CVE-2021-40872

7.5 HIGH

📋 TL;DR

This vulnerability in Softing Industrial Automation uaToolkit Embedded allows remote attackers to cause a denial of service (DoS) by crashing the OPC/UA server process, or to bypass authentication and log in as anonymous users. It affects industrial automation systems built with affected versions of the uaToolkit Embedded library. The root cause is an invalid type cast when the server processes crafted messages.

💻 Affected Systems

Products:
  • Softing Industrial Automation uaToolkit Embedded
Versions: All versions before 1.40
Operating Systems: All platforms running uaToolkit Embedded
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any OPC/UA server built with vulnerable uaToolkit Embedded library versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain unauthorized access as anonymous users to industrial control systems, potentially manipulating processes or causing system crashes that disrupt critical operations.

🟠 Likely Case

Denial-of-service attacks that crash OPC/UA servers, requiring a manual restart and causing temporary operational disruption in industrial environments.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, though the authentication bypass can still occur if a reachable server is exploited.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted messages to OPC/UA server endpoints, which are typically reachable on industrial networks; no prior authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.40 or later

Vendor Advisory: https://industrial.softing.com/fileadmin/sof-files/pdf/ia/support/Security_Bulletin_CVE-2021-40872.pdf

Restart Required: Yes

Instructions:

1. Download uaToolkit Embedded version 1.40 or later from Softing.
2. Rebuild and redeploy OPC/UA applications with the updated library.
3. Restart all affected OPC/UA server processes.

🔧 Temporary Workarounds

Network Segmentation

Platforms: all

Isolate OPC/UA servers from untrusted networks using firewalls or network segmentation.

Access Control Lists

Platforms: all

Restrict access to OPC/UA server ports (typically 4840/tcp) to authorized systems only.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate OPC/UA servers from untrusted networks
  • Deploy intrusion detection systems to monitor for anomalous OPC/UA traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check whether the OPC/UA server was built with a uaToolkit Embedded library version earlier than 1.40.

Check Version:

Check the application documentation or contact the application vendor for the embedded library version; the toolkit version is usually not visible from the network.

Verify Fix Applied:

Verify that the uaToolkit Embedded library version is 1.40 or later in the deployed applications, and that the server processes were restarted after redeployment.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected OPC/UA server crashes
  • Authentication failures followed by anonymous access

Network Indicators:

  • Unusual OPC/UA message patterns to port 4840/tcp
  • Multiple connection attempts with malformed packets

SIEM Query (pseudo-syntax; map the field names to your platform's schema, and note that for traffic towards the server 4840 is the destination port):

source_port:4840 AND (event_type:crash OR auth_result:anonymous)
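The two log indicators listed above (a server crash, and an authentication failure followed by anonymous access from the same client) can be checked with a small script run over the OPC/UA server's application log. The following detector is an added example, not part of this advisory or of Softing's software; the log format it parses and the sample lines it contains are constructed for the example and must be adapted to the real log format of the server in use. It also optionally flags any successful anonymous session when the server's policy is supposed to disallow anonymous access, since under this bug an anonymous session appearing where none should exist is itself an indicator.

```python
"""Detector for the log indicators of CVE-2021-40872 (added example).

Assumptions (not from the advisory): the OPC/UA server writes one event per
line as '<ISO timestamp> <LEVEL> key=value ...'. The sample lines below are
constructed, not real product output.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log: a failed username login immediately followed by an
# anonymous session from the same client, a benign anonymous session from
# another client, and a server crash.
SAMPLE_LOG = """\
2021-09-13T10:00:01Z INFO  session=17 client=10.0.5.21 event=activate_session auth=username result=failure
2021-09-13T10:00:03Z INFO  session=18 client=10.0.5.21 event=activate_session auth=anonymous result=success
2021-09-13T10:00:10Z INFO  session=19 client=10.0.5.40 event=activate_session auth=username result=success
2021-09-13T10:05:00Z INFO  session=20 client=10.0.5.40 event=activate_session auth=anonymous result=success
2021-09-13T10:07:12Z ERROR server event=crash reason=segfault
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one log line into a dict of fields; return None for lines that
    do not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["level"] = m.group("level")
    return fields


def detect(log_text, window_seconds=30, anonymous_allowed=True):
    """Return a list of alert tuples found in the log text.

    Alerts:
      ("server_crash", timestamp, reason)
      ("failed_auth_then_anonymous", client, session)   # failure then
          anonymous success from the same client within window_seconds
      ("anonymous_session_not_permitted", client, session)  # only when
          anonymous_allowed is False
    """
    alerts = []
    last_failure = {}  # client address -> timestamp of its last failed login
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev.get("event") == "crash":
            alerts.append(("server_crash", ev["ts"].isoformat(),
                           ev.get("reason", "unknown")))
            continue
        if ev.get("event") != "activate_session":
            continue
        client = ev.get("client")
        if ev.get("result") == "failure":
            last_failure[client] = ev["ts"]
        elif ev.get("auth") == "anonymous" and ev.get("result") == "success":
            prior = last_failure.get(client)
            if prior is not None and ev["ts"] - prior <= timedelta(seconds=window_seconds):
                alerts.append(("failed_auth_then_anonymous", client, ev.get("session")))
            if not anonymous_allowed:
                alerts.append(("anonymous_session_not_permitted", client, ev.get("session")))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the detector reports the failed-then-anonymous sequence for client 10.0.5.21 (session 18) and the crash at 10:07:12, while the anonymous session from 10.0.5.40 is not flagged unless `anonymous_allowed=False` is passed. The time window keeps the rule from firing on an unrelated anonymous session long after a forgotten typo in a password; widen or narrow it to match how quickly legitimate clients retry.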
