Many Vulnerabilities Found in OPC UA Industrial Protocol

By Eduard Kovacs on May 10, 2018

Researchers at Kaspersky Lab have identified a significant number of vulnerabilities in the OPC UA protocol, including flaws that could, in theory, be exploited to cause physical damage in industrial environments.

Developed and maintained by the OPC Foundation, OPC UA stands for Open Platform Communications Unified Automation. The protocol is widely used in industrial automation, including for control systems (ICS) and communications between Industrial Internet-of-Things (IIoT) and smart city systems.

Researchers at Kaspersky Lab, which is a member of the OPC Foundation consortium, have conducted a detailed analysis of OPC UA and discovered many vulnerabilities, including ones that can be exploited for remote code execution and denial-of-service (DoS) attacks.

There are several implementations of OPC UA, but experts focused on the OPC Foundation’s implementation - for which source code is publicly available - and third-party applications using the OPC UA Stack.
A total of 17 vulnerabilities have been identified in the OPC Foundation’s products and several flaws in commercial applications that use these products. Most of the issues were discovered through fuzzing.

Exploitation of the vulnerabilities depends on how the targeted network is configured, but in most cases, it will require access to the local network, Kaspersky researchers Pavel Cheremushkin and Sergey Temnikov told SecurityWeek in an interview at the company’s Security Analyst Summit in March. The experts said they had never seen a configuration that would allow attacks directly from the Internet.

An attacker first has to identify a service that uses OPC UA, and then send it a payload that triggers a DoS condition or remote code execution.

Remote code execution vulnerabilities can be leveraged by attackers to move laterally within the network, control industrial processes, and to hide their presence. However, DoS attacks can have an even more significant impact in the case of industrial systems.

“In industrial systems, denial-of-service vulnerabilities pose a more serious threat than in any other software,” Cheremushkin and Temnikov wrote in a report published on Thursday. “Denial-of-service conditions in telemetry and telecontrol systems can cause enterprises to suffer financial losses and, in some cases, even lead to the disruption and shutdown of the industrial process. In theory, this could cause harm to expensive equipment and other physical damage.”

All the security holes were reported to the OPC Foundation and their respective developers and patches were released. Applying the patches is not difficult considering that the OPC Stack is a DLL file and updates are performed simply by replacing the old file with the new one.
The OPC Foundation has released advisories for the security holes discovered by Kaspersky researchers, but grouped all the issues under two CVE identifiers: CVE-2017-17433 and CVE-2017-12069. The latter also impacts automation and power distribution products from Siemens, which has also published an advisory.

“Based on our assessment, the current OPC UA Stack implementation not only fails to protect developers from trivial errors but also tends to provoke errors - we have seen this in real-world examples. Given today’s threat landscape, this is unacceptable for products as widely used as OPC UA. And this is even less acceptable for products designed for industrial automation systems,” researchers said.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.