CVE-2024-38095 Information
About the vulnerability
A vulnerability exists in the Systems.Formats.Asn1 NuGet package that affects the current (5.80.293.1) QuickOPC and Excel Connector version, and earlier versions. Our products reference the vulnerable package indirectly, through OpcFoundation.NetStandard.* packages.
Security advisory from https://github.com/advisories/GHSA-447r-wph3-92pm
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0 and .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A Vulnerability exists when System.Formats.Asn1 in .NET parses an X.509 certificate or collection of certificates, a malicious certificate can result in excessive CPU consumption on all platforms result in Denial of Service.
Assessment
We have assessed the impact of this vulnerability, which has to be done in context of the real usage. OPC UA applications receive X.509 certificates or their collections from two sources:
- Certificates stores used by the application
- Certificates passed to the application by communication peers (server to client, or client to server)
For certificates coming from the certificates stores, the attacker would already need to have full access to the certificate stores. Certificate stores must be adequately protected in OPC UA system. If the attacker has full access to the certificates stores, the system is already seriously compromised; this vulnerability provides a possible increase in scope which is, in our view, small in comparison to the seriousness of the pre-existing compromise.
For certificates passed to the application by communication peers, the highest risk would be for public-facing OPC UA servers, where there is little control over who attempts to connect to the server, and denial-of-service attacks are common. Use of public-facing OPC UA servers, without further measures in place (such as firewall whitelists), is however discouraged, and relatively rare in practice. QuickOPC and Excel Connector are not OPC UA servers, and therefore this high risk case does not apply to them.
The remaining case to be considered is that QuickOPC application or Excel Connector, in the role of an OPC UA client, attempts to connect to an OPC UA server and receives a malicious certificate from it. For this attack to work, either the OPC UA server needs to be already compromised, or the OPC UA client application needs to be tricked into connecting into an improper server. These are realistic scenarios. The risk they actually present needs to be evaluated in the context of your system.
You are not affected if you target .NET Framework only (as opposed to .NET 6 or 8).
You are not affected if you use OPC Classic or OPC XML only.
Actions
The QuickOPC and Excel Connector versions that are current at the time this article was written are 5.80.293.1, and they reference OpcFoundation.NetStandard.* packages version 1.4.372.56, which transitively reference the affected System.Formats.Asn1 package version. The first version of OpcFoundation.NetStandard.* packages that references un-affected System.Formats.Asn1 package versions is 1.5.374.54.
Effective with version 5.80.323.1, we have updated the QuickOPC and Excel products to reference OpcFoundation.NetStandard.* packages version 1.5.374.78, which resolves the vulnerability. See What's new in OPC Studio 2024.1.