[NB07-22] Multiple vulnerabilities in NETxEIB OPC server

2007-03-2400:00:00

vulners.com

JSON

Multiple vulnerabilities in NETxEIB OPC server

OPC servers provide a standard way to interoperate automation and control
systems, bridging data from several industrial protocols such as DNP3,
MODBUS, etc. to a more standard data access interface. They are often used
in SCADA systems to consolidate network device information in a single
point; as such OPC servers are usually considered critical applications.

NETxAUTOMATION commercialises an OPC Server
("NETxEIB.MP.OPEN.OPC.Server.3.0"), more information is available at
http://www.netxautomation.com/.

ANALYSIS

The product presents various security vulnerabilities, allowing an attacker
with access to the OPC interface to arbitrarily read and write the process
memory, potentially leading to the execution of attacker-provided code.

The vulnerabilities reside in the server implementation of the following OPC
Data Access interface methods:

IOPCSyncIO::Read
IOPCSyncIO::Write
IOPCServer::AddGroup
IOPCServer::RemoveGroup
IOPCCommon::SetClientName
IOPCGroupStateMgt::CloneGroup

By providing specially crafted OPC handles the attacker can force the server
to access arbitrary memory, both in read and write operations which can be
potentially leveraged to execute arbitrary code in the OPC server.

VULNERABLE VERSIONS

The vulnerability has been verified to be present in the following version
of the server:

Server name: NETxEIB MP Open OPC Server 3.0
OPC Server CLSID: {AAEEF077-F162-4A1F-AD88-C37F35EA4030}
ProgID: NETxEIB.MP.OPEN.OPC.Server.3.0
Version: 3.0.125
OS: Windows XP

The vulnerability was discovered during an OPC server group assessment for a
customer and is not known to be publicly exploited.