Article - CS397286

Security vulnerability identified in PTC Kepware Products - CVE-2023-3825

Modified: 26-Jul-2023   


Applies To

  • ThingWorx Kepware Server 8.0 to 6.14
  • KEPServerEX 6.0.2107.0 to 6.14
  • Zero Day Initiative in collaboration with security researcher Claroty published results from PWN2OWN Miami in which Claroty successfully demonstrated a DoS attack on KEPServerEX by performing resource exhaustion
  • The attack vector leveraged during the event involved the creation of an un-authenticated a bad-acting OPC UA Client
    •  Standard controls available in the product and outlined in the Secure Deployment guide are sufficient to mitigate this vulnerability
  • Kepware will be producing a fix for the vulnerability irrespective of authentication that will remediate this vulnerability. This fix will be part of the KEPServerEX version 6.15 release in the second half of 2023
Note that PTC has no indication nor has been made aware that this vulnerability has or is being exploited

Description

  • Zero Day Initiative in collaboration with security researcher Claroty Team82 published results from PWN2OWN Miami in which Claroty successfully demonstrated a DoS attack on KEPServerEX by performing resource exhaustion
    • CVSS 3.1 Score: 7.5 High
    • CVSS 3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    • CWE: CWE-400 UNCONTROLLED RESOURCE CONSUMPTION
  • KEPServerEX v6.13.250.0 or lower is vulnerable to being made to read a recursively defined object that leads to uncontrolled resource consumption
    •  KEPServerEX uses OPC UA, a protocol which defines various object types that can be nested to create complex arrays
  • It does not implement a check to see if such an object is recursively defined, so an attack could send a maliciously created message that the decoder would try to decode until the stack overflowed and the device crashed
  • Common Vulnerabilities and Exposures:  CVE-2023-3825 has been assigned to this vulnerability
    Researcher Attribution: Claroty Team82
This is a printer-friendly version of Article 397286 and may be out of date. For the latest version click CS397286