CVE-2020-27267

9.1 CRITICAL

📋 TL;DR

A heap-based buffer overflow vulnerability in multiple industrial OPC UA server products allows attackers to crash servers and potentially leak data by sending specially crafted OPC UA messages. This affects numerous industrial automation and SCADA systems from multiple vendors including KEPServerEX, ThingWorx, Rockwell Automation, GE Digital, and Software Toolbox. The vulnerability is particularly concerning for industrial control systems where availability is critical.

💻 Affected Systems

Products:
  • KEPServerEX
  • ThingWorx Kepware Server
  • ThingWorx Industrial Connectivity
  • OPC-Aggregator
  • Rockwell Automation KEPServer Enterprise
  • GE Digital Industrial Gateway Server
  • Software Toolbox TOP Server
Versions:
  • KEPServerEX v6.0 to v6.9
  • ThingWorx Kepware Server v6.8 and v6.9
  • ThingWorx Industrial Connectivity (all versions)
  • OPC-Aggregator (all versions)
  • GE Digital Industrial Gateway Server v7.68.804 and v7.66
  • Software Toolbox TOP Server (all 6.x versions)
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All affected products use the OPC UA protocol and are vulnerable when OPC UA endpoints are enabled

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data exfiltration, and disruption of industrial operations

🟠 Likely Case: Denial of service through server crashes and potential information disclosure via memory leaks

🟢 If Mitigated: Limited impact with proper network segmentation and monitoring, though service disruption remains possible

🌐 Internet-Facing: HIGH - Directly exposed OPC UA endpoints can be exploited remotely without authentication
🏢 Internal Only: MEDIUM - Requires internal network access but exploitation is still possible from compromised internal systems

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific OPC UA messages but does not require authentication

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: KEPServerEX v6.10+, ThingWorx Kepware Server v6.10+, GE Digital Industrial Gateway Server v7.70+, Software Toolbox TOP Server v6.10+

Vendor Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-352-02

Restart Required: Yes

Instructions:

1. Identify affected products and versions.
2. Download and apply vendor-provided patches.
3. Restart affected services.
4. Verify patch installation and functionality.

🔧 Temporary Workarounds

Network Segmentation (applies to: all): Isolate OPC UA servers from untrusted networks using firewalls

Disable OPC UA Endpoints (applies to: all): Disable the OPC UA protocol if it is not required for operations

🧯 If You Can't Patch

  • Implement strict network access controls to limit OPC UA traffic to trusted sources only
  • Deploy intrusion detection systems to monitor for anomalous OPC UA traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check product version against affected versions list and verify OPC UA endpoints are enabled

Check Version:

Check via product administration interface or vendor-specific version commands

Verify Fix Applied:

Verify installed version is patched version or higher and test OPC UA connectivity
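The version check above, as an added example (not vendor or advisory code): it compares an installed version string against the affected and fixed versions listed on this page using numeric tuples, since a plain string compare would wrongly sort "6.10" before "6.9". The product names used as keys are assumed labels, and versions between a listed affected version and the first fixed version are assumed affected.

```python
import re

# (first affected version, first fixed version) taken from this advisory.
# None as the fixed version means the page lists no patched release.
AFFECTED = {
    "KEPServerEX": ((6, 0), (6, 10)),
    "ThingWorx Kepware Server": ((6, 8), (6, 10)),
    "GE Digital Industrial Gateway Server": ((7, 66), (7, 70)),
    "Software Toolbox TOP Server": ((6, 0), (6, 10)),
    "ThingWorx Industrial Connectivity": ((0,), None),  # all versions
    "OPC-Aggregator": ((0,), None),                    # all versions
}


def parse_version(text):
    """Turn 'v6.9.572' or '6.10' into a tuple of ints.

    Tuples compare numerically, so (6, 10) > (6, 9); the raw strings
    would compare the other way round and mark a patched host as vulnerable.
    """
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(product, version_text, opcua_enabled=True):
    """True when the installed version is in the affected range and the
    OPC UA endpoint is enabled (the precondition stated in the advisory)."""
    if product not in AFFECTED:
        raise KeyError(f"product not covered by this advisory: {product}")
    if not opcua_enabled:
        return False
    low, fixed = AFFECTED[product]
    installed = parse_version(version_text)
    if installed < low:
        return False
    return fixed is None or installed < fixed


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for prod, ver in [("KEPServerEX", "v6.9.572"), ("KEPServerEX", "6.10.1"),
                      ("GE Digital Industrial Gateway Server", "7.68.804")]:
        print(prod, ver, "VULNERABLE" if is_vulnerable(prod, ver) else "ok")
```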

📡 Detection & Monitoring

Log Indicators:

  • OPC UA server crash logs
  • Memory access violation errors
  • Unusual OPC UA connection attempts

Network Indicators:

  • Malformed OPC UA packets
  • Unusual traffic patterns to OPC UA ports (typically 4840)

SIEM Query:

source="opc-ua-server" AND (event_type="crash" OR error="buffer_overflow" OR error="memory_violation")
