Full Report
The Unified Automation .NET based OPC UA Server SDK before 3.2.2, used in several industrial products, is affected by a vulnerability similar to the one documented in CVE-2023-27321 for the OPC Foundation UA .NET Standard implementation. A successful attack may lead to a high load situation and memory exhaustion, and may block the OPC UA server. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Denial of Service in Siemens OPC UA Server Implementations (CVE-2023-52891)
## CVE Details
- CVE ID: CVE-2023-52891
- CVSS Score: 5.3 (Medium)
- CWE: CWE-1325: Improperly Controlled Sequential Memory Allocation
## Affected Systems
- Products:
  - SIMATIC Energy Manager Basic (All versions < V7.5)
  - SIMATIC Energy Manager PRO (All versions < V7.5)
  - SIMATIC IPC DiagBase (All versions)
  - SIMATIC IPC DiagMonitor (All versions)
  - SIMIT V10 (All versions)
  - SIMIT V11 (All versions < V11.1)
- Configurations: Products utilizing the Unified Automation .NET based OPC UA Server SDK before version 3.2.2.
## Vulnerability Description
The vulnerability is similar to CVE-2023-27321 affecting the OPC Foundation UA .NET Standard implementation. It resides within the Unified Automation .NET based OPC UA Server SDK (prior to v3.2.2) used across several Siemens industrial products. A successful exploitation can trigger a high load situation leading to memory exhaustion, ultimately blocking the OPC UA server's operation (Denial of Service).
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but the vulnerability details suggest practical exploitability due to low complexity.
- Complexity: Low (AC:L in CVSS vector)
- Attack Vector: Network (AV:N in CVSS vector)
## Impact
- Confidentiality: No impact (C:N)
- Integrity: No impact (I:N)
- Availability: Low per the CVSS vector (A:L), consistent with the 5.3 base score; in practice the server may be blocked or crash due to memory exhaustion.
## Remediation
### Patches
The following updates have been released to resolve the vulnerability:
* **SIMATIC Energy Manager Basic/PRO:** Update to V7.5 or later. (Reference: https://support.industry.siemens.com/cs/ww/en/view/109827289/)
* **SIMIT V11:** Update to V11.1 or later. (Reference: https://support.industry.siemens.com/cs/ww/en/view/109820441/)
**Note:** For SIMATIC IPC DiagBase, SIMATIC IPC DiagMonitor, and SIMIT V10, Siemens currently states that **no fix is planned**.
### Workarounds
For all affected products, and especially those without immediate fixes planned:
1. Disable the OPC UA server in the affected product if OPC UA is not being used.
2. Restrict network access to the OPC UA interface, ensuring only trusted clients are allowed to connect.
## Detection
- **Indicators of Compromise (IoCs):** Unexplained high CPU utilization or memory exhaustion in the affected OPC UA server process, leading to service unavailability that begins shortly after the server handles specific network traffic.
- **Detection Methods and Tools:** Monitor network traffic destined for OPC UA ports (default 49330-49340/TCP) for anomalous or high-volume requests directed at the vulnerable service. Monitoring host resource usage (CPU/Memory) for endpoint processes running the vulnerable SDK can indicate resource exhaustion attempts.
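The two detection methods above can be turned into simple host-side heuristics. The script below is an added example, not part of the Siemens advisory or this report, and it uses constructed telemetry samples and constructed connection-log lines in a made-up format. It flags (a) sustained, monotonic growth of the server process's resident memory accompanied by high CPU, and (b) a burst of connections from a single client to the OPC UA port range quoted above. All thresholds and the log format are assumptions chosen for illustration, not vendor guidance.

```python
"""Resource-exhaustion heuristics for an OPC UA server host (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Port range as quoted in the report's detection section.
OPCUA_PORTS = range(49330, 49341)

# Constructed telemetry samples: (ISO timestamp, process RSS in MB, CPU %).
MEM_SAMPLES = [
    ("2024-01-10T10:00:00", 210, 4),
    ("2024-01-10T10:00:30", 212, 5),
    ("2024-01-10T10:01:00", 480, 61),
    ("2024-01-10T10:01:30", 910, 88),
    ("2024-01-10T10:02:00", 1460, 97),
]

# Constructed connection log in an assumed format: "<ts> <client> -> <port> <event>".
CONN_LOG = """\
2024-01-10T10:00:40 10.0.5.17 -> 49330 connect
2024-01-10T10:00:41 10.0.5.17 -> 49330 connect
2024-01-10T10:00:42 10.0.5.17 -> 49330 connect
2024-01-10T10:00:43 10.0.5.17 -> 49331 connect
2024-01-10T10:00:44 10.0.5.17 -> 49330 connect
2024-01-10T10:00:45 10.0.5.17 -> 49330 connect
2024-01-10T10:00:46 10.0.5.17 -> 502 connect
2024-01-10T10:00:50 10.0.5.200 -> 49330 connect
2024-01-10T10:00:55 10.0.5.200 -> 49330 disconnect
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\d+) (\w+)$")


def _ts(s):
    return datetime.fromisoformat(s)


def memory_growth_alert(samples, growth_mb=500, window_s=120, cpu_pct=80):
    """Return the first window in which RSS grows monotonically by at least
    growth_mb within window_s seconds and CPU ends at or above cpu_pct, else None.
    A single spike that drops again does not qualify; exhaustion is sustained."""
    pts = [(_ts(t), rss, cpu) for t, rss, cpu in samples]
    for i, (t0, rss0, _) in enumerate(pts):
        j, monotonic = i, True
        while j + 1 < len(pts) and (pts[j + 1][0] - t0).total_seconds() <= window_s:
            if pts[j + 1][1] < pts[j][1]:
                monotonic = False
            j += 1
        t1, rss1, cpu1 = pts[j]
        if monotonic and rss1 - rss0 >= growth_mb and cpu1 >= cpu_pct:
            return {"start": t0.isoformat(), "end": t1.isoformat(),
                    "growth_mb": rss1 - rss0, "cpu_pct": cpu1}
    return None


def connection_bursts(log_text, ports=OPCUA_PORTS, max_per_client=5, window_s=10):
    """Return {client: peak connects} for clients that open more than
    max_per_client connections to an OPC UA port within any window_s seconds."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, port, event = m.groups()
        if event != "connect" or int(port) not in ports:
            continue  # only new connections to the OPC UA port range count
        times[client].append(_ts(ts))
    bursts = {}
    for client, ts_list in times.items():
        ts_list.sort()
        peak = 0
        for i, t0 in enumerate(ts_list):
            n = sum(1 for t in ts_list[i:] if (t - t0).total_seconds() <= window_s)
            peak = max(peak, n)
        if peak > max_per_client:
            bursts[client] = peak
    return bursts


if __name__ == "__main__":
    print("memory alert:", memory_growth_alert(MEM_SAMPLES))
    print("connection bursts:", connection_bursts(CONN_LOG))
```

In a real deployment the samples would come from a process monitor (RSS and CPU of the OPC UA server process) and the connection events from a firewall or flow log in front of the OPC UA interface; the thresholds should be tuned against the normal client population, since a legitimate SCADA client reconnecting after a network blip can also produce a short burst.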
## References
- Vendor Advisory (SSA-088132): https://cert-portal.siemens.com/productcert/html/ssa-088132.html
- Related CVE-2023-27321 Information: https://files.opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2023-27321.pdf
- Unified Automation SDK Information: https://www.unified-automation.com/support/security-process.html
- General Siemens Industrial Security Guidelines: https://www.siemens.com/cert/operational-guidelines-industrial-security