CVE-2023-39479
📋 TL;DR
This vulnerability in Softing Secure Integration Server OPC UA Gateway allows authenticated attackers to bypass authentication and create directories on the filesystem. Attackers can combine this with other vulnerabilities to achieve remote code execution as root. Organizations using Softing Secure Integration Server with OPC UA Gateway functionality are affected.
💻 Affected Systems
- Softing Secure Integration Server OPC UA Gateway
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with root privileges leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Unauthorized directory creation enabling file manipulation, privilege escalation, and preparation for further attacks.
If Mitigated
Limited to authenticated users with proper access controls, reducing attack surface but still allowing directory manipulation.
🎯 Exploit Status
Requires authentication bypass and knowledge of OPC UA FileDirectory objects, but ZDI has confirmed exploitability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Softing advisory for specific patched version
Vendor Advisory: https://industrial.softing.com/
Restart Required: Yes
Instructions:
1. Check Softing advisory for patched version. 2. Download and install the update from Softing. 3. Restart the Secure Integration Server service. 4. Verify the patch is applied.
🔧 Temporary Workarounds
Network Segmentation
allRestrict network access to the OPC UA Gateway service to only trusted hosts.
Use firewall rules to limit TCP/UDP ports used by Softing Secure Integration Server
Authentication Hardening
allImplement additional authentication layers and monitor for authentication bypass attempts.
Configure multi-factor authentication if supported
Enable detailed authentication logging
🧯 If You Can't Patch
- Isolate the Softing server in a dedicated network segment with strict firewall rules
- Implement application-level monitoring for FileDirectory object access and directory creation attempts
🔍 How to Verify
Check if Vulnerable:
Check Softing Secure Integration Server version against patched version in vendor advisoryCheck Version:
Check version through Softing administration interface or installation directoryVerify Fix Applied:
Verify installed version matches or exceeds patched version from Softing advisory📡 Detection & Monitoring
Log Indicators:
- Unauthorized FileDirectory object access
- Unexpected directory creation events
- Authentication bypass attempts
Network Indicators:
- Unusual OPC UA traffic patterns to FileDirectory endpoints
- Multiple authentication requests from single source
SIEM Query:
source="softing_server" AND (event="FileDirectory_access" OR event="directory_creation")