Beckhoff: Relative path traversal vulnerability through TwinCAT OPC UA Server

Monitor | CVSS 6.5 | VDE-2021-051 | Nov 4, 2021
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

The TwinCAT OPC UA Server contains a relative path traversal vulnerability in its configuration interface nodes that allows file creation and deletion outside intended directories. Administrators (or unauthenticated users if anonymous access is enabled) can remotely create, modify, and delete arbitrary files on the host system, potentially disrupting operations or compromising system integrity.

What this means
What could happen
An administrator (or any user if anonymous access is enabled) could create and delete arbitrary files on the system running the TwinCAT OPC UA Server, potentially disrupting operations, corrupting configuration files, or affecting other systems sharing the host.
Who's at risk
Beckhoff TwinCAT automation controllers (TF6100 and TS6100 series) running TwinCAT OPC UA Server. Affects facility managers and automation engineers who use OPC UA for remote monitoring and configuration, particularly in manufacturing, utilities, and process control environments.
How it could be exploited
An attacker with network access to the OPC UA server port sends requests to specific server configuration interface nodes to perform file operations. If the server is misconfigured to allow anonymous access, no credentials are needed. The attacker can create, modify, or delete files outside the intended restricted directories.
Prerequisites
  • Network access to the TwinCAT OPC UA Server port
  • Administrator credentials (unless anonymous access is enabled)
  • Knowledge of the vulnerable OPC UA node paths
  • remotely exploitable
  • high complexity attack (requires admin credentials or misconfiguration)
  • affects system availability and integrity
  • could enable lateral movement or data corruption
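
The flaw class named in the summary, file create and delete requests that resolve outside the intended directory, is prevented by resolving the client-supplied path and checking containment before any file operation. The following is an added example, not Beckhoff's code and not part of the original advisory; BASE_DIR and the function names are hypothetical, and the sample inputs are constructed.

```python
import ntpath  # Windows path rules; importable on any OS for this demonstration

# Hypothetical base directory: the advisory does not name the server's real one.
BASE_DIR = r"C:\ExampleOpcUa\Files"

def naive_target(client_path: str) -> str:
    """Flawed pattern: join the client-supplied path and trust the result."""
    return ntpath.normpath(ntpath.join(BASE_DIR, client_path))

def safe_target(client_path: str) -> str:
    """Resolve client_path under BASE_DIR; raise if the result leaves it."""
    if not client_path or "\x00" in client_path:
        raise ValueError("empty or malformed path")
    candidate = ntpath.normpath(ntpath.join(BASE_DIR, client_path))
    base = ntpath.normcase(ntpath.normpath(BASE_DIR))
    cand = ntpath.normcase(candidate)
    try:
        # Component-wise comparison; a plain startswith() would accept
        # sibling directories such as C:\ExampleOpcUa\FilesOther.
        inside = ntpath.commonpath([base, cand]) == base
    except ValueError:
        inside = False  # different drive or UNC share
    if not inside or cand == base:
        raise PermissionError(f"outside base directory: {client_path!r}")
    return candidate

# Constructed sample inputs, as a file create/delete handler might receive them.
SAMPLES = [
    r"logs\app.txt",           # stays inside
    "logs/app.txt",            # forward slashes, stays inside
    r"..\..\Windows\x.txt",    # relative traversal
    r"..\FilesOther\x.txt",    # sibling directory sharing the prefix
    r"\Windows\x.txt",         # rooted path on the same drive
    r"D:\x.txt",               # absolute path on another drive
]

def classify(paths):
    """Map each path to the resolved target, or None when it is rejected."""
    result = {}
    for p in paths:
        try:
            result[p] = safe_target(p)
        except (ValueError, PermissionError):
            result[p] = None
    return result

if __name__ == "__main__":
    for path, target in classify(SAMPLES).items():
        print(f"{path!r:28} naive={naive_target(path)!r:40} safe={target!r}")
```

The check is lexical only; on a real host, resolve links and junctions (for example with os.path.realpath) before the comparison.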
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
TwinCAT OPC UA Server in TF6100 < 4.3.48.0 | < 3.2.0.194 | 3.2.0.194
TwinCAT OPC UA Server in TS6100 < 4.3.48.0 | < 3.2.0.194 | 3.2.0.194
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to OPC UA server configuration interface nodes (TcOpcUAServer) using firewall rules to allow only trusted administrative clients
HARDENING: Disable anonymous access to the TwinCAT OPC UA Server and require authenticated connections only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update TwinCAT OPC UA Server to version 3.2.0.194 or later
HARDENING: Implement OPC UA client authentication and authorization controls per Beckhoff guidance at https://infosys.beckhoff.com/content/1033/tcopcuaserver/5930038411-1.html