CVE-2022-2561 Connectivity Explorer file vulnerability (ZDI-CAN-16596)

From OPC Labs Knowledge Base
Revision as of 11:48, 22 July 2022 by User (talk | contribs) (Created page with "Category:Security Bulletins = Summary = The Connectivity Explorer (part of QuickOPC) allows the user to save and load XML files with list of "Live Points". When opening th...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Summary

The Connectivity Explorer (part of QuickOPC) allows the user to save and load XML files with list of "Live Points". When opening the file, the Connectivity Explorer does not treat it as untrusted data. This allows the attacker to craft a special file which will then execute commands on the user's computer (the proof of concept file opens a "mspaint").

More Information

The vulnerability is not related to OPC communication.

The vulnerability does not affect user software created with QuickOPC, because it is only present in the Connectivity Explorer application, which is not redistributable.

The Connectivity Explorer does not associate a file extension with its files. Consequently, clicking/double-clicking on a malicious file does not trigger the vulnerability. The vulnerability can only be exploited by explicitly opening the file from the Connectivity Explorer application by the user.

Affected Versions

Affected are all Connectivity Explorer versions lower than 5.63.246 (QuickOPC 2022.1 build 246).

Resolution

The Connectivity Explorer now restricts the types that are allowed to load.

Acknowledgements

Steven Seeley (mr_me) of Source Incite working with Trend Micro Zero Day Initiative.