BECKHOFF: Null Pointer Dereference vulnerability in products with OPC UA technology

MonitorCVSS 6.5VDE-2022-003Mar 1, 2022

Beckhoff

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Beckhoff OPC UA server and client components contain a null pointer dereference vulnerability that can be triggered when the component connects to a malicious OPC UA server. An attacker can craft a malicious OPC UA message that crashes the component. The vulnerability is exploitable when OPC UA connections use SecurityMode=None (unencrypted) and the client connects to an untrusted or attacker-controlled server. Vulnerable components include TcOpcUaServer, TcOpcUaClient, TcOpcUaGateway (and OPC UA functionality in EK9160, IPC Diagnostic UA Server, TF2110, and TS6100 systems).

What this means

What could happen

An attacker can crash Beckhoff OPC UA server or client components by tricking them into connecting to a malicious OPC UA server, disrupting communications between your SCADA/automation controllers and monitoring systems.

Who's at risk

Beckhoff industrial automation controllers and gateways that use OPC UA for communications, including EK9160 controllers, IPC diagnostic servers, TF6100 function blocks, and TS6100 embedded systems. This affects plants and utilities that rely on OPC UA for remote monitoring or integration with SCADA systems.

How it could be exploited

An attacker sets up a malicious OPC UA server or performs a man-in-the-middle attack on unencrypted OPC UA traffic. When a Beckhoff OPC UA client (such as an IPC or engineering workstation) connects to this server with SecurityMode=None (no encryption), the attacker sends a crafted message that triggers a null pointer dereference, crashing the component.

Prerequisites

OPC UA client configured with SecurityMode=None (unencrypted connections)
Client must initiate connection to the attacker-controlled or compromised OPC UA server
Network path must exist from the affected device to the malicious server (local network or reachable via service discovery like mDNS)

Remotely exploitableLow complexity attackNo authentication required if SecurityMode=NoneAffects availability (denial of service via crash)No patch available for several affected products

Exploitability

Unlikely to be exploited — EPSS score 0.5%

Affected products (12)

2 with fix8 pending2 EOL

ProductAffected VersionsFix Status

IPC Diagnostic UA Server on windows images (MDP UA Server) <3.1.0.8<3.1.0.8No fix yet

EK9160 (TcOpcUaServer) <3.2.0.239<3.2.0.2393.2.0.239

TF2110 (Setup) <1.12.754.0<1.12.754.01.12.754.0

TF6100-OPC-UA-Client (TcOpcUaClient) <2.2.9.1<2.2.9.1No fix yet

TF6100-OPC-UA-Gateway (TcOpcUaGateway) <1.5.8.454<1.5.8.454No fix yet

TF6100-OPC-UA-Server (TcOpcUaServer) <3.2.0.240<3.2.0.240No fix yet

TS6100-0030-OPC-UA (TcOpcUaClient) <2.2.9.1<2.2.9.1No fix yet

TS6100-0030-OPC-UA (TcOpcUaGateway) <1.5.8.454<1.5.8.454No fix yet

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDConfigure all OPC UA connections to use SecurityMode other than None (e.g., Sign, SignAndEncrypt)

HARDENINGRestrict OPC UA client connections to known, trusted servers only; disable automatic server discovery via mDNS, Local Discovery Server (LDS), or untrusted Global Discovery Servers (GDS)

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

EK9160 (TcOpcUaServer) <3.2.0.239

HOTFIXUpdate TcOpcUaServer to version 3.2.0.240 or later

TF6100-OPC-UA-Client (TcOpcUaClient) <2.2.9.1

HOTFIXUpdate TcOpcUaClient to version 2.2.9.1 or later

TF6100-OPC-UA-Gateway (TcOpcUaGateway) <1.5.8.454

HOTFIXUpdate TcOpcUaGateway to version 1.5.8.454 or later

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: EK9160 (TcOpcUaServer) <3.2.0.239, TF2110 (Setup) <1.12.754.0. Apply the following compensating controls:

HARDENINGSegment OPC UA traffic on your network to prevent untrusted endpoints from reaching Beckhoff OPC UA components

CVEs (1)

CVE-2021-45117

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/08bc5b64-d1ec-463f-a9dc-4aba2aaa1873

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.