Multiple companies that develop industrial systems are assessing the impact of two new OPC UA vulnerabilities on their products, and German automation technology firm Beckhoff is the first to release a security advisory.
Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released advisories to describe two OPC UA vulnerabilities discovered by Eran Jacob of OTORIO, an Israel-based company that specializes in operational technology (OT) security and digital risk management solutions.
Developed by the OPC Foundation, OPC UA (Unified Architecture) is a machine-to-machine communication protocol that is widely used in industrial automation and other fields.
Jacob, who is the security research team lead at OTORIO, analyzed OPC UA and uncovered a couple of vulnerabilities that have been assigned a high severity rating.
One of the flaws is tracked as CVE-2021-27432 and it has been described as an uncontrolled recursion issue that can be exploited to trigger a stack overflow. This vulnerability has been found to impact OPC UA .NET Standard and Legacy.
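The "uncontrolled recursion leading to a stack overflow" class named above is worth seeing in miniature from the defender's side. The following is an added illustration, not code from the CISA advisory, OTORIO, or the OPC Foundation's OPC UA .NET stack, and it says nothing about which structure the real flaw recursed on: it decodes a constructed toy nested format once without a depth bound (the vulnerable shape) and once with one (the usual fix), and shows how each reacts to deeply nested input. The format, the `MAX_DEPTH` value and the sample buffers are all assumptions made for the example.

```python
# Constructed toy wire format: byte 0x01 = "container, one child follows",
# byte 0x00 = "leaf". This is NOT the OPC UA binary encoding; it only stands
# in for any recursively nested format a decoder walks with recursion.

MAX_DEPTH = 32  # assumed bound for this example; a real decoder picks one that fits its schema


class DecodeError(ValueError):
    """Raised for malformed input, including input nested deeper than MAX_DEPTH."""


def decode_unbounded(buf: bytes, pos: int = 0):
    """Recursive decoder with no depth check (the vulnerable shape).

    Each nested container costs one stack frame, so the length of attacker-
    supplied input alone decides how deep the call stack goes.
    """
    if pos >= len(buf):
        raise DecodeError("truncated input")
    tag = buf[pos]
    if tag == 0x00:
        return "leaf", pos + 1
    if tag == 0x01:
        child, end = decode_unbounded(buf, pos + 1)
        return ("node", child), end
    raise DecodeError(f"unknown tag {tag:#x} at offset {pos}")


def decode_bounded(buf: bytes, pos: int = 0, depth: int = 0):
    """Same decoder with an explicit nesting bound.

    Over-deep input is rejected with an ordinary exception long before the
    native stack is exhausted, so the caller can log it and drop the message.
    """
    if depth > MAX_DEPTH:
        raise DecodeError(f"nesting deeper than {MAX_DEPTH} rejected")
    if pos >= len(buf):
        raise DecodeError("truncated input")
    tag = buf[pos]
    if tag == 0x00:
        return "leaf", pos + 1
    if tag == 0x01:
        child, end = decode_bounded(buf, pos + 1, depth + 1)
        return ("node", child), end
    raise DecodeError(f"unknown tag {tag:#x} at offset {pos}")


def outcome(decoder, buf: bytes) -> str:
    """Classify what a decoder does with buf: 'ok', 'rejected' or 'stack'."""
    try:
        decoder(buf)
        return "ok"
    except DecodeError:
        return "rejected"
    except RecursionError:
        # CPython converts stack exhaustion into a catchable exception. A .NET
        # StackOverflowException cannot be caught and terminates the process,
        # which is why uncontrolled recursion is a denial of service there.
        return "stack"


SHALLOW = b"\x01\x01\x00"           # constructed: two containers around a leaf
DEEP = b"\x01" * 50_000 + b"\x00"   # constructed: far deeper than any legitimate message

if __name__ == "__main__":
    print("shallow input:", outcome(decode_unbounded, SHALLOW), "/", outcome(decode_bounded, SHALLOW))
    print("deep input:   ", outcome(decode_unbounded, DEEP), "/", outcome(decode_bounded, DEEP))
```

The only difference between the two decoders is the `depth` parameter and the check at the top of `decode_bounded`; the bound is what turns "input length controls stack usage" into "input is rejected past a fixed limit", which is the property a patch for this vulnerability class has to restore.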
The second vulnerability is CVE-2021-27434, which has been described as a sensitive information disclosure issue that impacts the Unified Automation .NET based OPC UA client/server SDK.
The OPC Foundation released a patch in March. The flaw affecting Unified Automation software is related to the use of vulnerable versions of the .NET framework. According to CISA, CVE-2021-27434 is related to a .NET vulnerability patched by Microsoft in 2015 (