Claroty identifies embedded OPC protocol operating in devices across the ICS domain

Operational technology (OT) company Claroty privately disclosed throughout last year critical flaws in equipment from vendors using the Open Platform Communications (OPC) protocol. These are exposed to attacks that could result in denial-of-service conditions on devices, remote code execution, and information leaks of sensitive device data.

The Claroty researchers decided that due to its popularity as an embedded protocol operating in devices across the industrial control systems (ICS) domain, OPC was worthy of analysis for security vulnerabilities and implementation issues, wrote Uri Katz, in a Claroty blog post. Katz was credited for reporting these vulnerabilities to the Cybersecurity and Infrastructure Agency (CISA) and relevant companies.

Users of Softing Industrial Automation GmbH, Kepware PTC, and Matrikon Honeywell

products have been urged to determine whether they are vulnerable and update immediately to the latest versions. The Industrial Control System Cyber Emergency Response Team (ICS-CERT) has also published advisories, warning users of the risks. Update and mitigation information is also available in the advisories.

OPC is the communications hub of an OT network, centrally supporting communications between proprietary devices that otherwise would be unable to exchange information. It comes deeply embedded in many product configurations and OPC-centered development and usage. Also contributing to the extensive use of the OPC protocol is the fact that many vendors are already connecting parts of their networks that communicate using OPC to the cloud, Katz said. This introduces industrial IoT devices into the equation, those that both receive and exchange device and process information, he added.

Attack surfaces, therefore, will expand, and organizations must examine their respective implementations for weaknesses, Katz pointed out.

The OPC network protocol is the middleman of OT networks, ensuring operability between ICS and proprietary devices, such as programmable logic controllers (PLCs) responsible for the correct operation of field devices, Katz said. Having communication protocols such as OPC and its specifications like OPC DA, AE, HDA, XML DA, DX, and OPC UA standardized, also guarantees that management and oversight of devices and processes can happen from a centralized server, he added.

Claroty discovered two vulnerabilities in the Softing OPC DA XML library’s handling of OPC DA XML. One vulnerability was found in its transport layer, specifically the HTTP SOAP server, while the other flaw targets XML data. Both are trivial to exploit and lead to denial-of-service conditions. All versions prior to the latest build of the library, version 4.47.0, are vulnerable.

The first is a heap-based buffer overflow vulnerability in the Softing OPC DA XML library that may allow an attacker to crash the Softing server and possibly execute code. ICS-CERT assigned this flaw a CVSS score of 9.8. The issue lies in the fact that the Softing web server fails to limit SOAP header lengths, nor does it sanitize the values of SOAP headers as it parses them as OPC DA XML over SOAP.

Exceptionally long headers will cause the server to endlessly allocate memory; memory allocation does eventually fail because of resource consumption of heap memory, Katz pointed out. But the web server does not check the return code of the memory allocation and tries to copy data to the returned pointer. But since the returned pointer is NULL, an attacker’s data is copied to uninitialized memory, eventually causing an access violation exception and a crash of the server, he added.

The second flaw is a resource consumption bug, which occurs when an invalid value is used within certain parameters. That value will create a loop that runs indefinitely, causing high memory consumption and denial-of-service conditions, Katz added.

KEPServerEX v6.0 to v6.9 are vulnerable, as are ThingWorx Kepware Server v6.8 and v6.9 and all versions of ThingWorx industrial connectivity and OPC-Aggregator, Katz noted. Claroty uncovered OPC UA vulnerabilities in Kepware PTC’s ThingWorx Edge and KEPServerEX servers, which lead to denial-of-service conditions, sensitive data leaks, and potentially, code execution. Kepware’s OPC protocol stack is embedded as a third-party component in many products across different industries.

The stack-based overflow vulnerability was found in the ThingWorx Edge Server. Attackers could crash, and under certain conditions, potentially execute code on a vulnerable server remotely and without authentication. Claroty researchers found the flaw in the logic for decoding OPC strings that allows an attacker to copy a string longer than 1024 bytes without allocating more memory, the company said. This flaw can be triggered pre-authentication and will allow for data on the stack after the first 1024 bytes to be overwritten.

Claroty researchers also found an information leak resulting from a heap out-of-bounds read, also in the ThingWorx Edge Server’s string decoding flow, Katz added. This bug affects Windows and Linux versions of the server and could also crash the machine. The use-after-free flaw, another pre-authentication flaw, was found in the Kepware KEPServerEX Edge Server transport layer.

“We investigated the trace and determined that an event for the connection is raised after the connection is closed, and when the program tries to use the freed connection object, it crashes,” Katz wrote.

Claroty also found multiple vulnerabilities in different Matrikon OPC Tunneller components, including a critical (9.8 CVSS) heap overflow flaw that could allow for remote code execution on affected machines, according to Katz. In addition, other conditions could be exploited that would result in denial-of-service attacks on devices because of excessive  consumption or improper checks. All versions prior to 6.3.0.8233 of the Matrikon OPC UA Tunneller are vulnerable, and Matrikon recommends that its users update to version 6.3.0.8233.

Claroty advised users to upgrade to the latest version of each of these products to close down these vulnerabilities. In the meantime, it’s important to continue to research and address vulnerabilities in OT communications protocols, such as OPC.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.