CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.002 Low
Percentile: 60.3%
Denial of Service
The OPC UA specification describes a concept named Subscriptions. A Subscription monitors a set of Monitored Items for Notifications and returns them to the Client in response to Publish requests; the server notifies the client only when a value changes. Each Monitored Item is configured on a Subscription, and each Subscription is linked to a single OPC UA Session. Most OPC UA implementations enforce many controls and limits against excessive memory consumption. For example:
Claroty Research discovered a way to bypass those restrictions and fill up the OPC UA server process memory.
The CloseSession request closes a connected session. A deleteSubscriptions flag is also sent in that message and determines whether the server should keep the session's subscriptions for a future session reconnection or discard them when the session terminates. If the deleteSubscriptions flag is False, the server keeps the subscriptions, so memory fills up without any bound.
Sending multiple subscription requests with multiple monitored items from multiple sessions will quickly fill up the process memory until the server crashes.
To trigger this bug, all that is needed is to create many sessions with subscriptions and monitored items without ever deleting the monitored items. Eventually these allocations consume all the available process memory, which leads to a crash and a denial of service condition.
The Claroty PoC does the following:
    while True:
        Open a valid OPC UA session
        Create multiple subscriptions
        Add monitored items to each subscription
        Close the session with the deleteSubscriptions flag = False
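The server-side bookkeeping that the loop above exhausts, as an added model that is not Milo's code: a hypothetical SubscriptionRegistry keeps subscriptions whose session closed with deleteSubscriptions=False; with max_detached=None it retains them without bound (the vulnerable behaviour), while a cap on detached subscriptions plus a lifetime after which unclaimed ones are reaped is the hardened form. Session ids and the `now` clock values are constructed for the simulation.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Subscription:
    session_id: str
    monitored_items: int
    detached_at: float | None = None  # set once the owning session has closed

class SubscriptionRegistry:
    # max_detached=None reproduces the unbounded retention; a cap plus a lifetime is the hardened form
    def __init__(self, max_detached: int | None = None, detached_lifetime_s: float = 60.0):
        self.max_detached, self.detached_lifetime_s = max_detached, detached_lifetime_s
        self.subs: dict[int, Subscription] = {}
        self.n_detached, self._next_id = 0, 1  # detached = session closed with deleteSubscriptions=False

    def create_subscription(self, session_id: str, monitored_items: int) -> int:
        sub_id, self._next_id = self._next_id, self._next_id + 1
        self.subs[sub_id] = Subscription(session_id, monitored_items)
        return sub_id

    def close_session(self, session_id: str, delete_subscriptions: bool, now: float) -> int:
        kept = 0  # how many of this session's subscriptions survive for a later session
        for sub_id in [i for i, s in self.subs.items() if s.session_id == session_id]:
            at_cap = self.max_detached is not None and self.n_detached >= self.max_detached
            if delete_subscriptions or at_cap:
                del self.subs[sub_id]  # client asked for deletion, or the cap is reached: drop it
            else:
                self.subs[sub_id].detached_at = now
                self.n_detached += 1
                kept += 1
        return kept

    def reap_expired(self, now: float) -> int:
        # discard detached subscriptions that no session reclaimed within the lifetime
        expired = [i for i, s in self.subs.items()
                   if s.detached_at is not None and now - s.detached_at > self.detached_lifetime_s]
        for sub_id in expired:
            del self.subs[sub_id]
        self.n_detached -= len(expired)
        return len(expired)

def retained_after_churn(sessions: int, subs_per_session: int, max_detached: int | None = None) -> int:
    # the advisory's loop: open a session, subscribe, close with deleteSubscriptions=False, repeat
    reg = SubscriptionRegistry(max_detached=max_detached)
    for n in range(sessions):
        sid = f"session-{n}"  # constructed session id; 'now' is a simulated clock
        for _ in range(subs_per_session):
            reg.create_subscription(sid, monitored_items=100)
        reg.close_session(sid, delete_subscriptions=False, now=float(n))
    return reg.n_detached
```

With no cap the retained count grows with every session; with a cap the server stops honouring retention once the limit is hit, and reap_expired removes detached subscriptions no later session reclaimed.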
We would like to thank Vera Mens, Uri Katz, and @sharonbrizinov of Team82 (Claroty Research) for this report.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | org.eclipse.milo:sdk-server | lt | 0.6.8 |
github.com/advisories/GHSA-fph9-f5r6-vhqf
github.com/eclipse/milo/commit/4534381760d7d9f0bf00cbf6a8449bb0d13c6ce5
github.com/eclipse/milo/issues/1030
github.com/eclipse/milo/pull/1031
github.com/eclipse/milo/security/advisories/GHSA-fph9-f5r6-vhqf
nvd.nist.gov/vuln/detail/CVE-2022-25897
security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191