Beckhoff: Stack Overflow and XXE vulnerability in various OPC UA products

Advisory: VDE-2021-008
CVSS score: 7.5
Date: Oct 21, 2024
Attack vector: Network
Authentication required: None
Complexity: Low
User interaction: None needed
Summary

TwinCAT OPC UA products contain a stack overflow vulnerability and an XXE (XML external entity) vulnerability in the OPC UA protocol handler. An attacker who can reach the handler over the network can send unauthenticated OPC UA packets that crash the product (denial of service) or, via the XXE, disclose sensitive information from process configuration or process data. The affected products are the OPC UA Client System Manager Extension, the OPC UA Configurator (Standalone and Visual Studio variants), the OPC UA Sample Client, the Scope Server, and the Target Browser OPC UA Extension, across the TF6100, TF3300, TS6100, and TF6720 product families.

What this means
What could happen
An attacker on the network can crash TwinCAT OPC UA tools without credentials, causing temporary loss of engineering or monitoring functions. Through the XXE, they can also extract sensitive information from the process or configuration data that the affected product can reach over OPC UA.
Who's at risk
Manufacturing and automation facilities running Beckhoff TwinCAT engineering tools. Specifically: engineers and automation technicians who use the TwinCAT OPC UA clients and configurators for PLC/controller programming and monitoring; operators who use the Target Browser for device visibility; and anyone running the TwinCAT Scope Server for real-time diagnostics. In practice this means Beckhoff industrial PC controllers and engineering workstations with TF6100, TF3300, TS6100, or TF6720 products installed.
How it could be exploited
An attacker sends specially crafted OPC UA protocol packets over the network to a TwinCAT OPC UA client or server. The packets are processed before any session or user authentication, so no credentials and no user interaction are needed. The stack overflow makes the affected tool crash; the XXE makes its XML parser resolve an attacker-supplied external entity, so the attacker can read data the affected process can reach, such as process configuration or data on the engineering workstation or controller.
Prerequisites
  • Network connectivity to the OPC UA port of the affected TwinCAT product (TCP 4840 by default, or whatever custom port is configured)
  • The product running with its OPC UA client or server functionality enabled
Key facts
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • High CVSS score (7.5)
  • Affects both availability and confidentiality
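The prerequisite above is reachability of the OPC UA port, and the protocol's first exchange (Hello / Acknowledge) happens before any session or credentials exist. The following PowerShell function is an added example, not code from the advisory, from Beckhoff or from OTPulse: it sends a standards-conformant OPC UA TCP Hello to an endpoint and decodes the Acknowledge, so you can confirm from a given network position whether the protocol handler of an affected product is exposed there, before and after applying the network workaround. The target address, port and endpoint URL are assumptions for illustration.

```powershell
# Added example (not from the advisory or from Beckhoff): sends the unauthenticated
# OPC UA TCP Hello message to an endpoint and decodes the Acknowledge reply. A reply
# means the OPC UA protocol handler is reachable from this host before any session
# or credentials exist, which is the exposure the advisory describes.
# Host, port and endpoint URL are assumptions for illustration.

function Read-Exactly([System.IO.Stream]$Stream, [byte[]]$Buffer) {
    # Fill $Buffer completely (TCP may deliver a message in several reads); returns bytes read.
    $got = 0
    while ($got -lt $Buffer.Length) {
        $n = $Stream.Read($Buffer, $got, $Buffer.Length - $got)
        if ($n -le 0) { break }
        $got += $n
    }
    return $got
}

function Test-OpcUaHello {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 4840,        # OPC UA default port named in the advisory
        [int]$TimeoutMs = 3000
    )
    $endpointUrl = "opc.tcp://${ComputerName}:${Port}"
    $urlBytes    = [System.Text.Encoding]::UTF8.GetBytes($endpointUrl)

    # Hello body (OPC UA Part 6): ProtocolVersion, ReceiveBufferSize, SendBufferSize,
    # MaxMessageSize, MaxChunkCount as little-endian UInt32 (0 = no limit for the last
    # two), then EndpointUrl as Int32 length + UTF-8 bytes.
    $body = [System.Collections.Generic.List[byte]]::new()
    foreach ($v in @(0, 65536, 65536, 0, 0)) {
        $body.AddRange([System.BitConverter]::GetBytes([uint32]$v))
    }
    $body.AddRange([System.BitConverter]::GetBytes([int32]$urlBytes.Length))
    $body.AddRange($urlBytes)

    # Message header: type "HEL", chunk type "F" (final), total length incl. this 8-byte header
    $msg = [System.Collections.Generic.List[byte]]::new()
    $msg.AddRange([System.Text.Encoding]::ASCII.GetBytes('HELF'))
    $msg.AddRange([System.BitConverter]::GetBytes([uint32]($body.Count + 8)))
    $msg.AddRange($body)

    $result = [ordered]@{ Host = $ComputerName; Port = $Port; Reachable = $false; Reply = $null }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Reply = 'connect timeout'
            return [pscustomobject]$result
        }
        $client.EndConnect($async)
        $result.Reachable = $true          # TCP port open: the handler is exposed to this host
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $stream.Write($msg.ToArray(), 0, $msg.Count)

        $hdr = New-Object byte[] 8
        if ((Read-Exactly $stream $hdr) -ne 8) { $result.Reply = 'no reply'; return [pscustomobject]$result }
        $type = [System.Text.Encoding]::ASCII.GetString($hdr, 0, 3)
        $size = [System.BitConverter]::ToUInt32($hdr, 4)
        # Bound the peer-announced length before allocating; trusting it blindly is the
        # kind of parsing mistake that turns a protocol handler into a crash target.
        if ($size -lt 8 -or $size -gt 4096) {
            $result.Reply = "malformed reply ($type, announced size $size)"
            return [pscustomobject]$result
        }
        $rest = New-Object byte[] ([int]$size - 8)
        $got  = Read-Exactly $stream $rest
        if ($type -eq 'ACK' -and $got -ge 20) {
            # Acknowledge body: the same five UInt32 fields the server chose for this connection
            $result.Reply             = 'ACK'
            $result.ProtocolVersion   = [System.BitConverter]::ToUInt32($rest, 0)
            $result.ReceiveBufferSize = [System.BitConverter]::ToUInt32($rest, 4)
            $result.SendBufferSize    = [System.BitConverter]::ToUInt32($rest, 8)
            $result.MaxMessageSize    = [System.BitConverter]::ToUInt32($rest, 12)
            $result.MaxChunkCount     = [System.BitConverter]::ToUInt32($rest, 16)
        } elseif ($type -eq 'ERR' -and $got -ge 4) {
            # Error body: StatusCode (UInt32) followed by a Reason string
            $result.Reply = 'ERR 0x{0:X8}' -f [System.BitConverter]::ToUInt32($rest, 0)
        } else {
            $result.Reply = "unexpected message type '$type'"
        }
    } catch {
        $result.Reply = "error: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# Constructed target for illustration; use the engineering workstation or Scope Server host.
Test-OpcUaHello -ComputerName '192.0.2.10' -Port 4840 | Format-List
```

Run it from the segments that should not be able to reach the product (office network, remote-access jump hosts). `Reachable = True` with an `ACK` reply means the unauthenticated handler is exposed from that position; after the firewall or segmentation workaround the expected result is a connect timeout.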
Affected products (10, all with a fix available)
The eight entries listed on this page are below; the Target Browser OPC UA Extension variants in TF6100 and TF6720 are covered by the hotfix versions under Remediation.
  • TwinCAT OPC UA Client System Manager Extension, included in TF6100: affected < 4.3.46.0, fixed in 4.3.46.0
  • TwinCAT OPC UA Configurator (Standalone), included in TF6100: affected < 4.3.46.0, fixed in 4.3.46.0
  • TwinCAT OPC UA Configurator (Standalone), included in TS6100: affected < 4.3.46.0, fixed in 4.3.46.0
  • TwinCAT OPC UA Configurator (Visual Studio), included in TF6100: affected < 4.3.46.0, fixed in 4.3.46.0
  • TwinCAT OPC UA Sample Client, included in TF6100: affected < 4.3.46.0, fixed in 4.3.46.0
  • TwinCAT OPC UA Sample Client, included in TS6100: affected < 4.3.46.0, fixed in 4.3.46.0
  • TwinCAT Scope Server, in TF3300: affected < 3.4.3144.11, fixed in 3.4.3144.11
  • TwinCAT Target Browser OPC UA Extension, included in TF3300: affected < 3.4.3144.11, fixed in 3.4.3144.11
Remediation & Mitigation

Do now
  • WORKAROUND: Restrict network access to the OPC UA ports on all affected products, using Windows Firewall or network segmentation.

Schedule (requires a maintenance window)
Patching may require a device reboot; plan for process interruption.
  • HOTFIX: Update TwinCAT OPC UA Configurator (Standalone and Visual Studio, TF6100 and TS6100) to version 4.3.46.0 or later
  • HOTFIX: Update TwinCAT OPC UA Client System Manager Extension (TF6100) to version 4.3.46.0 or later
  • HOTFIX: Update TwinCAT OPC UA Sample Client (TF6100 and TS6100) to version 4.3.46.0 or later
  • HOTFIX: Update TwinCAT Scope Server (TF3300) to version 3.4.3144.11 or later
  • HOTFIX: Update TwinCAT Target Browser OPC UA Extension to version 3.4.3144.11 (TF3300), 4.3.46.0 (TF6100), or 1.1.68.0 (TF6720), or later
  • HOTFIX: Update .NET Framework to the latest supported version
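To find out which engineering workstations still need the hotfixes above, the following PowerShell script (an added example, not from the advisory or from Beckhoff) inventories installed Beckhoff components from the Windows uninstall registry and compares each version with the fixed version the advisory gives for its product family. The registry DisplayName patterns are assumptions: the advisory does not state how the TF6100, TS6100, TF3300 and TF6720 setups register themselves, so adjust the patterns to what `Get-ItemProperty` shows on your hosts.

```powershell
# Added example (not from the advisory or from Beckhoff): compares installed TwinCAT
# component versions with the fixed versions from the advisory. Fixed versions are the
# advisory's; the DisplayName patterns and registry layout are assumptions.

$FixedVersions = @(
    @{ Family = 'TF6100'; Pattern = '*TF6100*'; FixedIn = [version]'4.3.46.0' }      # OPC UA clients, configurators, Target Browser extension
    @{ Family = 'TS6100'; Pattern = '*TS6100*'; FixedIn = [version]'4.3.46.0' }      # Configurator (Standalone), Sample Client
    @{ Family = 'TF3300'; Pattern = '*TF3300*'; FixedIn = [version]'3.4.3144.11' }   # Scope Server, Target Browser OPC UA extension
    @{ Family = 'TF6720'; Pattern = '*TF6720*'; FixedIn = [version]'1.1.68.0' }      # Target Browser OPC UA extension
)

function Get-TwinCATOpcUaPatchStatus {
    # Both native and WOW6432Node uninstall hives, so 32-bit setups on 64-bit Windows are seen too.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion }

    foreach ($entry in $FixedVersions) {
        $hits = @($installed | Where-Object { $_.DisplayName -like $entry.Pattern })
        if ($hits.Count -eq 0) {
            [pscustomobject]@{
                Family = $entry.Family; Installed = '(not found)'; Version = $null
                FixedIn = $entry.FixedIn; Status = 'not installed, or pattern needs adjusting'
            }
            continue
        }
        foreach ($hit in $hits) {
            # [version] compares numerically field by field (4.3.45.0 < 4.3.46.0),
            # which a plain string comparison would get wrong for e.g. 3.4.999.0 vs 3.4.3144.11.
            $v = $hit.DisplayVersion -as [version]
            $status = 'patched'
            if (-not $v) { $status = 'unparseable version, check manually' }
            elseif ($v -lt $entry.FixedIn) { $status = 'VULNERABLE, update required' }
            [pscustomobject]@{
                Family    = $entry.Family
                Installed = $hit.DisplayName
                Version   = $hit.DisplayVersion
                FixedIn   = $entry.FixedIn
                Status    = $status
            }
        }
    }
}

Get-TwinCATOpcUaPatchStatus | Format-Table -AutoSize
```

Run it on every engineering workstation and industrial PC where these products are installed; any row marked VULNERABLE maps directly to one of the hotfix lines above.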
Long-term hardening
  • HARDENING: Isolate OPC UA client and server products in a dedicated network zone or behind a VPN channel so that only authorized peers can connect.
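Both the immediate workaround (restrict access to the OPC UA ports with Windows Firewall) and the long-term hardening (only authorized peers may connect) come down to the same host-level control on the Windows machines running these tools. The following PowerShell function is an added example, not from the advisory or from Beckhoff: it limits inbound access to the OPC UA port to an explicit peer list and takes care of the two details that silently defeat such a rule, a broader pre-existing allow rule and a permissive profile default. Port 4840 is the default the advisory names; the peer addresses and rule name are assumptions for illustration.

```powershell
# Added example (not from the advisory or from Beckhoff): restricts inbound TCP access to
# the OPC UA port on a Windows host running an affected TwinCAT component to a list of
# peers. Run in an elevated session. Port 4840 is the advisory's default; include any
# custom-configured OPC UA port as well. Peer addresses and rule name are assumptions.

function Restrict-OpcUaInbound {
    param(
        [int[]]$Port = @(4840),
        [Parameter(Mandatory)][string[]]$AllowedPeers,   # e.g. '10.10.5.20', '10.10.5.0/24'
        [string]$RuleName = 'TwinCAT OPC UA - listed peers only'
    )
    # Windows Firewall evaluates Block rules before Allow rules and otherwise falls back to
    # the profile default. A scoped Allow therefore only restricts access if
    #   (a) no broader enabled inbound Allow for the same port remains, and
    #   (b) the profile default for inbound traffic is Block.
    # Note: port ranges such as '4800-4900' in existing rules are not matched by the
    # -as [int] test below; review those by hand.
    $portFilters = Get-NetFirewallPortFilter | Where-Object {
        $_.Protocol -eq 'TCP' -and (
            $_.LocalPort -eq 'Any' -or
            (@($_.LocalPort) | Where-Object { $Port -contains ($_ -as [int]) })
        )
    }
    $broad = $portFilters | Get-NetFirewallRule | Where-Object {
        $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
        $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName
    }
    foreach ($rule in $broad) {
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -eq 'Any') {
            Write-Warning "Disabling unscoped inbound allow rule '$($rule.DisplayName)'"
            $rule | Disable-NetFirewallRule
        }
    }
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

    # Replace any earlier copy of this rule, then add the scoped Allow.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -RemoteAddress $AllowedPeers -Action Allow -Profile Any `
        -Description 'VDE-2021-008 workaround: OPC UA reachable from listed engineering hosts only'
}

# Constructed peer list for illustration.
Restrict-OpcUaInbound -Port 4840 -AllowedPeers '10.10.5.20', '10.10.5.21'

# Verify: the scoped rule should be the only enabled inbound Allow for the port.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq '4840' } |
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Direction, Action,
        @{ n = 'Remote'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } }
```

For the client-side tools (Configurator, Sample Client, Target Browser extension) the same pattern applies to outbound connections: a scoped outbound Allow to the known OPC UA servers, if your workstation policy permits a Block default for outbound traffic. A host rule is a stopgap; the advisory's hardening item, a dedicated zone or VPN channel enforced at the network boundary, does not depend on each workstation being configured correctly.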
Beckhoff: Stack Overflow and XXE vulnerability in various OPC UA products | CVSS 7.5 - OTPulse