CVE-2024-38095 Information

From OPC Labs Knowledge Base
Revision as of 11:06, 27 July 2024 by User

About the vulnerability

A vulnerability exists in the System.Formats.Asn1 NuGet package that affects the current (5.80.293.1) QuickOPC and Excel Connector version, and earlier versions. Our products reference the vulnerable package indirectly, through the OpcFoundation.NetStandard.* packages.

Security advisory from https://github.com/advisories/GHSA-447r-wph3-92pm

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0 and .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists when System.Formats.Asn1 in .NET parses an X.509 certificate or collection of certificates: a malicious certificate can result in excessive CPU consumption on all platforms, resulting in denial of service.

We have assessed the impact of this vulnerability, which has to be done in the context of real usage. OPC UA applications receive X.509 certificates, or collections of them, from two sources:

  • Certificate stores used by the application
  • Certificates passed to the application by communication peers (server to client, or client to server)

For certificates coming from the certificate stores, the attacker would already need to have full access to the certificate stores. Certificate stores must be adequately protected in an OPC UA system. If the attacker has full access to the certificate stores, the system is already seriously compromised; this vulnerability provides a possible increase in scope which is, in our view, small in comparison to the seriousness of the pre-existing compromise.

For certificates passed to the application by communication peers, the highest risk would be for public-facing OPC UA servers, where there is little control over who attempts to connect to the server, and denial-of-service attacks are common. Use of public-facing OPC UA servers, without further measures in place (such as firewall whitelists), is however discouraged, and relatively rare in practice. QuickOPC and Excel Connector are not OPC UA servers, and therefore this high risk case does not apply to them.

The remaining case to be considered is that a QuickOPC application or Excel Connector, in the role of an OPC UA client, attempts to connect to an OPC UA server and receives a malicious certificate from it. For this attack to work, either the OPC UA server needs to be already compromised, or the OPC UA client application needs to be tricked into connecting to an improper server. These are realistic scenarios. The risk they actually present needs to be evaluated in the context of your system.

You are not affected if you use OPC Classic or OPC XML only.

Actions

The current QuickOPC and Excel Connector version is 5.80.293.1, and it references OpcFoundation.NetStandard.* packages version 1.4.372.56, which transitively reference the affected System.Formats.Asn1 package versions. The first version of the OpcFoundation.NetStandard.* packages that references unaffected System.Formats.Asn1 package versions is 1.5.374.54.

QuickOPC and Excel Connector version 5.81 are in the works and are to be released before the end of 2024. They will reference the unaffected OpcFoundation.NetStandard.* 1.5.374.54 or later.

There are no OpcFoundation.NetStandard.* versions in the 1.4.* range that reference the unaffected System.Formats.Asn1 package. Unfortunately, there are API and functionality changes between the 1.4.* and 1.5.* versions of the OpcFoundation.NetStandard.* packages that prevent a straightforward replacement in QuickOPC and Excel Connector 5.80.*, and therefore a simple "quick-fix" cannot be issued. We will analyze the possibility of upgrading QuickOPC and Excel Connector 5.80.* to OpcFoundation.NetStandard.* 1.5.374.54, and information will be posted here when it becomes available.
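As an added example (not part of this knowledge base article, nor OPC Labs code), the script below applies the version threshold stated above to a dependency listing: it walks the JSON produced by `dotnet list package --include-transitive --format json` and flags any OpcFoundation.NetStandard.* package, direct or transitive, whose resolved version is below 1.5.374.54. The JSON layout and the package identifiers in the embedded sample are assumptions constructed for the example; run it against your own project's listing instead.

```python
"""Flag OpcFoundation.NetStandard.* packages below the first unaffected
version (1.5.374.54, per the advisory above) in a `dotnet list package
--include-transitive --format json` listing. The JSON layout is assumed."""
import json

FIRST_UNAFFECTED = "1.5.374.54"   # first version referencing a fixed System.Formats.Asn1
PREFIX = "OpcFoundation.NetStandard."

def parse_version(version: str) -> tuple:
    """Turn '1.4.372.56' into (1, 4, 372, 56); a pre-release suffix after '-'
    is dropped so the numeric components still compare as tuples."""
    numeric = version.split("-", 1)[0]
    return tuple(int(part) for part in numeric.split("."))

def is_affected(version: str) -> bool:
    """True when an OpcFoundation.NetStandard.* version precedes 1.5.374.54."""
    return parse_version(version) < parse_version(FIRST_UNAFFECTED)

def find_affected(listing: dict) -> list:
    """Return (project, framework, package id, version, kind) for every
    OpcFoundation.NetStandard.* package still in the affected range.
    Transitive packages are included: that is how QuickOPC pulls them in."""
    hits = []
    for project in listing.get("projects", []):
        for fw in project.get("frameworks", []):
            for kind in ("topLevelPackages", "transitivePackages"):
                for pkg in fw.get(kind, []):
                    if pkg["id"].startswith(PREFIX) and is_affected(pkg["resolvedVersion"]):
                        hits.append((project["path"], fw["framework"],
                                     pkg["id"], pkg["resolvedVersion"], kind))
    return hits

# Constructed sample listing: one project on the 5.80 line (affected),
# one already resolved to the first unaffected OPC Foundation version.
SAMPLE = json.loads("""{"version": 1, "parameters": "--include-transitive", "projects": [
  {"path": "Client580.csproj", "frameworks": [{"framework": "net8.0",
    "topLevelPackages": [{"id": "OpcLabs.QuickOpc", "requestedVersion": "5.80.293.1",
                          "resolvedVersion": "5.80.293.1"}],
    "transitivePackages": [{"id": "OpcFoundation.NetStandard.Opc.Ua.Core",
                            "resolvedVersion": "1.4.372.56"}]}]},
  {"path": "Upgraded.csproj", "frameworks": [{"framework": "net8.0",
    "topLevelPackages": [],
    "transitivePackages": [{"id": "OpcFoundation.NetStandard.Opc.Ua.Core",
                            "resolvedVersion": "1.5.374.54"}]}]}]}""")

if __name__ == "__main__":
    for path, framework, pkg_id, version, kind in find_affected(SAMPLE):
        print(f"{path} [{framework}]: {pkg_id} {version} ({kind}) is below {FIRST_UNAFFECTED}")
```

Replace `SAMPLE` with `json.load(open("packages.json"))` after redirecting the `dotnet list package` output to that file.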