Prosys OPC UA Simulation Server (Update A)

Monitor6.5ICS-CERT ICSA-22-349-01Dec 15, 2022

Attack VectorLocal

Auth RequiredHigh

ComplexityLow

User InteractionRequired

Summary

Prosys OPC UA Simulation Server (versions before 5.3.0-64) and UA Modbus Server (version 1.4.18-5 and prior) store credentials in an insecure manner, allowing attackers with local access to the workstation to read and obtain system credentials. This vulnerability affects OPC UA systems used in industrial environments for data exchange and integration. The vulnerability has a CVSS score of 6.5 and is classified as CWE-522 (Insufficiently Protected Credentials).

What this means

What could happen

An attacker with local access to a workstation running OPC UA Simulation Server or UA Modbus Server could extract stored credentials and gain unauthorized access to the OPC UA system, potentially allowing modification of industrial data or process parameters.

Who's at risk

This affects organizations running Prosys OPC UA Simulation Server or UA Modbus Server on engineering workstations or test systems. OPC UA is widely used in manufacturing, utilities (water and electric), and process facilities for real-time data exchange between PLCs, SCADA systems, and human-machine interfaces. Organizations using these products for development, simulation, or integration testing are at risk.

How it could be exploited

An attacker with local access to a machine running the affected server software can read unencrypted or weakly protected credential data from the application's storage. No network attack is required; this is a local privilege escalation or credential extraction vulnerability. The attacker must be able to interact with the workstation (requires admin or user-level access) and physically access or gain authenticated access to the machine.

Prerequisites

Local access to the workstation running UA Simulation Server or UA Modbus Server
High privileges (administrative or user account with access to application storage)
User interaction required (user must be logged in or application running

No patch available (end-of-life products)Requires local access to workstationAffects credentials and system data confidentialityDefault or weak credential storage mechanisms

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (2)

2 EOL

ProductAffected VersionsFix Status

UA Simulation Server< 5.3.0-64No fix (EOL)

UA Modbus Server 1.4.18-5 and prior≤ 1.4.18-5No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDIf remote access to OPC UA servers is required, use VPN with the latest security patches and strong authentication

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

UA Simulation Server

HARDENINGRestrict physical and logical access to workstations running UA Simulation Server or UA Modbus Server to authorized engineering personnel only

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: UA Simulation Server, UA Modbus Server 1.4.18-5 and prior. Apply the following compensating controls:

HARDENINGIsolate OPC UA servers from direct Internet access and restrict network access to trusted engineering workstations and automation systems only

HARDENINGDeploy network segmentation: place OPC UA servers behind a firewall and separate from the business/office network

CVEs (1)

CVE-2022-2967

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1bc5cbc0-25b7-412b-b45f-cb9ae5b382de