CVE-2023-37572
📋 TL;DR
Softing OPC Suite versions 5.25 and earlier have an incorrect access control vulnerability in the OSF_discovery service that allows attackers to obtain sensitive information through weak permissions. Attackers could modify or delete the service executable. This affects all users running vulnerable versions of Softing OPC Suite.
💻 Affected Systems
- Softing OPC Suite
📦 What is this software?
Opc by Softing
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full control over the OSF_discovery service, allowing them to execute arbitrary code with system privileges, steal sensitive industrial control system data, or disrupt OPC communications.
Likely Case
Attackers exploit weak permissions to access sensitive configuration data, service credentials, or modify service behavior to intercept industrial communications.
If Mitigated
With proper access controls and network segmentation, impact is limited to unauthorized information disclosure without system compromise.
🎯 Exploit Status
Exploitation requires local access or network access to the service. Attack complexity is low due to weak permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.26 or later
Vendor Advisory: https://industrial.softing.com/fileadmin/psirt/downloads/2023/syt-2023-5.html
Restart Required: Yes
Instructions:
1. Download Softing OPC Suite version 5.26 or later from the Softing website.
2. Back up the current configuration.
3. Run the installer to upgrade.
4. Restart affected services.
5. Verify service permissions are properly set.
🔧 Temporary Workarounds
Restrict OSF_discovery service permissions
Windows: Manually adjust Windows permissions on the OSF_discovery service executable and registry keys to restrict access to authorized users only.
icacls "C:\Program Files\Softing\OPC Suite\OSF_discovery.exe" /inheritance:r /grant:r "SYSTEM:(F)" "Administrators:(F)"
sc sdset OSF_discovery D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
Disable OSF_discovery service if not needed
Windows: Stop and disable the vulnerable service if it's not required for operations.
sc stop OSF_discovery
sc config OSF_discovery start= disabled
🧯 If You Can't Patch
- Implement strict network segmentation to isolate OPC Suite systems from untrusted networks.
- Deploy application whitelisting to prevent unauthorized modifications to the OSF_discovery executable.
🔍 How to Verify
Check if Vulnerable:
Check the Softing OPC Suite version in Control Panel > Programs and Features. If the version is 5.25 or earlier, the system is vulnerable.
Check Version:
wmic product where "name like 'Softing OPC Suite%'" get version
Verify Fix Applied:
Verify version is 5.26 or later and check OSF_discovery service permissions using: icacls "C:\Program Files\Softing\OPC Suite\OSF_discovery.exe"
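To confirm that the service security descriptor from the workaround above is in place, the SDDL string printed by `sc sdshow OSF_discovery` can be audited offline. The following Python check is an added example, not vendor or original page code: it reports allow ACEs that grant takeover-capable rights to any trustee other than SYSTEM and Administrators. The names `risky_aces`, `HARDENED` and `WEAK_SAMPLE` are hypothetical, and the weak descriptor is constructed for illustration, not read from a vulnerable install.

```python
import re

# SDDL rights codes that, on a service object, let the holder take it over.
RISKY = {"DC": "SERVICE_CHANGE_CONFIG", "SD": "DELETE", "WD": "WRITE_DAC",
         "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
# The same rights as access-mask bits, for ACEs written in hex form.
RISKY_BITS = {0x2: "DC", 0x10000: "SD", 0x40000: "WD", 0x80000: "WO",
              0x10000000: "GA", 0x40000000: "GW"}
# LocalSystem and BUILTIN/Administrators, as SDDL aliases and as full SIDs.
TRUSTED = {"SY", "BA", "S-1-5-18", "S-1-5-32-544"}

def risky_aces(sddl):
    """Return [(trustee, [right, ...])] for allow ACEs that give a
    non-admin trustee a risky right on the service."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if dacl is None:
        raise ValueError("no DACL in SDDL string")
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + ace)
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if ace_type != "A" or trustee in TRUSTED:
            continue
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
            codes = [code for bit, code in RISKY_BITS.items() if mask & bit]
        else:
            codes = re.findall("..", rights)  # rights are two-letter codes
        hits = [RISKY[c] for c in codes if c in RISKY]
        if hits:
            findings.append((trustee, hits))
    return findings

# Descriptor from the workaround on this page.
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
# Constructed sample (not from a real install): Authenticated Users hold DC.
WEAK_SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)")

if __name__ == "__main__":
    for name, sddl in (("hardened", HARDENED), ("weak sample", WEAK_SAMPLE)):
        print(name, risky_aces(sddl) or "no risky ACEs for non-admin trustees")
```

An empty result for the live descriptor means only SYSTEM and Administrators can reconfigure or delete the service; the file ACL on the executable still needs the separate icacls check.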
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing unauthorized access attempts to OSF_discovery service
- Security logs showing permission changes to Softing OPC Suite files
Network Indicators:
- Unusual network traffic to/from OSF_discovery service port
- Connection attempts from unauthorized IP addresses to OPC services
SIEM Query:
EventID=4663 AND (ObjectName LIKE '%OSF_discovery%' OR ProcessName LIKE '%OSF_discovery%')