Team82 Research
OPC UA is the standard unified communication protocol in industrial environments
Proprietary field devices and ICS/SCADA systems that previously could not exchange data on the OT network now do so over OPC UA, which is supported by dozens of vendors across industries
Team82 has compiled a comprehensive guide to OPC UA, examining its history, security features, and attack surface
Part 1, OPC UA Uncovered: History of the OPC UA Protocol is available today
In the coming weeks, we will publish additional installments of this guide, including disclosures of new vulnerabilities and details on some of the tools we use, among them an OPC UA network fuzzer and an exploitation framework
OPC UA (Open Platform Communications Unified Architecture) is today the standard protocol for unified communications in industrial environments. As more vendors build new products that implement OPC UA, or retrofit older devices to support the protocol, it has become one of the few mutually understood and widely adopted technologies in OT.
OPC UA solved critical interoperability issues between field devices and ICS/SCADA systems that previously could not exchange data. Developed by the OPC Foundation, OPC UA is the standard protocol over which engineers and operators can, from a single server, communicate with and manage physical processes on the OT network. The fact that OPC UA is platform independent allows devices from different vendors to seamlessly communicate.
To achieve this goal, a few components were introduced: the OPC server, the OPC client, and the OPC gateway. The OPC server contains many protocol converters that are capable of communicating with devices, such as PLCs, using their native protocols, including Modbus, EtherNet/IP, S7, and more. The OPC server continuously polls devices for specific predefined memory values, known as tags or points, and stores them in a special database. An OPC client, such as an HMI, can then communicate with the server using the generic OPC protocol to read the values of these tags/points without knowing anything about the underlying device protocol.
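The client-server exchange described above begins, on the wire, with the UA-TCP handshake: the client sends a Hello ("HEL") message and the server answers with an Acknowledge ("ACK") before any secure channel is opened. The following Python is an added example written for this guide; it is not Team82's fuzzer, nor code from any OPC Foundation SDK. The field layout (8-byte header, five UInt32 fields, length-prefixed EndpointUrl), the 4096-byte EndpointUrl limit and the 8192-byte minimum buffer size follow OPC UA Part 6. It encodes both sides of the exchange and parses them strictly, rejecting the kinds of length inconsistencies a network fuzzer would send; the endpoint URL and all sample messages are constructed for the example.

```python
"""Encode and strictly parse the OPC UA HEL/ACK handshake (UA-TCP, Part 6).

Illustrative code for this guide, not Team82's tooling or an OPC Foundation SDK.
Sample endpoint URL and malformed messages below are constructed for the example.
"""
import struct

HEADER = struct.Struct("<3scI")   # MessageType (3 ASCII), ChunkType (b"F"), MessageSize incl. header
FIXED = struct.Struct("<IIIII")   # ProtocolVersion, ReceiveBufferSize, SendBufferSize, MaxMessageSize, MaxChunkCount
MAX_ENDPOINT_URL = 4096           # Part 6: EndpointUrl must be under 4096 bytes
MIN_BUFFER = 8192                 # Part 6: buffer sizes must be at least 8192 bytes


class MalformedMessage(ValueError):
    """Raised for anything a hardened stack should reject before touching the payload."""


def encode_string(value):
    """OPC UA String: Int32 byte length (-1 means null) followed by UTF-8 bytes."""
    if value is None:
        return struct.pack("<i", -1)
    raw = value.encode("utf-8")
    return struct.pack("<i", len(raw)) + raw


def build_message(msg_type, body):
    return HEADER.pack(msg_type, b"F", HEADER.size + len(body)) + body


def build_hello(endpoint_url, recv_buf=65536, send_buf=65536, max_msg=0, max_chunks=0):
    body = FIXED.pack(0, recv_buf, send_buf, max_msg, max_chunks) + encode_string(endpoint_url)
    return build_message(b"HEL", body)


def build_ack(recv_buf, send_buf, max_msg=0, max_chunks=0):
    return build_message(b"ACK", FIXED.pack(0, recv_buf, send_buf, max_msg, max_chunks))


def parse_header(data):
    """Validate the header before trusting any length it declares."""
    if len(data) < HEADER.size:
        raise MalformedMessage("truncated header")
    msg_type, chunk_type, size = HEADER.unpack_from(data)
    if chunk_type != b"F":
        raise MalformedMessage("handshake messages are always a final chunk")
    # The declared size must cover the header and must not exceed the bytes we hold;
    # trusting it blindly is how a parser walks off the end of its buffer.
    if size < HEADER.size or size > len(data):
        raise MalformedMessage("declared MessageSize %d inconsistent with %d bytes" % (size, len(data)))
    return msg_type, data[HEADER.size:size]


def parse_hello(data):
    msg_type, body = parse_header(data)
    if msg_type != b"HEL":
        raise MalformedMessage("expected HEL, got %r" % msg_type)
    if len(body) < FIXED.size + 4:
        raise MalformedMessage("HEL body too short")
    version, recv_buf, send_buf, max_msg, max_chunks = FIXED.unpack_from(body)
    (url_len,) = struct.unpack_from("<i", body, FIXED.size)
    url_start = FIXED.size + 4
    # Reject negative lengths (including the -1 null marker), oversized URLs,
    # and URLs whose declared length does not match the remaining body.
    if url_len < 0 or url_len > MAX_ENDPOINT_URL or url_start + url_len != len(body):
        raise MalformedMessage("bad EndpointUrl length %d" % url_len)
    if min(recv_buf, send_buf) < MIN_BUFFER:
        raise MalformedMessage("buffer sizes below the 8192-byte minimum")
    return {
        "ProtocolVersion": version, "ReceiveBufferSize": recv_buf, "SendBufferSize": send_buf,
        "MaxMessageSize": max_msg, "MaxChunkCount": max_chunks,
        "EndpointUrl": body[url_start:url_start + url_len].decode("utf-8"),
    }


def parse_ack(data):
    msg_type, body = parse_header(data)
    if msg_type != b"ACK" or len(body) != FIXED.size:
        raise MalformedMessage("malformed ACK")
    keys = ("ProtocolVersion", "ReceiveBufferSize", "SendBufferSize", "MaxMessageSize", "MaxChunkCount")
    return dict(zip(keys, FIXED.unpack(body)))


def respond_to_hello(hello, server_recv=65536, server_send=65536):
    """Server side of the negotiation: never send more than the peer can receive, and vice versa."""
    return build_ack(recv_buf=min(server_recv, hello["SendBufferSize"]),
                     send_buf=min(server_send, hello["ReceiveBufferSize"]))


def handshake_demo():
    """Constructed round trip plus three malformed HELs of the kind a fuzzer emits."""
    hello = build_hello("opc.tcp://plc.example.local:4840", recv_buf=16384)
    fields = parse_hello(hello)
    ack = parse_ack(respond_to_hello(fields))
    rejected = []
    for bad in (
        hello[:HEADER.size - 4] + struct.pack("<I", 0xFFFFFFFF) + hello[HEADER.size:],  # MessageSize lies
        build_message(b"HEL", FIXED.pack(0, 65536, 65536, 0, 0) + struct.pack("<i", -1)),  # null EndpointUrl
        build_message(b"HEL", FIXED.pack(0, 65536, 65536, 0, 0) + struct.pack("<i", 5000) + b"A" * 16),  # URL overruns body
    ):
        try:
            parse_hello(bad)
        except MalformedMessage as exc:
            rejected.append(str(exc))
    return fields, ack, rejected


if __name__ == "__main__":
    for item in handshake_demo():
        print(item)
```

The three rejected inputs are exactly the cases a hardened stack has to get right before anything else: a header whose declared size exceeds the bytes actually received, a string length that is negative, and a string length that overruns the body. Each is a single field flip away from a valid message, which is why length fields are the first thing an OPC UA fuzzer mutates.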
Team82 has invested considerable time and resources to research the security of the OPC UA protocol. Since 2020, we’ve disclosed more than two dozen vulnerabilities in OPC UA products, or in the protocol stack itself. We’ve researched clients, servers, and other software that supports OPC UA, and our work has helped improve the security of the overall network protocol stack. In addition, we also made freely available a network fuzzer used to find a number of zero-day vulnerabilities in OPC UA products in preparation for the Pwn2Own Miami competition in 2022 and 2023.
Today, we’re publishing the first in a multipart series of blogs that we hope will be the ultimate resource for OT engineers, asset operators, and asset owners intimately involved in OT network security, and specifically, OPC UA.
Throughout the series we plan to share our research into the OPC UA attack surface and provide extensive background, including:
The inner workings of the protocol
A recap of OPC UA history
OPC UA's security features
The OPC UA attack surface
Information about new vulnerabilities
New attack techniques targeting OPC UA
A new OPC UA exploit framework and fuzzers
Our goal is to publish and maintain a useful OPC UA security guide, one that can be referenced often in order to minimize the risk to OT networks, and reduce the potential for damaging remote code execution or denial-of-service attacks.
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation UaGateway. Authentication is required to exploit this vulnerability.
The specific flaw exists within the implementation of the ImportXML function. The issue results from a failure to validate that an object exists before performing operations on it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.
CVSS V3: 6.5
CWE-22 Path Traversal:
A path traversal vulnerability exists in the Xibo CMS: a specially crafted zip file uploaded via the layout import function by an authenticated user allows creation of files outside the CMS library directory as the webserver user. This can be used to write a PHP webshell inside the web root directory and achieve remote code execution as the webserver user.
CVSS V3: 8.8
CWE-89 SQL Injection:
An SQL injection vulnerability was discovered in the /dataset/data/{id} API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the filter parameter.
Values allowed in the filter parameter are checked against a deny list of SQL keywords that should not be permitted; however, this check was performed in a case-sensitive manner, so it is possible to bypass it with unusual case combinations (for example, mixed-case spellings of a blocked keyword).
CVSS V3: 6.5
CWE-89 SQL Injection:
A SQL injection vulnerability was discovered in the nameFilter function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators.
CVSS V3: 6.5
CWE-89 SQL Injection:
A SQL injection vulnerability was discovered in the /display/map API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the bounds parameter.
CVSS V3: 6.5