Beckhoff: Stack Overflow and XXE vulnerability in various OPC UA products

Plan Patch
CVSS 7.5
VDE-2021-008
Oct 21, 2024
Beckhoff
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Beckhoff TwinCAT OPC UA products contain stack overflow and information disclosure vulnerabilities in OPC UA protocol handling. Affected products include TwinCAT OPC UA Client System Manager Extension, Configurator (standalone and Visual Studio), Sample Client, Scope Server, and Target Browser OPC UA Extension. An attacker can send unauthenticated OPC UA protocol packets to trigger a stack overflow (causing denial of service) or force the product to disclose information. The vulnerabilities exist in multiple versions of TF6100, TS6100, TF3300, and TF6720.

What this means
What could happen
An attacker can crash OPC UA client or server products without authentication, causing loss of process visibility or control, or force information disclosure from the product without authorization.
Who's at risk
OPC UA client and server applications deployed in manufacturing and process automation environments using Beckhoff TwinCAT, including engineering workstations, runtime servers, and configuration tools. This affects facilities using TwinCAT for industrial automation, HMI, or control system integration.
How it could be exploited
An attacker with network access to the OPC UA port (typically 4840) can send specially crafted OPC UA protocol packets to trigger a stack overflow or information disclosure vulnerability. No authentication is required. The attacker could cause the application to crash (denial of service) or extract sensitive configuration or operational data from the product.
Prerequisites
  • Network access to the OPC UA port (typically TCP 4840) on the affected client or server product
  • No authentication credentials required
Tags: remotely exploitable, no authentication required, low complexity, affects process visibility and control, unauthenticated information disclosure possible
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (10)
10 with fix
Product | Affected Versions | Fix Status
TwinCAT OPC UA Client System Manager Extension included in TF6100 | <4.3.46.0 | 4.3.46.0
TwinCAT OPC UA Configurator (Standalone) included in TF6100 | <4.3.46.0 | 4.3.46.0
TwinCAT OPC UA Configurator (Standalone) included in TS6100 | <4.3.46.0 | 4.3.46.0
TwinCAT OPC UA Configurator (Visual Studio) included in TF6100 | <4.3.46.0 | 4.3.46.0
TwinCAT OPC UA Sample Client included in TF6100 | <4.3.46.0 | 4.3.46.0
TwinCAT OPC UA Sample Client included in TS6100 | <4.3.46.0 | 4.3.46.0
TwinCAT Scope Server in TF3300 | <3.4.3144.11 | 3.4.3144.11
TwinCAT Target Browser OPC UA Extension included in TF3300 | <3.4.3144.11 | 3.4.3144.11
Remediation & Mitigation
Do now
WORKAROUND: Restrict inbound network access to OPC UA server products to only trusted client IP addresses using Windows Firewall or network ACLs
WORKAROUND: Restrict outbound network access from OPC UA client products to only trusted server IP addresses and ports using Windows Firewall or network ACLs
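The first workaround above, worked through as an added example that is not part of the Beckhoff or OTPulse advisory: on a Windows host running a TwinCAT OPC UA server product, allow inbound TCP 4840 only from a list of trusted client addresses. The port, the rule name and the client addresses are constructed placeholders.

```powershell
# Added example (not from the advisory): scope inbound OPC UA access to trusted clients.
# Run in an elevated PowerShell session on the OPC UA server host. Placeholder values follow.
$OpcUaPort      = 4840                                          # adjust if the server uses another port
$TrustedClients = @('192.0.2.10', '192.0.2.11', '192.0.2.64/27') # constructed engineering/HMI addresses
$RuleName       = 'TwinCAT OPC UA - allow trusted clients only'  # hypothetical rule name

# Windows Firewall evaluates explicit Block rules before Allow rules, so a broad Block rule
# on the port would also cut off the trusted clients. Instead, rely on the profile default
# (Block) for inbound traffic and make the narrow rule below the only Allow rule for the port.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Disable any existing inbound Allow rule that already opens the OPC UA port to everyone,
# e.g. one created by an installer. Disabling rather than deleting keeps a record for review.
Get-NetFirewallPortFilter -Protocol TCP -LocalPort $OpcUaPort |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName } |
    ForEach-Object {
        Write-Host "Disabling broad inbound rule: $($_.DisplayName)"
        Disable-NetFirewallRule -Name $_.Name
    }

# Create (or refresh) the narrow Allow rule restricted to the trusted client addresses.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $OpcUaPort -RemoteAddress $TrustedClients -Profile Any `
    -Description 'Workaround for VDE-2021-008: limit OPC UA to trusted clients' | Out-Null

# Verify: print the remote addresses the new rule actually accepts.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Re-run the verification step after each change to the trusted-client list, and keep the list in change control so that a forgotten engineering workstation is added deliberately rather than by widening the rule.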
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update TwinCAT OPC UA products (TF6100, TS6100, TF3300, TF6720) to the fixed versions: TF6100 to 4.3.46.0 or later, TF3300 to 3.4.3144.11 or later, TF6720 to 1.1.68.0 or later
HOTFIX: Update .NET Framework to the latest patched version available for your Windows system
Long-term hardening
HARDENING: Isolate OPC UA client and server products in a shared, segregated network zone and protect communication channels with VPN or network segmentation to prevent unauthorized access to OPC UA ports