OPC UA Products Built with the .NET Framework 4.5, 4.0, and 3.5

Monitor7.2ICS-CERT ICSA-21-133-04May 13, 2021

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

An information disclosure vulnerability exists in OPC UA applications built with the .NET Framework 3.5, 4.0, and 4.5. The flaw is rooted in Microsoft's .NET Framework implementation (CVE-2015-6096) and affects Unified Automation's OPC UA SDK Bundle versions 3.0.7 and earlier when compiled against these Framework versions. An unauthenticated attacker on the network can exploit this to read arbitrary files from the host system where the OPC UA application runs. Unified Automation has released a patched version (login required to access), and the OPC Foundation recommends upgrading to products built with .NET Framework 4.5.2 or later, or contacting the product supplier to determine if an update is available.

What this means

What could happen

An attacker could read sensitive files from the server hosting an affected OPC UA application, potentially exposing configuration data, credentials, or process information critical to your industrial operations.

Who's at risk

Water utilities, electric utilities, and other critical infrastructure operators using Unified Automation's OPC UA Client/Server SDK Bundle (version 3.0.7 or earlier built with .NET 3.5, 4.0, or 4.5) for supervisory control systems, historian servers, or engineering workstations communicating with PLCs and RTUs.

How it could be exploited

An attacker on the network can send specially crafted requests to an OPC UA server or client built with vulnerable .NET Framework versions (3.5, 4.0, 4.5) to read arbitrary files from the host system without needing to authenticate.

Prerequisites

Network access to the OPC UA server port (typically 4840 or configured port)
OPC UA application built with .NET Framework 3.5, 4.0, or 4.5
No authentication required

Remotely exploitableNo authentication requiredLow complexity attackInformation disclosure (file access)Affects third-party libraries in control system softwareNo patch available for affected .NET Framework versions

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (1)

ProductAffected VersionsFix Status

Unified Automation .NET based OPC UA Client/Server SDK Bundle:≤ 3.0.7 (.NET 4.5 4.0 and 3.5 Framework versions only)No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDRestrict network access to OPC UA servers using firewall rules to allow only authorized engineering workstations and systems

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXContact Unified Automation to obtain the patched version of their OPC UA SDK (login required to access download)

HOTFIXIf available, upgrade to a product version using .NET Framework 4.5.2 or later, which is not vulnerable to this issue

Mitigations - no patch available

0/2

Unified Automation .NET based OPC UA Client/Server SDK Bundle: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate control system networks containing OPC UA products from internet-accessible networks and business networks

HARDENINGDecommission and replace any OPC UA products using end-of-life .NET Framework versions if vendor patches cannot be obtained

CVEs (1)

CVE-2021-27434

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/64e28053-16f0-452b-84c2-cf4c499344fa