SB2023060106 - Denial of service in Prosys OPC UA products
Published: June 1, 2023
Description
This security bulletin contains information about 1 security vulnerability.
1) Resource exhaustion (CVE-ID: CVE-2023-32787)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control the consumption of internal resources while handling OpenSecureChannel messages. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack. Because OpenSecureChannel is processed before any session is created or any user credentials are checked, the affected code path is reachable by any client that can reach the server endpoint.
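The bulletin names the class of defect (uncontrolled resource consumption while handling OpenSecureChannel) but not the specific cause. The following is an added illustration of the defensive pattern a server should apply on that path; it is not code from the OPC UA Java Legacy stack or from Prosys, and it does not reproduce the actual bug. It parses the OPC UA binary OPN message header and asymmetric security header, refusing any length field that exceeds the limits negotiated in the Hello/Acknowledge exchange or the bytes actually received, and caps the number of OpenSecureChannel requests in flight per peer. The limit values, the `OpenChannelLimiter` and `handle_opn` names, and the sample messages are assumptions constructed for the example.

```python
import struct

MSG_HEADER_LEN = 8            # 3-byte type + 1-byte chunk type + UInt32 MessageSize
DEFAULT_RECEIVE_BUFFER = 65536  # assumed value a server advertises in its ACK


class ProtocolError(Exception):
    """Raised for any OPN message the server should refuse before allocating."""


def read_bytestring(buf, off, limit):
    """Decode an OPC UA String/ByteString (Int32 length, -1 = null) at buf[off].
    The declared length must fit both the caller's limit and the bytes on hand;
    otherwise refuse instead of allocating on the peer's word."""
    if off + 4 > len(buf):
        raise ProtocolError("truncated length prefix")
    (n,) = struct.unpack_from("<i", buf, off)
    off += 4
    if n == -1:
        return None, off
    if n < 0 or n > limit or off + n > len(buf):
        raise ProtocolError(f"length {n} exceeds limit {limit} or bytes available")
    return bytes(buf[off:off + n]), off + n


def parse_opn_header(buf, receive_buffer_size=DEFAULT_RECEIVE_BUFFER, max_cert_len=8192):
    """Validate the message header and asymmetric security header of an OPN chunk.
    receive_buffer_size is what this server advertised in its ACK; nothing in the
    message may exceed it, and MessageSize must match what was actually received."""
    if len(buf) < MSG_HEADER_LEN + 4:
        raise ProtocolError("short header")
    msg_type, chunk_type, msg_size = struct.unpack_from("<3scI", buf, 0)
    if msg_type != b"OPN" or chunk_type != b"F":
        raise ProtocolError("expected a final OPN chunk")
    if msg_size > receive_buffer_size:
        raise ProtocolError(f"MessageSize {msg_size} exceeds negotiated {receive_buffer_size}")
    if msg_size < MSG_HEADER_LEN + 4 or msg_size > len(buf):
        raise ProtocolError("MessageSize inconsistent with bytes received")
    msg = buf[:msg_size]
    (channel_id,) = struct.unpack_from("<I", msg, MSG_HEADER_LEN)
    off = MSG_HEADER_LEN + 4
    policy, off = read_bytestring(msg, off, 256)         # SecurityPolicyUri
    cert, off = read_bytestring(msg, off, max_cert_len)  # SenderCertificate
    thumb, off = read_bytestring(msg, off, 20)           # ReceiverCertificateThumbprint
    if policy is None:
        raise ProtocolError("SecurityPolicyUri is mandatory")
    if thumb is not None and len(thumb) != 20:
        raise ProtocolError("thumbprint must be a SHA-1 digest (20 bytes)")
    return {"channel_id": channel_id, "policy": policy.decode("ascii"),
            "cert": cert, "thumbprint": thumb, "payload_offset": off}


class OpenChannelLimiter:
    """Cap OPN requests in flight per peer and overall so one client cannot hold
    every worker thread or all buffer memory while channels are being opened."""

    def __init__(self, per_peer=4, total=64):
        self.per_peer, self.total_cap = per_peer, total
        self.pending, self.total = {}, 0

    def admit(self, peer):
        if self.total >= self.total_cap or self.pending.get(peer, 0) >= self.per_peer:
            return False
        self.pending[peer] = self.pending.get(peer, 0) + 1
        self.total += 1
        return True

    def release(self, peer):
        if self.pending.get(peer, 0) > 0:
            self.pending[peer] -= 1
            self.total -= 1


def handle_opn(buf, peer, limiter, receive_buffer_size=DEFAULT_RECEIVE_BUFFER):
    """Server admission path: refuse cheaply first, parse with bounds, always
    release the slot.  Returns (accepted, parsed header or reason)."""
    if not limiter.admit(peer):
        return False, "too many OpenSecureChannel requests in flight"
    try:
        return True, parse_opn_header(buf, receive_buffer_size)
    except ProtocolError as e:
        return False, str(e)
    finally:
        limiter.release(peer)


def _bstr(b):
    """Encode a String/ByteString; None encodes as length -1."""
    return struct.pack("<i", -1) if b is None else struct.pack("<i", len(b)) + b


def build_opn(policy=b"http://opcfoundation.org/UA/SecurityPolicy#None",
              cert=None, thumb=None, declared_size=None):
    """Constructed sample OPN chunk: asymmetric security header followed by a
    placeholder sequence header.  declared_size lets a caller lie in the header."""
    body = struct.pack("<I", 0) + _bstr(policy) + _bstr(cert) + _bstr(thumb)
    body += struct.pack("<II", 1, 1)  # SequenceNumber, RequestId
    size = MSG_HEADER_LEN + len(body) if declared_size is None else declared_size
    return b"OPN" + b"F" + struct.pack("<I", size) + body
```

The two checks that matter most are that `MessageSize` and every embedded length are compared against what was negotiated and what has actually arrived before any buffer is sized from them, and that admission is bounded per source so that a flood of cheap OPN messages cannot occupy the server indefinitely. The remaining sequence header and encoded request body would be decoded by the same bounded reader.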
Remediation
Install the update from the vendor's website. The fix was made in the OPC UA Java Legacy stack (see the referenced commit), so Prosys products that embed that stack need the vendor release that incorporates it.
References
- https://github.com/OPCFoundation/UA-Java-Legacy/commit/6f176f2b445a27c157f1a32f225accc9ce8873c0
- https://files.opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2023-32787.pdf
- https://github.com/OPCFoundation/UA-Java-Legacy
- https://www.zerodayinitiative.com/advisories/ZDI-23-778/
- https://www.prosysopc.com/blog/pwn2own-2023-resource-exhaustion-exploit/