CVE-2020-27295 – CVE-2020-27295 is a denial-of-service vulnerabi... (How to Fix)

Q: What is the severity of CVE-2020-27295?

CVE-2020-27295 has a CVSS score of 7.5 (HIGH). CVE-2020-27295 is a denial-of-service vulnerability in the OPC UA Tunneller software where uncontrolled resource consumption allows attackers to crash the service. This affects industrial control systems using OPC UA Tunneller versions before 6.3.0.8233. Attackers can disrupt OPC UA communications between industrial devices and control systems.

📋 TL;DR

CVE-2020-27295 is a denial-of-service vulnerability in the OPC UA Tunneller software where uncontrolled resource consumption allows attackers to crash the service. This affects industrial control systems using OPC UA Tunneller versions before 6.3.0.8233. Attackers can disrupt OPC UA communications between industrial devices and control systems.

💻 Affected Systems

Products:

OPC UA Tunneller

Versions: All versions prior to 6.3.0.8233

Operating Systems: Windows, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all default configurations of OPC UA Tunneller. Industrial control systems using this software for OPC UA communications are vulnerable.

📦 What is this software?

Opc Ua Tunneller by Honeywell

View all CVEs affecting Opc Ua Tunneller →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete disruption of OPC UA communications between industrial devices and control systems, potentially halting industrial processes or causing safety system failures.

🟠

Likely Case

Service crashes requiring manual restart, causing temporary disruption to industrial monitoring and control communications.

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring; service may restart automatically if configured.

🌐 Internet-Facing: MEDIUM - While OPC UA Tunneller is typically deployed internally, exposed instances could be targeted from the internet.

🏢 Internal Only: HIGH - Industrial networks often have flat architectures, allowing lateral movement once inside the network.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability requires network access to the OPC UA Tunneller service but no authentication. Exploitation is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.3.0.8233

Vendor Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-21-021-03

Restart Required: Yes

Instructions:

1. Download OPC UA Tunneller version 6.3.0.8233 or later from the vendor. 2. Stop the OPC UA Tunneller service. 3. Install the updated version. 4. Restart the service. 5. Verify the service is running correctly.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict network access to OPC UA Tunneller to only trusted systems and networks.

Rate Limiting

all

Implement network-level rate limiting on connections to the OPC UA Tunneller service.

🧯 If You Can't Patch

Implement strict network access controls to limit which systems can communicate with OPC UA Tunneller.
Deploy network monitoring and intrusion detection systems to detect and alert on potential exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check the OPC UA Tunneller version in the application interface or configuration files. If version is below 6.3.0.8233, the system is vulnerable.

Check Version:

Check application GUI or configuration files for version information. On Windows, check installed programs list. On Linux, check package manager or application logs.

Verify Fix Applied:

Verify the OPC UA Tunneller version shows 6.3.0.8233 or higher and test service functionality with normal OPC UA communications.

📡 Detection & Monitoring

Log Indicators:

Unusual connection spikes to OPC UA Tunneller
Service crash/restart events in system logs
High resource consumption alerts

Network Indicators:

Abnormal traffic patterns to OPC UA Tunneller port (typically 4840)
Multiple rapid connection attempts from single source

SIEM Query:

source="OPC_UA_Tunneller" AND (event="crash" OR event="restart") OR dest_port=4840 AND connection_count>1000

📊 Metadata

CVE ID: CVE-2020-27295

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

Published: January 26, 2021

Last Updated: November 21, 2024

🔗 References

https://us-cert.cisa.gov/ics/advisories/icsa-21-021-03 Third Party Advisory,US Government Resource
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-03 Third Party Advisory,US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-27295, you might also want to check these: