CVE-2022-37013

7.5 HIGH

📋 TL;DR

CVE-2022-37013 is a denial-of-service vulnerability in the Unified Automation OPC UA C++ Demo Server. A remote attacker can send a specially crafted certificate that triggers an infinite loop in the server's certificate processing, leaving the server unresponsive or crashing it. Authentication is not required for exploitation. Organizations running affected versions of this OPC UA server software are vulnerable.

💻 Affected Systems

Products:
  • Unified Automation OPC UA C++ Demo Server
Versions: 1.7.6-537 and earlier (with vendor rollup)
Operating Systems: All platforms running the affected software
Default Config Vulnerable: ⚠️ Yes
Notes: This is a demo server but may be used in production environments. The vulnerability exists in certificate handling logic.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service for OPC UA server operations, disrupting industrial control system communications and potentially affecting the physical processes that depend on them.

🟠 Likely Case

The server hangs or crashes and needs a manual restart, causing a temporary loss of OPC UA communications and monitoring.

🟢 If Mitigated

No impact if the server is patched or properly isolated from untrusted networks.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation makes internet-facing instances extremely vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could still exploit this without authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

ZDI-CAN-17203 is the Zero Day Initiative candidate identifier, which means the issue was reported to the vendor through ZDI's coordinated disclosure program; the researcher's proof of concept is normally shared only with the vendor. Exploitation requires crafting a malicious certificate but no credentials, because the server processes the client certificate while establishing the secure channel, before any user authentication takes place.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.7 and later

Vendor Advisory: https://documentation.unified-automation.com/uasdkcpp/1.7.7/CHANGELOG.txt

Restart Required: Yes

Instructions:

1. Download Unified Automation OPC UA C++ SDK version 1.7.7 or later.
2. Replace the affected demo server with the updated version.
3. Restart the OPC UA server service.

🔧 Temporary Workarounds

Network Segmentation (applies to: all platforms)

Restrict network access to OPC UA servers to trusted clients and networks only.

Firewall Rules (applies to: all platforms)

Implement firewall rules that block untrusted sources from reaching the OPC UA listener (typically 4840/tcp; confirm the port the server is actually configured to listen on, since deployments do not always use the default).

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate OPC UA servers from untrusted networks
  • Deploy intrusion detection systems to monitor for certificate-based attacks on OPC UA ports

🔍 How to Verify

Check if Vulnerable:

You are vulnerable if you run the Unified Automation OPC UA C++ Demo Server at version 1.7.6-537 or earlier. Certificate parsing errors or crashes in the server logs are signs of exploitation attempts, not of the vulnerability itself; the installed version is what decides exposure.

Check Version:

Read the version from the server's own address space: any OPC UA client (for example Unified Automation's UaExpert) can browse Server > ServerStatus > BuildInfo and read the SoftwareVersion and BuildNumber values. Alternatively, check the demo server's installation directory, configuration files or application properties for the SDK version it was built with.

Verify Fix Applied:

Confirm the reported version is 1.7.7 or later, then test that certificate-based client connections still work as expected.
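A scripted form of the version check above, added here as an example; it is not part of the original advisory and not Unified Automation's tooling. It parses the vendor's version strings such as 1.7.6-537, decides whether a build predates the 1.7.7 fix, and, when the third-party asyncua package is installed (an assumption), reads SoftwareVersion and BuildNumber from the standard ServerStatus.BuildInfo nodes of a live server. The default endpoint URL is a placeholder; pass the real one on the command line.

```python
"""Version check for CVE-2022-37013 (added example; not vendor code)."""
import re
from typing import NamedTuple, Optional

# Unified Automation SDK builds report versions such as "1.7.6-537":
# major.minor.patch with an optional "-<build>" suffix.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:-(\d+))?\s*$")

# First release the advisory lists as fixed.
FIXED_VERSION = (1, 7, 7)

# Standard OPC UA namespace-0 node ids under Server/ServerStatus/BuildInfo.
NODE_SOFTWARE_VERSION = "i=2264"  # Server_ServerStatus_BuildInfo_SoftwareVersion
NODE_BUILD_NUMBER = "i=2265"      # Server_ServerStatus_BuildInfo_BuildNumber

# Assumption: placeholder endpoint for the demo server; replace with your own.
DEFAULT_ENDPOINT = "opc.tcp://localhost:48010"


class SdkVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int  # 0 when no build number is known


def parse_version(text: str, build_number: Optional[str] = None) -> SdkVersion:
    """Parse "1.7.6-537", or "1.7.6" plus a separately read BuildNumber."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = m.groups()
    if build is None and build_number and build_number.strip().isdigit():
        build = build_number.strip()
    return SdkVersion(int(major), int(minor), int(patch), int(build or 0))


def is_affected(software_version: str, build_number: Optional[str] = None) -> bool:
    """True for 1.7.6-537 and earlier, i.e. any release below 1.7.7."""
    v = parse_version(software_version, build_number)
    return (v.major, v.minor, v.patch) < FIXED_VERSION


def assess(software_version: str, build_number: Optional[str] = None) -> str:
    """One-line verdict suitable for a scan report."""
    v = parse_version(software_version, build_number)
    label = f"{v.major}.{v.minor}.{v.patch}" + (f"-{v.build}" if v.build else "")
    if is_affected(software_version, build_number):
        return f"{label}: AFFECTED by CVE-2022-37013, upgrade to 1.7.7 or later"
    return f"{label}: not affected by CVE-2022-37013"


async def read_build_info(endpoint: str) -> str:
    """Read the BuildInfo nodes from a live server and assess them.

    Needs the third-party asyncua package (assumption: pip install asyncua).
    On a server that allows anonymous sessions no user credentials are needed
    to read these nodes.
    """
    from asyncua import Client
    async with Client(url=endpoint) as client:
        version = await client.get_node(NODE_SOFTWARE_VERSION).read_value()
        build = await client.get_node(NODE_BUILD_NUMBER).read_value()
    return assess(str(version), str(build))


if __name__ == "__main__":
    import asyncio
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ENDPOINT
    print(asyncio.run(read_build_info(url)))
```

Run it as `python check_version.py opc.tcp://<host>:<port>`; if the server reports its version as "1.7.6" with the build number in a separate node, the two values are combined before the comparison, and anything below 1.7.7 is reported as affected.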

📡 Detection & Monitoring

Log Indicators:

  • Server process crashes
  • High CPU usage from infinite loops
  • Certificate parsing errors
  • Connection resets after certificate exchange

Network Indicators:

  • Unusual certificate sizes or structures sent to OPC UA port 4840
  • Multiple connection attempts with malformed certificates

SIEM Query (schematic; map source, event and cpu_usage to the field names in your own log schema):

source="opcua_server" AND (event="crash" OR event="certificate_error" OR cpu_usage>90)
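A sequence-aware version of the SIEM query above, added here as an example; it is not from the original page or the vendor. Rather than alerting on every crash or certificate error in isolation, it raises an alert only when a certificate error on a host is followed within a short window by a crash or a CPU spike on the same host, which is the pattern an infinite loop in certificate processing produces. The log lines and their key=value format are constructed for the example; real Unified Automation server logs will need different parsing.

```python
"""Correlate certificate errors with hangs/crashes (added example; not from the page)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample log in a generic key=value format. Real server logs and
# your SIEM schema differ; adapt parse_line() accordingly.
SAMPLE_LOG = """\
2022-09-01T10:00:01Z host=opcua-srv1 src=10.0.5.23 event=certificate_error msg="client certificate parse failed"
2022-09-01T10:00:02Z host=opcua-srv1 event=cpu_usage value=99
2022-09-01T10:00:31Z host=opcua-srv1 event=crash msg="process restarted by watchdog"
2022-09-01T10:05:00Z host=opcua-srv2 src=10.0.7.8 event=certificate_error msg="expired client certificate"
2022-09-01T10:05:02Z host=opcua-srv2 event=cpu_usage value=35
2022-09-01T11:00:00Z host=opcua-srv3 event=cpu_usage value=97
"""

WINDOW = timedelta(seconds=60)  # how long after a certificate error to look for impact
CPU_THRESHOLD = 90              # percent; mirrors the cpu_usage>90 clause of the SIEM query

_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Optional[dict]:
    """Turn one log line into a dict of fields with a UTC datetime under "ts"."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = {k: (quoted if quoted else bare)
              for k, quoted, bare in _KV_RE.findall(m.group("kv"))}
    fields["ts"] = ts.replace(tzinfo=timezone.utc)
    return fields


def is_impact(e: dict) -> bool:
    """Crash, or a CPU reading above the threshold (an infinite loop pegs a core)."""
    if e.get("event") == "crash":
        return True
    if e.get("event") == "cpu_usage":
        try:
            return float(e.get("value", "0")) > CPU_THRESHOLD
        except ValueError:
            return False
    return False


def correlate(lines: List[str], window: timedelta = WINDOW) -> List[dict]:
    """Alert when a certificate error is followed within `window` by impact on the same host."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    pending: Dict[str, List[dict]] = defaultdict(list)  # host -> unresolved cert errors
    alerts: List[dict] = []
    for e in events:
        host = e.get("host", "unknown")
        if e.get("event") == "certificate_error":
            pending[host].append(e)
            continue
        if not is_impact(e):
            continue
        recent = [c for c in pending[host] if e["ts"] - c["ts"] <= window]
        for c in recent:
            alerts.append({
                "host": host,
                "src": c.get("src"),
                "cert_error_ts": c["ts"],
                "trigger": e["event"],
                "impact_ts": e["ts"],
            })
        # One alert per certificate error: clear so a later crash does not re-fire.
        pending[host].clear()
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(f"{a['host']}: possible CVE-2022-37013 attempt from {a['src']} "
              f"({a['trigger']} at {a['impact_ts']:%H:%M:%S}, "
              f"cert error at {a['cert_error_ts']:%H:%M:%S})")
```

On the sample log only opcua-srv1 fires: its certificate error is followed one second later by a 99% CPU reading, so the alert carries the client address from the certificate error. The expired certificate on opcua-srv2 and the unrelated CPU spike on opcua-srv3 do not, which is the noise the plain OR-query would have raised.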
