Beckhoff: DoS-Vulnerability for TwinCAT OPC UA Server and IPC Diagnostics UA Server

MonitorCVSS 5.3VDE-2020-051Apr 27, 2021

Beckhoff

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

TwinCAT OPC UA Server and IPC Diagnostics UA Server from Beckhoff Automation are vulnerable to denial of service attacks via specially crafted OPC UA requests. Affected versions: TwinCAT OPC UA Server up to 2.3.0.12, IPC Diagnostics UA Server up to 3.1.0.1. When attacked, the OPC UA server becomes unresponsive to all clients, blocking remote diagnostics and monitoring. Real-time PLC control operations are not affected. IPC Diagnostics UA Server is pre-installed on Beckhoff IPCs; on Windows CE it is disabled by default, but on other Windows images it is enabled by default. TwinCAT OPC UA Server is pre-installed on some Beckhoff hardware and may be enabled by default.

What this means

What could happen

An attacker can send specially crafted OPC UA requests to crash the diagnostics or OPC UA server, making it unresponsive and preventing remote monitoring and diagnostics. Real-time PLC operations continue unaffected, but remote visibility into system health is lost.

Who's at risk

Beckhoff IPC (industrial PC) and embedded control devices using TwinCAT OPC UA Server or IPC Diagnostics UA Server. This affects industrial automation engineers and plant operators who rely on remote diagnostics and OPC UA-based SCADA monitoring for water treatment, pumping stations, electrical substations, and similar infrastructure.

How it could be exploited

An attacker with network access to the OPC UA server port (typically TCP 4840 or 4841) sends a sequence of specially crafted requests. After several requests, the server becomes unresponsive to all clients, effectively a denial of service. No authentication is required.

Prerequisites

Network access to the OPC UA server TCP port (commonly port 4840 or 4841)
OPC UA server (TwinCAT OPC UA Server or IPC Diagnostics UA Server) must be enabled and running

Remotely exploitableNo authentication requiredLow complexity attackNo fix available for some versionsAffects monitoring and diagnostics visibility

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (2)

2 EOL

ProductAffected VersionsFix Status

IPC Diagnostics UA Server <=3.1.0.1≤ 3.1.0.1No fix (EOL)

TwinCAT OPC UA Server <=2.3.0.12≤ 2.3.0.12No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDDisable the IPC Diagnostics UA Server service using: Stop-Service -Force -Name DevMgrSvr-UA and Set-Service -Name DevMgrSvr-UA -StartupType Disabled

HARDENINGRestrict network access to the OPC UA server TCP port using firewall rules to allow only trusted engineering and monitoring stations

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate TwinCAT OPC UA Server and IPC Diagnostics UA Server to the latest available version through Beckhoff support or Windows update channels

HOTFIXFor CX8091 devices running Windows CE, update to firmware version CX8091_CE600_LF_v356f_TC211R3_B2306_v2 or later

CVEs (1)

CVE-2020-12526

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8b102bf3-db8c-4878-8726-d4baa1ea10ef

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.