Beckhoff: DoS-Vulnerability for TwinCAT OPC UA Server and IPC Diagnostics UA Server

Priority: Monitor
CVSS: 5.3
Advisory: VDE-2020-051
Published: Apr 27, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

TwinCAT OPC UA Server and IPC Diagnostics UA Server from Beckhoff Automation are vulnerable to denial of service attacks via specially crafted OPC UA requests. Affected versions: TwinCAT OPC UA Server up to 2.3.0.12, IPC Diagnostics UA Server up to 3.1.0.1. When attacked, the OPC UA server becomes unresponsive to all clients, blocking remote diagnostics and monitoring. Real-time PLC control operations are not affected. IPC Diagnostics UA Server is pre-installed on Beckhoff IPCs; on Windows CE it is disabled by default, but on other Windows images it is enabled by default. TwinCAT OPC UA Server is pre-installed on some Beckhoff hardware and may be enabled by default.

What this means
What could happen
An attacker can send specially crafted OPC UA requests to crash the diagnostics or OPC UA server, making it unresponsive and preventing remote monitoring and diagnostics. Real-time PLC operations continue unaffected, but remote visibility into system health is lost.
Who's at risk
Beckhoff IPC (industrial PC) and embedded control devices using TwinCAT OPC UA Server or IPC Diagnostics UA Server. This affects industrial automation engineers and plant operators who rely on remote diagnostics and OPC UA-based SCADA monitoring for water treatment, pumping stations, electrical substations, and similar infrastructure.
How it could be exploited
An attacker with network access to the OPC UA server port (typically TCP 4840 or 4841) sends a sequence of specially crafted requests. After several requests, the server becomes unresponsive to all clients, effectively a denial of service. No authentication is required.
Prerequisites
  • Network access to the OPC UA server TCP port (commonly port 4840 or 4841)
  • OPC UA server (TwinCAT OPC UA Server or IPC Diagnostics UA Server) must be enabled and running
Risk factors
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No fix available for some versions
  • Affects monitoring and diagnostics visibility
Affected products (2), 2 EOL

| Product | Affected Versions | Fix Status |
| IPC Diagnostics UA Server | ≤ 3.1.0.1 | No fix (EOL) |
| TwinCAT OPC UA Server | ≤ 2.3.0.12 | No fix (EOL) |
Remediation & Mitigation
Do now
  • WORKAROUND: Disable the IPC Diagnostics UA Server service using: Stop-Service -Force -Name DevMgrSvr-UA and Set-Service -Name DevMgrSvr-UA -StartupType Disabled
  • HARDENING: Restrict network access to the OPC UA server TCP port using firewall rules to allow only trusted engineering and monitoring stations
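
The two "Do now" steps combined into one script, as an added example that is not part of the advisory and not Beckhoff code: it disables the service, adds a scoped allow rule for the OPC UA ports, then checks that no other firewall setting leaves those ports open. The trusted station addresses and the rule name are placeholders, and it assumes a Windows image that ships the NetSecurity firewall cmdlets (not Windows CE).

```powershell
#Requires -RunAsAdministrator
# Added example, not Beckhoff code. Assumes the NetSecurity cmdlets are present
# (Windows 8 / Server 2012 or later images; not Windows CE).
param(
    [string[]]$TrustedStations = @('192.0.2.10', '192.0.2.11'),  # constructed placeholders
    [int[]]$OpcUaPorts = @(4840, 4841),                          # ports named in the advisory
    [switch]$KeepDiagnosticsServer                               # skip the service workaround
)
$svcName  = 'DevMgrSvr-UA'                     # service name given in the advisory
$ruleName = 'OPC UA - trusted stations only'   # hypothetical rule name
# True when a firewall LocalPort spec ('Any', '4840', '4000-5000') covers one of $Ports.
function Test-PortMatch([string[]]$Spec, [int[]]$Ports) {
    foreach ($s in $Spec) {
        if ($s -eq 'Any') { return $true }
        $lo, $hi = $s -split '-'
        if (-not $hi) { $hi = $lo }
        if ($lo -notmatch '^\d+$' -or $hi -notmatch '^\d+$') { continue }  # keywords such as RPC
        if ($Ports | Where-Object { $_ -ge [int]$lo -and $_ -le [int]$hi }) { return $true }
    }
    return $false
}

# 1. Workaround: stop and disable the IPC Diagnostics UA Server.
if (-not $KeepDiagnosticsServer -and (Get-Service -Name $svcName -ErrorAction SilentlyContinue)) {
    Stop-Service -Force -Name $svcName
    Set-Service -Name $svcName -StartupType Disabled
}

# 2. Hardening: allow the OPC UA ports only from the trusted stations.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $OpcUaPorts -RemoteAddress $TrustedStations | Out-Null
}

# 3. Verify: a scoped allow rule only restricts access if inbound traffic is blocked by
#    default and no other enabled rule opens the same ports to any remote address.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' } |
    ForEach-Object { Write-Warning "Profile $($_.Name): firewall off or default inbound action is Allow" }
Get-NetFirewallRule | Where-Object {
    $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
    $_.DisplayName -ne $ruleName
} | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    if ($pf.Protocol -in 'TCP', 'Any' -and $af.RemoteAddress -contains 'Any' -and
        (Test-PortMatch $pf.LocalPort $OpcUaPorts)) {
        Write-Warning "Rule '$($_.DisplayName)' also allows the OPC UA ports from any address"
    }
}
```

Warnings from step 3 can include rules that are limited to a specific program; review those by hand before changing them.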
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update TwinCAT OPC UA Server and IPC Diagnostics UA Server to the latest available version through Beckhoff support or Windows update channels
  • HOTFIX: For CX8091 devices running Windows CE, update to firmware version CX8091_CE600_LF_v356f_TC211R3_B2306_v2 or later