At least nine vulnerabilities in the approach three leading IoT vendors used to implement the open platform communication (OPC) network protocol created conditions that could potentially expose product users to denial-of-service (DoS) attacks, remote code execution, and sensitive data leakage.
The three IoT vendors – Softing Industrial Automation GmbH, Kepware PTC, and Matrikon Honeywell – all provided fixes for their respective products after security firm Claroty privately disclosed them during 2020.
OPC functions as the middleman of operational technology (OT) networks, ensuring operability between industrial control systems (ICS) and proprietary devices, such as programmable logic controllers (PLCs) responsible for the correct operation of field devices. Standardized communication protocols such as OPC and its specifications guarantee that management and oversight of devices and processes can happen from a centralized server.
The researchers urged vulnerable users to update immediately to the latest versions if the affected products. The Industrial Control System Cyber Emergency Response Team (ICS-CERT) also has published advisories, warning users of the affected products about the risks and offering update and mitigation information.
Claroty researchers cautioned the attack surfaces will expand and said organizations must examine their respective implementations for weaknesses. Meanwhile, the security community must also support enhanced security and research into undiscovered vulnerabilities and protocol shortcomings.
Today’s report comes as a significant reminder that industrial control systems rely on software and these systems are open to abuse by cybercriminals, said Joseph Carson, chief security scientist and Advisory chief information security officer at Thycotic.
“For OPC software this means it must be hardened and kept on segmented secure networks with strong privileged access security controls,” Carson said. “A defense-in-depth strategy for ICS is vital to protecting them against unauthorized access so that even when security vulnerabilities are exposed the risks on abusing them is very limited.”
The vulnerabilities discovered include the following:
Softing Industrial Automation GmbH
CVE-2020-14524: Heap-Based Buffer Overflow (CWE-122)
CVE-2020-14522: Uncontrolled Resource Consumption (CWE-400)
CVE-2020-27265: Stack-based buffer overflow (CWE-121)
CVE-2020-27263: Heap-based buffer overflow (CWE-122)
CVE-2020-27267: Use-after free (CWE-416)
Matrikon Honeywell OPC DA Tunneler
CVE-2020-27297: Heap overflow due to integrer overflow (CWE-122)
CVE-2020-27299: Information leak due to OOB read (CWE-125)
CVER-2020-27274: Improper check for unusual or exceptional conditions (CWE-754)
CVE-2020-27295: Uncontrolled resource consumption (CWE-400)