OTPulse

Denial of Service in the OPC Foundation Local Discovery Server (LDS) in Industrial Products

Action: Plan Patch
Severity (CVSS base score): 7.5
Advisory: SSA-321292
Published: May 10, 2022
Attack Vector: Network
Authentication Required: None
Attack Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the OPC Foundation Local Discovery Server (LDS) component shipped with several Siemens industrial software products can cause a denial of service of the LDS service or of the host it runs on. The LDS is used by multiple applications to register OPC servers and to discover them on the network. An attacker with network access to the LDS port can send a specially crafted message that triggers a buffer overflow, crashing the service and preventing discovery of OPC endpoints. Affected products are SIMATIC NET PC Software V14 through V17, SIMATIC WinCC below V8.0, SIMATIC WinCC Runtime Professional below V18, SIMATIC WinCC Unified PC Runtime below V18 Update 1, SIMATIC Process Historian OPC UA Server below V2020 SP1, OpenPCS 7 V9.1, and TeleControl Server Basic below V3.1.1. Siemens has released fixes for all of these except OpenPCS 7 V9.1 and SIMATIC NET PC Software V15, which are end of life and will not be fixed.

What this means
What could happen
A denial of service in the OPC Local Discovery Server could crash the discovery service or the device it runs on, preventing other applications or clients from finding and communicating with OPC servers on the network. This can disrupt HMI systems, historian connections, and device-to-device discovery in process plants.
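Because the impact is a crash of the LDS service or its host, the quickest evidence that this weakness is being hit (or that a host is simply unstable) is an unexpected service termination in the Windows event logs. The following PowerShell script is an added example written for this page; it is not part of the Siemens advisory or of any Siemens or OPC Foundation tooling. It assumes the LDS is installed as a Windows service whose display name contains "Local Discovery Server" (the OPC Foundation package registers it that way; adjust `$DisplayPattern` otherwise) and reads the service's executable name from its registry ImagePath so that Application Error events can be matched as well.

```powershell
# Added example (not from the Siemens advisory or the OTPulse page): look for
# unexpected terminations of the OPC UA Local Discovery Server on this host.
# ASSUMPTION: the LDS runs as a Windows service whose display name matches
# $DisplayPattern; the pattern and the look-back window are placeholders.

$DisplayPattern = '*Local Discovery Server*'
$LookbackDays   = 7

$LdsService = Get-Service | Where-Object { $_.DisplayName -like $DisplayPattern } | Select-Object -First 1
if (-not $LdsService) {
    Write-Warning "No service matching '$DisplayPattern' found; the LDS may not be installed here."
    return
}
"Checking service '$($LdsService.DisplayName)' (name: $($LdsService.Name)), current status: $($LdsService.Status)"

$Since = (Get-Date).AddDays(-$LookbackDays)

# Service Control Manager writes 7031/7034 when a service terminates unexpectedly;
# the first inserted string of those events is the service display name.
$ScmCrashes = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034
        StartTime    = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $LdsService.DisplayName }

# Application Error 1000 names the faulting executable. Derive the executable
# name from the service registration (quoted path, unquoted path, or fallback).
$ImagePath = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$($LdsService.Name)" -ErrorAction SilentlyContinue).ImagePath
$ExePath   = if     ($ImagePath -match '^"([^"]+)"')     { $Matches[1] }
             elseif ($ImagePath -match '^(\S+\.exe)')    { $Matches[1] }
             else                                        { $ImagePath }
$ExeName   = if ($ExePath) { [System.IO.Path]::GetFileName($ExePath) }

$AppCrashes = @()
if ($ExeName) {
    $AppCrashes = Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Application Error'
            Id           = 1000
            StartTime    = $Since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -like "$ExeName*" }
}

# Merge both sources, drop empty results, and report in time order.
$Crashes = @(@($ScmCrashes) + @($AppCrashes) | Where-Object { $_ } | Sort-Object TimeCreated)
if ($Crashes.Count -eq 0) {
    "No LDS crash events in the last $LookbackDays days."
} else {
    "$($Crashes.Count) LDS crash event(s) in the last $LookbackDays days; correlate with firewall or IDS logs for TCP 4840/4841:"
    $Crashes | Select-Object TimeCreated, Id, @{n = 'Detail'; e = { $_.Properties[0].Value }} | Format-Table -AutoSize
}
```

A single crash is not proof of exploitation; a series of crashes that line up with new inbound connections on the LDS ports from an unexpected source is the pattern to look for.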
Who's at risk
Manufacturing facilities using Siemens SIMATIC NET PC Software, WinCC HMI systems, SIMATIC Process Historian, OpenPCS 7, or TeleControl Server Basic for plant monitoring, data collection, and device discovery. This affects any organization relying on OPC servers for process automation, historian data collection, or remote supervisory access.
How it could be exploited
An attacker with network access to the OPC Local Discovery Server (typically TCP port 4840 or 4841) can send a specially crafted message that triggers a buffer overflow, crashing the LDS service or the host device. No credentials or prior authentication are needed.
Prerequisites
  • Network access to the OPC Local Discovery Server port (typically 4840 or 4841)
  • No authentication required
  • Affected Siemens software running the OPC LDS component
Key characteristics:
  • Remotely exploitable over the network
  • No authentication required
  • Low complexity attack
  • Impact on network service availability
  • Affects OPC server discovery infrastructure
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (10)
8 with fix, 2 EOL
Product                                   Affected Versions                   Fixed Version
SIMATIC NET PC Software V14               All versions < V14 SP1 Update 14    V14 SP1 Update 14
SIMATIC NET PC Software V15               All versions                        No fix (EOL)
SIMATIC NET PC Software V16               All versions < V16 Update 6         V16 Update 6
SIMATIC NET PC Software V17               All versions < V17 SP1              V17 SP1
SIMATIC Process Historian OPC UA Server   All versions < V2020 SP1            V2020 SP1
SIMATIC WinCC                             All versions < V8.0                 V8.0
SIMATIC WinCC Runtime Professional        All versions < V18                  V18
SIMATIC WinCC Unified PC Runtime          All versions < V18 Update 1         V18 Update 1
OpenPCS 7 V9.1                            All versions                        No fix (EOL)
TeleControl Server Basic                  All versions < V3.1.1               V3.1.1
Remediation & Mitigation
Do now
Workaround: Restrict network access to the OPC LDS ports (TCP 4840, 4841) with firewall rules so that only authorized engineering workstations and operator terminals can reach them. This applies to every affected product, and it is the only available measure for the two end-of-life products that will not receive a fix.
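The affected products run on Windows hosts, so the workaround can be applied on the host itself with Windows Defender Firewall. The script below is an added example for this page, not part of the Siemens advisory or any Siemens product; the authorized host addresses and the rule name are placeholders chosen for the example. It shows the one detail that makes or breaks a port restriction on Windows: Block rules always win over Allow rules, so the scoped Allow rule only does its job when the profile default is Block and no broader Allow rule for the same ports remains enabled.

```powershell
# Added example (not from the Siemens advisory or the OTPulse page): limit
# inbound TCP 4840/4841 on an LDS host to named engineering/operator stations.
# Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

$LdsPorts        = @('4840', '4841')                     # ports named in the advisory text
$AuthorizedHosts = @('10.10.1.20', '10.10.1.21')         # ASSUMED addresses of engineering WS + operator terminal
$RuleName        = 'OPC LDS - authorized clients only'   # arbitrary name used by this example

# 1. Unsolicited inbound traffic must be dropped by default on every profile.
#    Windows Firewall evaluates Block rules before Allow rules, so do not try to
#    "block everyone else" with an extra Block rule: it would also block the
#    authorized stations. Rely on the default inbound action instead.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Disable any other enabled inbound Allow rule that opens the LDS ports
#    (product installers often add one that allows any remote address).
#    LocalPort may be a string or an array; port ranges such as '4800-4900'
#    do not match this pattern and must be reviewed by hand. Rules scoped by
#    program path with LocalPort 'Any' are not caught either; check those with
#    Get-NetFirewallApplicationFilter.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { @($_.LocalPort) -match '^484[01]$' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName } |
    ForEach-Object {
        Write-Host "Disabling broad allow rule: $($_.DisplayName)"
        $_ | Disable-NetFirewallRule
    }

# 3. Create (or recreate) the Allow rule scoped to the authorized stations.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}
New-NetFirewallRule -DisplayName $RuleName `
    -Description 'SSA-321292 workaround: OPC LDS reachable only from authorized stations' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $LdsPorts -RemoteAddress $AuthorizedHosts -Enabled True | Out-Null

# 4. Verify: the address filter of the new rule must list exactly the authorized hosts.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Host-based rules complement, and do not replace, the cell-level firewall between the automation network and the rest of the plant; apply the same port and source restriction there as well, and test from an unauthorized address that a connection to TCP 4840 is refused before relying on the rule.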
Schedule (requires maintenance window)

Patching may require device reboot — plan for process interruption

SIMATIC NET PC Software V14
Hotfix: Update SIMATIC NET PC Software V14 to SP1 Update 14 or later
SIMATIC NET PC Software V16
Hotfix: Update SIMATIC NET PC Software V16 to Update 6 or later
SIMATIC NET PC Software V17
Hotfix: Update SIMATIC NET PC Software V17 to SP1 or later
SIMATIC Process Historian OPC UA Server
Hotfix: Update SIMATIC Process Historian OPC UA Server to V2020 SP1 or later
SIMATIC WinCC
Hotfix: Update SIMATIC WinCC to V8.0 or later
Hotfix: Update SIMATIC WinCC Runtime Professional to V18 or later
Hotfix: Update SIMATIC WinCC Unified PC Runtime to V18 Update 1 or later
TeleControl Server Basic
Hotfix: Update TeleControl Server Basic to V3.1.1 or later