 6.3.0.8233
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to OPC UA Tunneller to only authorized engineering workstations and SCADA/historian servers; block access from the business network and Internet
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade Honeywell Matrikon OPC UA Tunneller to version 6.3.0.8233 or later
Long-term hardening
- HARDENING: Place OPC UA Tunneller behind a firewall and isolate the control system network from the business network and Internet
- HARDENING: Implement secure remote access (VPN) if remote engineering access is required, and keep VPN software updated
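To verify the workaround and the upgrade, the following added example (not part of the advisory and not Honeywell code) flags flows to the OPC UA port from sources outside an allowlist and checks an installed version against the fixed build. The allowlist, the flow-log format and all addresses are constructed assumptions; port 4840 and version 6.3.0.8233 come from the advisory.

```python
import ipaddress

FIXED_VERSION = (6, 3, 0, 8233)   # first fixed build per the advisory
OPC_UA_PORT = 4840                # typical port; change if configured differently

# Constructed allowlist: engineering workstation subnet and one historian host.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.1.0/28", "10.20.5.10/32")]

# Constructed flow records: "timestamp src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
2021-01-22T08:00:01Z 10.20.1.5 10.20.9.40 4840 ALLOW
2021-01-22T08:00:07Z 10.20.5.10 10.20.9.40 4840 ALLOW
2021-01-22T08:01:13Z 192.168.50.23 10.20.9.40 4840 ALLOW
2021-01-22T08:02:44Z 10.20.1.5 10.20.9.40 3389 ALLOW
2021-01-22T08:03:02Z 203.0.113.77 10.20.9.40 4840 DENY
malformed line
"""

def is_vulnerable(version: str) -> bool:
    """True if a dotted version string is older than the fixed build."""
    parts = tuple(int(p) for p in version.strip().split("."))
    # Pad short versions such as "6.3" so the tuple comparison is well defined.
    parts += (0,) * (len(FIXED_VERSION) - len(parts))
    return parts < FIXED_VERSION

def unauthorized_flows(log_text, allowed=ALLOWED_SOURCES, port=OPC_UA_PORT):
    """Return (timestamp, src, action) for flows to the port from outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records instead of failing
        ts, src, _dst, dport, action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            if int(dport) != port:
                continue
        except ValueError:
            continue
        if not any(src_ip in net for net in allowed):
            findings.append((ts, src, action))
    return findings

if __name__ == "__main__":
    for ts, src, action in unauthorized_flows(SAMPLE_FLOWS):
        print(f"{ts} {src} reached port {OPC_UA_PORT}: {action}")
    print("6.2.0.7000 vulnerable:", is_vulnerable("6.2.0.7000"))
```

An ALLOW finding means the access restriction is not yet effective for that source; a DENY finding shows the firewall working but is still worth reviewing as an unexpected connection attempt.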
API:
/api/v1/advisories/dba08d96-71f7-4d72-9694-fb645e652540