New Significant Vulnerabilities Identified in the OPC Protocol

Hello All. Researchers as Claroty, well kn0wn OT passive monitoring vendor have disclosed multiple critical vulnerabilities in vendor implementations of the Open Platform Communications (OPC) network protocol.

What is the OPC Protocol Anyway?

OPC communicates information from a data source such as a server to any client application in a standard way without requiring the application to have any specific knowledge about the data source such as its communication protocols. When diverse OT systems are required to communicate with each other a separate protocol or method is required for each device. As a solution the OPC (linking and correlating objects in process control) standard was developed.

OPC is a communication standard known as the OLE / COM (object Linking & Embedding / component object model) standard, based on Microsoft’s object-oriented technology aimed at integration between different applications, to make the connection between different units in automation systems fast and reliable.

Claroty’s Findings

The vulnerabilities affect the following vendors and products: Softing’s Industrial Automation OPC library, Kepware PTC’s ThingWorx Kepware Edge and KEPServerEX OPC servers, and Matrikon’s Matrikon OPC Tunneller.

These three products are integrated into many other vendors’ offerings as a third-party component. For example, Softing’s OPC library is being used as a third-party OPC protocol stack by some vendors, and the KEPServerEX OPC Server is being used as an OEM shelf solution by other well-known vendors, including Rockwell Automation and GE, both of which have published advisories informing their users of these security issues. We believe these vulnerabilities may affect multiple other products sold by vendors across all ICS vertical markets. Here is a list of the vulnerability CVEs:

Softing Industrial Automation GmbH

  • CVE-2020-14524: Heap-Based Buffer Overflow (CWE-122)
  • CVE-2020-14522: Uncontrolled Resource Consumption (CWE-400)

Kepware PTC

  • CVE-2020-27265: Stack-based buffer overflow (CWE-121)
  • CVE-2020-27263: Heap-based buffer overflow (CWE-122)
  • CVE-2020-27267: Use-after-free (CWE-416)

Matrikon Honeywell OPC DA Tunneler

  • CVE-2020-27297: Heap overflow due to integer overflow (CWE-122)
  • CVE-2020-27299: Information leak due to OOB read (CWE-125)
  • CVE-2020-27274: Improper check for unusual or exceptional conditions (CWE-754)
  • CVE-2020-27295: Uncontrolled resource consumption (CWE-400)

Claroty are urging users of these products to upgrade to the latest version to mitigate these vulnerabilities.