CVE-2020-27297
📋 TL;DR
This vulnerability allows an unauthenticated remote attacker to execute arbitrary code on an affected OPC UA Tunneller host through a heap-based buffer overflow: crafted network input lets the attacker write controlled values into heap memory and achieve remote code execution. All versions of Matrikon OPC UA Tunneller prior to 6.3.0.8233 are affected.
💻 Affected Systems
- Matrikon OPC UA Tunneller, all versions prior to 6.3.0.8233
📦 What is this software?
OPC UA Tunneller is a Matrikon (Honeywell) product that tunnels OPC traffic between OPC Classic (DCOM-based DA/HDA/A&E) and OPC UA clients and servers across network boundaries, so industrial applications can exchange process data without DCOM configuration through firewalls. It typically runs as a Windows service on gateway or operator hosts with direct connectivity to control-system networks, which is why a pre-authentication code-execution bug in it matters.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the OPC UA Tunneller, potentially pivoting to industrial control systems and causing operational disruption or safety incidents.
Likely Case
Remote code execution allowing attackers to install malware, exfiltrate sensitive industrial data, or disrupt OPC UA communications between industrial systems.
If Mitigated
Limited impact with proper network segmentation and access controls preventing exploitation attempts from reaching vulnerable systems.
🎯 Exploit Status
Exploitation requires network reachability to the Tunneller's listening port; no credentials and no user interaction are needed, but the attacker must craft specific malformed packets that trigger the overflow.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.3.0.8233
Vendor Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-21-021-03
Restart Required: Yes
Instructions:
1. Download OPC UA Tunneller version 6.3.0.8233 or later from the vendor.
2. Stop the OPC UA Tunneller service.
3. Install the updated version.
4. Restart the service.
5. Verify the installed version is 6.3.0.8233 or higher.
🔧 Temporary Workarounds
Network Segmentation
Isolate OPC UA Tunneller systems from untrusted networks using firewalls and network segmentation, so that only the OPC clients and servers that need the tunnel can reach its listening port.
Access Control Lists
Implement strict network access controls (network-firewall and host-firewall rules) that limit which source addresses can communicate with OPC UA Tunneller services.
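The host-firewall half of the access-control workaround, as an added example that is not vendor guidance: it scopes the Tunneller's listening port to an explicit allow-list with the built-in Windows Defender Firewall. The port (TCP 4840, the OPC UA default) and the two peer addresses are placeholders; substitute the port configured on your installation and your real OPC client and server addresses. The same allow-list should be mirrored on the network firewall in front of the host.

```powershell
# Added example, not Honeywell/Matrikon guidance. Assumptions (placeholders):
# the Tunneller listens on TCP 4840 and the only legitimate peers are the two
# addresses below.
$TunnellerPort = '4840'
$AllowedPeers  = @('10.10.20.11', '10.10.20.12')
$RuleName      = 'OPC UA Tunneller - allow listed peers only'

# 1. Windows Firewall gives block rules priority over allow rules, so a
#    "block all" rule for the port would also block the listed peers. The
#    correct pattern is: default inbound action = Block, plus one allow rule
#    scoped to the peers.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Report pre-existing allow rules that open the port (often created by an
#    installer); these must be removed or scoped or they undo the restriction.
$BroadRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $TunnellerPort } |
    Get-NetFirewallRule |
    Where-Object { $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName }
foreach ($r in $BroadRules) {
    $scope = ($r | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    Write-Warning ("Existing allow rule '{0}' permits TCP {1} from: {2}" -f
        $r.DisplayName, $TunnellerPort, $scope)
}

# 3. Create (or recreate, so the script is idempotent) the scoped allow rule.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $TunnellerPort -RemoteAddress $AllowedPeers `
    -Profile Any | Out-Null

# 4. Show the resulting remote-address scope for review.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Run from an elevated PowerShell session. Any rule reported in step 2 with a RemoteAddress of Any is a hole that this script deliberately does not delete automatically, because it may also carry other OPC ports; review and tighten each one by hand.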
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable systems from untrusted networks
- Deploy intrusion detection/prevention systems to monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the OPC UA Tunneller version in the application interface or in Windows Programs and Features. If the version is below 6.3.0.8233, the system is vulnerable.
Check Version:
Read the version from the application GUI, the installed-programs list, or the product's entry under the Windows Uninstall registry keys. Compare it numerically rather than as a string, so that a four-part build number such as 6.3.0.8233 is ordered correctly against other builds.
Verify Fix Applied:
After the service has been restarted, verify through the same interface that the installed version is 6.3.0.8233 or higher.
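A scripted version check covering both the fix instructions above and the verification steps, as an added example that is not the vendor's tooling: it reads the product's entry from the Windows Uninstall registry keys and compares it to the fixed build with the [version] type, which orders 6.3.0.8233 correctly where a string comparison would not. The DisplayName pattern "*OPC UA Tunneller*" is an assumption about how the installer registers the product; adjust it if your installation lists a different name.

```powershell
# Added example, not from the advisory or vendor. Assumptions: the product is
# registered under the standard Uninstall keys with a DisplayName containing
# "OPC UA Tunneller" and a four-part DisplayVersion such as 6.3.0.8233.
$FixedVersion = [version]'6.3.0.8233'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Products = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*OPC UA Tunneller*' }

if (-not $Products) {
    Write-Output 'No OPC UA Tunneller entry found under the Uninstall registry keys; check the application GUI.'
    return
}

foreach ($p in $Products) {
    # Cast to [version] so that e.g. 6.10.0.1 sorts above 6.3.0.8233;
    # a plain string comparison would get that wrong.
    $installed = $null
    if (-not [version]::TryParse([string]$p.DisplayVersion, [ref]$installed)) {
        Write-Output ("{0}: unparsable DisplayVersion '{1}' - check the GUI" -f
            $p.DisplayName, $p.DisplayVersion)
        continue
    }
    if ($installed -lt $FixedVersion) {
        Write-Output ("VULNERABLE: {0} {1} is below {2}; upgrade and restart the service" -f
            $p.DisplayName, $installed, $FixedVersion)
    } else {
        Write-Output ("OK: {0} {1} is at or above {2}" -f
            $p.DisplayName, $installed, $FixedVersion)
    }
}
```

Because the fix requires a service restart, re-run this after the restart as the final verification step, not merely after the installer completes.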
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from OPC UA Tunneller service
- Memory access violations in system logs
- Failed connection attempts to unusual ports
Network Indicators:
- Unusual traffic patterns to the OPC UA Tunneller listening port (4840 is the OPC UA default; confirm the port actually configured on your installation)
- Malformed OPC UA packets
- Connection attempts from unexpected sources
SIEM Query:
source="OPC_UA_Tunneller" AND (event_type="memory_violation" OR process_name="cmd.exe" OR process_name="powershell.exe")
Field names are illustrative and depend on your SIEM schema. The highest-signal condition is the Tunneller process appearing as the parent of a shell or script host, which it should never do in normal operation.
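The "unusual process creation" indicator as an endpoint hunt, added here as an example and not part of the original advisory: it reads Sysmon process-creation events (Event ID 1) and reports shells or script hosts whose parent is the Tunneller process. It assumes Sysmon is installed with process-creation logging enabled and that the Tunneller binary's path contains "Tunneller"; that pattern is a placeholder, so substitute the real image path from your installation.

```powershell
# Added example, not from the advisory. Assumptions: Sysmon Event ID 1 is being
# logged, and the Tunneller image path matches $ParentPattern (placeholder).
$ParentPattern = '*Tunneller*'
$SuspectImages = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                   'cscript.exe', 'mshta.exe', 'rundll32.exe', 'certutil.exe')
$Since         = (Get-Date).AddDays(-7)

$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = $Since
} -ErrorAction SilentlyContinue

$Hits = foreach ($e in $Events) {
    # Read named fields from the EventData XML instead of positional
    # Properties[] indexes, which shift between Sysmon schema versions.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['ParentImage'] -like $ParentPattern -and
        $SuspectImages -contains [IO.Path]::GetFileName($data['Image'])) {
        [pscustomobject]@{
            Time        = $data['UtcTime']
            Parent      = $data['ParentImage']
            Child       = $data['Image']
            CommandLine = $data['CommandLine']
            User        = $data['User']
        }
    }
}

if ($Hits) {
    $Hits | Sort-Object Time | Format-Table -AutoSize -Wrap
} else {
    Write-Output ("No suspicious child processes of {0} since {1}." -f $ParentPattern, $Since)
}
```

A service that only relays OPC traffic has no business spawning any child process, so a stricter variant drops the $SuspectImages filter and reports every child of the Tunneller; start with the filtered form to confirm the parent-image pattern is right, then widen it.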