BECKHOFF: Null Pointer Dereference vulnerability in products with OPC UA technology
Monitor · 6.5 · VDE-2022-003 · Mar 1, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Beckhoff OPC UA server and client components contain a null pointer dereference vulnerability that can be triggered when the component connects to a malicious OPC UA server. An attacker can craft a malicious OPC UA message that crashes the component. The vulnerability is exploitable when OPC UA connections use SecurityMode=None (unencrypted) and the client connects to an untrusted or attacker-controlled server. Vulnerable components include TcOpcUaServer, TcOpcUaClient, TcOpcUaGateway (and OPC UA functionality in EK9160, IPC Diagnostic UA Server, TF2110, and TS6100 systems).
What this means
What could happen
An attacker can crash Beckhoff OPC UA server or client components by tricking them into connecting to a malicious OPC UA server, disrupting communications between your SCADA/automation controllers and monitoring systems.
Who's at risk
Beckhoff industrial automation controllers and gateways that use OPC UA for communications, including EK9160 controllers, IPC diagnostic servers, TF6100 function blocks, and TS6100 embedded systems. This affects plants and utilities that rely on OPC UA for remote monitoring or integration with SCADA systems.
How it could be exploited
An attacker sets up a malicious OPC UA server or performs a man-in-the-middle attack on unencrypted OPC UA traffic. When a Beckhoff OPC UA client (such as an IPC or engineering workstation) connects to this server with SecurityMode=None (no encryption), the attacker sends a crafted message that triggers a null pointer dereference, crashing the component.
Prerequisites
- OPC UA client configured with SecurityMode=None (unencrypted connections)
- The client must initiate a connection to the attacker-controlled or compromised OPC UA server
- A network path must exist from the affected device to the malicious server (on the local network, or reachable via service discovery such as mDNS)
- Remotely exploitable
- Low complexity attack
- No authentication required if SecurityMode=None
- Affects availability (denial of service via crash)
- No patch available for several affected products
Affected products (12)
2 with fix · 8 pending · 2 EOL
Product | Affected Versions | Fix Status
IPC Diagnostic UA Server on Windows images (MDP UA Server) | <3.1.0.8 | No fix yet
EK9160 (TcOpcUaServer) | <3.2.0.239 | 3.2.0.239
TF2110 (Setup) | <1.12.754.0 | 1.12.754.0
TF6100-OPC-UA-Client (TcOpcUaClient) | <2.2.9.1 | No fix yet
TF6100-OPC-UA-Gateway (TcOpcUaGateway) | <1.5.8.454 | No fix yet
TF6100-OPC-UA-Server (TcOpcUaServer) | <3.2.0.240 | No fix yet
TS6100-0030-OPC-UA (TcOpcUaClient) | <2.2.9.1 | No fix yet
TS6100-0030-OPC-UA (TcOpcUaGateway) | <1.5.8.454 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Configure all OPC UA connections to use a SecurityMode other than None (e.g., Sign, SignAndEncrypt)
HARDENING: Restrict OPC UA client connections to known, trusted servers only; disable automatic server discovery via mDNS, Local Discovery Server (LDS), or untrusted Global Discovery Servers (GDS)
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
EK9160 (TcOpcUaServer) <3.2.0.239
HOTFIX: Update TcOpcUaServer to version 3.2.0.240 or later
TF6100-OPC-UA-Client (TcOpcUaClient) <2.2.9.1
HOTFIX: Update TcOpcUaClient to version 2.2.9.1 or later
TF6100-OPC-UA-Gateway (TcOpcUaGateway) <1.5.8.454
HOTFIX: Update TcOpcUaGateway to version 1.5.8.454 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: EK9160 (TcOpcUaServer) <3.2.0.239, TF2110 (Setup) <1.12.754.0. Apply the following compensating controls:
HARDENING: Segment OPC UA traffic on your network to prevent untrusted endpoints from reaching Beckhoff OPC UA components
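As an added audit example (not Beckhoff's or the advisory's own code), the following Python checks a constructed inventory of OPC UA client connections against the affected-version table above and the three exploitability prerequisites (affected version, SecurityMode=None, untrusted or auto-discovered server), and lists which workaround, hardening or hotfix step applies to each. The sample versions and endpoints and the Connection/assess/audit helpers are assumptions for illustration.

```python
# Added example (not Beckhoff's or the advisory's code): audit OPC UA client connections against VDE-2022-003.
from collections import namedtuple

# Product -> first version not affected, from the advisory's "Affected Versions" column.
AFFECTED_BELOW = {
    "IPC Diagnostic UA Server (MDP UA Server)": "3.1.0.8",
    "EK9160 (TcOpcUaServer)": "3.2.0.239",
    "TF2110 (Setup)": "1.12.754.0",
    "TF6100-OPC-UA-Client (TcOpcUaClient)": "2.2.9.1",
    "TF6100-OPC-UA-Gateway (TcOpcUaGateway)": "1.5.8.454",
    "TF6100-OPC-UA-Server (TcOpcUaServer)": "3.2.0.240",
    "TS6100-0030-OPC-UA (TcOpcUaClient)": "2.2.9.1",
    "TS6100-0030-OPC-UA (TcOpcUaGateway)": "1.5.8.454",
}

def parse_version(text):
    """'3.2.0.239' -> (3, 2, 0, 239); pad short strings so tuples compare numerically."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def is_affected(product, version):
    """True when the installed version is below the advisory's threshold for that product."""
    threshold = AFFECTED_BELOW.get(product)
    return threshold is not None and parse_version(version) < parse_version(threshold)

# security_mode: "None"/"Sign"/"SignAndEncrypt"; trusted_server: False when found via mDNS/LDS/GDS discovery.
Connection = namedtuple("Connection", "product version endpoint security_mode trusted_server")

def assess(conn):
    """Classify one connection and list the advisory steps that apply to it."""
    actions = []
    vulnerable = is_affected(conn.product, conn.version)
    if vulnerable:
        actions.append(f"version below {AFFECTED_BELOW[conn.product]}: apply the hotfix when available")
    if conn.security_mode == "None":
        actions.append("WORKAROUND: set SecurityMode to Sign or SignAndEncrypt")
    if not conn.trusted_server:
        actions.append("HARDENING: allow-list servers; disable mDNS/LDS/GDS discovery")
    if vulnerable and conn.security_mode == "None" and not conn.trusted_server:
        return "EXPLOITABLE", actions  # all three advisory prerequisites hold
    return ("VULNERABLE-MITIGATED" if vulnerable else "NOT-AFFECTED"), actions

# Constructed sample inventory of a hypothetical plant, not real data.
SAMPLE = [
    Connection("TF6100-OPC-UA-Client (TcOpcUaClient)", "2.2.8.0", "opc.tcp://10.0.5.20:4840", "None", False),
    Connection("TF6100-OPC-UA-Client (TcOpcUaClient)", "2.2.8.0", "opc.tcp://10.0.5.21:4840", "SignAndEncrypt", True),
    Connection("EK9160 (TcOpcUaServer)", "3.2.0.239", "opc.tcp://10.0.5.30:4840", "None", True),
]

def audit(connections=SAMPLE):
    return {c.endpoint: assess(c)[0] for c in connections}
```

Running audit() over the sample flags the first connection as exploitable, the second as vulnerable but mitigated by SignAndEncrypt to a trusted peer, and the third as not affected while still recommending the SecurityMode workaround.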
CVEs (1)