Lucene search

K
cve[email protected]CVE-2023-3825
HistoryJul 31, 2023 - 11:15 p.m.

CVE-2023-3825

2023-07-3123:15:10
CWE-400
CWE-787
web.nvd.nist.gov
17
cve-2023-3825
ptc kepserverex
vulnerability
uncontrolled resource consumption
opc ua
recursive object
stack overflow

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

40.5%

PTC’s KEPServerEX Versions 6.0 to 6.14.263 are vulnerable to being made to read a recursively defined object that leads to uncontrolled resource consumption. KEPServerEX uses OPC UA, a protocol which defines various object types that can be nested to create complex arrays. It does not implement a check to see if such an object is recursively defined, so an attack could send a maliciously created message that the decoder would try to decode until the stack overflowed and the device crashed.

Affected configurations

NVD
Node
kepwarekepserverexRange6.0.06.14.263

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "KEPServerEX",
    "vendor": "PTC",
    "versions": [
      {
        "lessThanOrEqual": "6.14.263",
        "status": "affected",
        "version": "6.0",
        "versionType": "custom"
      }
    ]
  }
]

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

40.5%

Related for CVE-2023-3825