CVE-2021-27432

7.5 HIGH

📋 TL;DR

This vulnerability in OPC Foundation UA .NET Standard and Legacy libraries allows attackers to trigger uncontrolled recursion leading to stack overflow. It affects industrial control systems using vulnerable OPC UA implementations, potentially causing denial of service or remote code execution.

💻 Affected Systems

Products:
  • OPC Foundation UA .NET Standard
  • OPC UA .NET Legacy
Versions: prior to 1.4.365.48
Operating Systems: Windows, Linux, Any OS running .NET
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any application using vulnerable OPC UA libraries, particularly industrial control systems and SCADA environments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, process disruption in industrial environments, or persistent backdoor installation.

🟠 Likely Case

Denial of service causing OPC UA server crashes, disrupting industrial processes and communication between control systems.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, potentially only causing service restarts.

🌐 Internet-Facing: HIGH - OPC UA servers exposed to internet are directly vulnerable to remote exploitation.
🏢 Internal Only: MEDIUM - Internal networks still vulnerable to insider threats or lateral movement attacks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted OPC UA messages to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.365.48 or later

Vendor Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-21-133-03

Restart Required: Yes

Instructions:

1. Update OPC UA .NET Standard to version 1.4.365.48 or later.
2. Recompile and redeploy applications using the updated library.
3. Restart affected OPC UA services.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Isolate OPC UA servers from untrusted networks using firewalls.

Message Size Limiting (all platforms)

Configure OPC UA servers to limit maximum message size.

🧯 If You Can't Patch

  • Implement strict network access controls to limit OPC UA traffic to trusted sources only
  • Deploy intrusion detection systems to monitor for abnormal OPC UA message patterns

🔍 How to Verify

Check if Vulnerable:

Check OPC UA library version in application dependencies or installed packages

Check Version:

Check application configuration or package manager for OPC.UA.Core version

Verify Fix Applied:

Verify OPC UA .NET Standard version is 1.4.365.48 or higher
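
The version check above can be automated for NuGet-based projects. The following is an added example, not code from the vendor or this advisory: it scans a `.csproj` or `packages.config` for OPC UA package references and compares each against 1.4.365.48. The package id prefix `OPCFoundation.NetStandard.Opc.Ua` is an assumption about how the library is referenced, and the sample manifests are constructed.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (1, 4, 365, 48)                       # first fixed version per the advisory
PREFIX = "opcfoundation.netstandard.opc.ua"   # assumed NuGet package id prefix

def parse_version(text):
    """Return a 4-part int tuple, or None for wildcards, ranges and suffixed versions."""
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text.strip()):
        return None
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unresolved"   # not pinned here: check the lock file or restored assets
    return "vulnerable" if v < FIXED else "fixed"

def scan_manifest(xml_text):
    """Return [(package id, version, status)] for OPC UA references in a manifest."""
    results = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]       # ignore any XML namespace
        if tag == "PackageReference":         # SDK-style or legacy .csproj
            pkg = el.get("Include") or el.get("Update") or ""
            ver = el.get("Version") or next(
                (c.text or "" for c in el if c.tag.rsplit("}", 1)[-1] == "Version"), "")
        elif tag == "package":                # packages.config
            pkg, ver = el.get("id", ""), el.get("version", "")
        else:
            continue
        if pkg.lower().startswith(PREFIX):
            results.append((pkg, ver, classify(ver)))
    return results

# Constructed sample manifests (not taken from any real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua" Version="1.4.363.107" />
  <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua.Client" Version="1.4.365.48" />
  <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua.Server" Version="1.4.*" />
  <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
</ItemGroup></Project>"""
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="OPCFoundation.NetStandard.Opc.Ua" version="1.4.354.23" targetFramework="net462" />
</packages>"""

if __name__ == "__main__":
    for row in scan_manifest(SAMPLE_CSPROJ) + scan_manifest(SAMPLE_PACKAGES_CONFIG):
        print(*row)
```

An "unresolved" result means the manifest does not pin an exact version, so the deployed assembly version still has to be confirmed. Applications that reference the Legacy library as a plain assembly rather than a NuGet package are outside what this scan covers.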

📡 Detection & Monitoring

Log Indicators:

  • OPC UA service crashes
  • Stack overflow errors in application logs
  • Abnormal termination of OPC UA processes

Network Indicators:

  • Unusually large OPC UA messages
  • Rapid sequence of OPC UA requests
  • Traffic from unexpected sources to OPC UA ports (typically 4840)

SIEM Query:

source="opcua" AND (event_type="crash" OR error="stack overflow")
