KEPServer Denial-of-Service Vulnerability Found During Pwn2Own Competition

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS

Rockwell Automation received a report from PTC, a strategic partner of Rockwell Automation, regarding this vulnerability discovered by Security Researchers of Claroty Team82 during the Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI). Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-3825 IMPACT

KEPServerEX Versions 6.0 to 6.14.263 are vulnerable to being made to read a recursively defined object that leads to uncontrolled resource consumption. KEPServerEX uses OPC UA, a protocol which defines various object types that can be nested to create complex arrays. It does not implement a check to see if such an object is recursively defined, so an attack could send a maliciously created message that the decoder would try to decode until the stack overflowed and the device crashed.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400: Uncontrolled Resource Consumption
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         NVD - CVE-2023-3825

·         PTC KEPServerEX | CISA

·         CS405439 - Security vulnerabilities identified in PTC Kepware products - November 2023