SB2018061315 - Cryptographic issues in PLCNext AXC F 2152
Published: June 13, 2018 Updated: June 6, 2019
Security Bulletin ID
SB2018061315
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Cryptographic issues (CVE-ID: CVE-2018-7559)
The vulnerability allows a remote attacker to decrypt passwords.
The vulnerability exists due to an error in OPC UA Server that allows an attacker to determine a Server's private key. A remote attacker can send especially constructed UserIdentityTokens, encrypted with the Basic128Rsa15 security policy as part of an oracle attack, and decrypt passwords even if they were encrypted with another security policy such as Basic256Sha256.
Vulnerability affects following PLCNext AXC F 2152 products:
- AXC F 2152: article number 2404267
- AXC F 2152: article number 1046568 (Starterkit)
Remediation
Install update from vendor's website.
References
- https://github.com/OPCFoundation/UA-.NET-Legacy/commit/e2a781b38efb8686d2bd850c2f2372b5c670bc45
- https://github.com/OPCFoundation/UA-.NETStandard/commit/ebcf026a54dd0c9052cff009d96d827ac923d150
- https://opcfoundation-onlineapplications.org/faq/SecurityBulletins/OPC_Foundation_Security_Bulletin_CVE-2018-7559.pdf