Claroty Finds Critical Flaws in OPC Protocol Implementations
January 2021 by Claroty
The Open Platform Communications (OPC) network protocol is the middleman of operational technology (OT) networks, ensuring operability between industrial control systems (ICS) and proprietary devices, such as programmable logic controllers (PLCs) responsible for the correct operation of field devices. Having standardized communication protocols such as OPC and its specifications (OPC DA, AE, HDA, XML DA, DX, and OPC UA) guarantees that management and oversight of devices and processes can happen from a centralized server.
The Claroty Research Team decided that due to its popularity as an embedded protocol operating in devices across the ICS domain, OPC was worthy of analysis for security vulnerabilities and implementation issues. In the coming weeks, we will publish an in-depth report about OPC and its various flavors, but for today, we want to share some details about a number of vulnerabilities that emerged from our intensive investigation of the protocol.
Throughout 2020, Claroty privately disclosed critical flaws in several vendor implementations of the OPC protocol. Organizations that use these vendors’ products built on OPC are exposed to attacks that could result in denial-of-service conditions on devices, remote code execution, and information leaks of sensitive device data.
Three vendors—Softing Industrial Automation GmbH, Kepware PTC, and Matrikon Honeywell—have provided fixes for their respective products. Users of affected products are urged to determine whether they are vulnerable and update immediately to the latest versions. The Industrial Control System Cyber Emergency Response Team (ICS-CERT) has also published advisories, warning users of the affected products about the risks. Update and mitigation information is also available in the advisories.
Here are the ICS-CERT advisories for each of the affected vendors:
● Softing Industrial Automation
● Kepware PTC
● Matrikon Honeywell
The following sections provide some details on vulnerabilities uncovered by The Claroty Research Team in Softing’s Industrial Automation OPC library, Kepware PTC’s ThingWorx Kepware Edge and KEPServerEX OPC servers, and Matrikon’s Matrikon OPC Tunneller.
These three products are integrated into many other vendors’ offerings as a third-party component. For example, Softing’s OPC library is being used as a third-party OPC protocol stack by some vendors, and the KEPServerEX OPC Server is being used as an OEM shelf solution by other well-known vendors, including Rockwell Automation and GE, both of which have published advisories informing their users of these security issues. We believe these vulnerabilities may affect multiple other products sold by vendors across all ICS vertical markets.
Here is a brief summary of each vulnerability uncovered by Claroty:
Softing Industrial Automation GmbH
Heap-Based Buffer Overflow (CWE-122)
Uncontrolled Resource Consumption (CWE-400)
All versions prior to the latest build, 4.47.0, are vulnerable.
Claroty discovered two vulnerabilities in the Softing OPC DA XML library's handling of OPC DA XML. One vulnerability was found in its transport layer, specifically the HTTP SOAP server, while the other lies in its handling of XML data. Both are trivial to exploit and lead to denial-of-service conditions. All versions prior to the latest build of the library, version 4.47.0, are vulnerable.
The first is a heap-based buffer overflow vulnerability in the Softing OPC DA XML library that may allow an attacker to crash the Softing server and possibly execute code. ICS-CERT assigned this flaw a CVSS score of 9.8.
The issue lies in the fact that the Softing web server neither limits SOAP header lengths nor sanitizes the values of SOAP headers as it parses them as OPC DA XML over SOAP.
Exceptionally long headers cause the server to allocate memory without bound; the allocation eventually fails because heap memory is exhausted. The web server does not check the return value of the memory allocation and tries to copy the request data to the returned pointer. Since that pointer is NULL, the attacker's data is written to the NULL address, eventually causing an access violation exception and a crash of the server.
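The unchecked-allocation defect described above, as an added example in C that is not Softing's code: an assumed per-header length bound (MAX_HEADER_LEN), a stand-in allocator hook so heap exhaustion can be simulated, the unchecked copy pattern kept only for contrast, and the hardened form that bounds the header first and treats a NULL allocation as an ordinary error.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on one SOAP/HTTP header line; a deployment choice,
 * not a value taken from the advisory. */
#define MAX_HEADER_LEN 8192

/* Allocator hook so an allocation failure can be simulated deterministically. */
typedef void *(*alloc_fn)(size_t);

/* Defect pattern the advisory describes: length comes from the request,
 * the allocation result is never checked, so a NULL from the allocator
 * becomes a write through a NULL pointer and an access violation.
 * Kept only for contrast; never call it with a failing allocator. */
char *copy_header_unchecked(const char *start, size_t len, alloc_fn alloc) {
    char *buf = alloc(len + 1);
    memcpy(buf, start, len);        /* faults here when alloc() returned NULL */
    buf[len] = '\0';
    return buf;
}

/* Hardened form: refuse overlong headers before allocating, and check
 * the allocation result instead of assuming success. */
char *copy_header_checked(const char *start, size_t len, alloc_fn alloc) {
    if (start == NULL || len > MAX_HEADER_LEN) return NULL;
    char *buf = alloc(len + 1);
    if (buf == NULL) return NULL;   /* heap exhaustion is a normal error path */
    memcpy(buf, start, len);
    buf[len] = '\0';
    return buf;
}

/* Extract the first header line (up to CRLF) from a raw request of n bytes.
 * Scanning stops at the bound, so an "exceptionally long header" with no
 * terminator in range is rejected up front rather than buffered endlessly. */
char *read_header_line(const char *req, size_t n, alloc_fn alloc) {
    size_t limit = n < MAX_HEADER_LEN + 2 ? n : MAX_HEADER_LEN + 2;
    for (size_t i = 0; i + 1 < limit; i++)
        if (req[i] == '\r' && req[i + 1] == '\n')
            return copy_header_checked(req, i, alloc);
    return NULL;
}

/* Simulated allocator that always fails, standing in for heap exhaustion. */
void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Constructed check: a header longer than the bound is refused. Returns 1 on success. */
int overlong_header_rejected(void) {
    static char big[MAX_HEADER_LEN + 16];
    memset(big, 'A', sizeof big - 2);
    big[sizeof big - 2] = '\r'; big[sizeof big - 1] = '\n';
    return read_header_line(big, sizeof big, malloc) == NULL;
}
```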
The second flaw is a resource consumption bug that occurs when an invalid value is supplied in certain parameters. That value causes a loop to run indefinitely, leading to high memory consumption and a denial-of-service condition.