The advisory describes this as “a heap corruption vulnerability” that, if exploited, could corrupt the OPC server memory. ICS-CERT estimates that the vulnerability could be exploited by an attacker with an intermediate skill level, but that it would be unlikely that an attacker could use this vulnerability to execute arbitrary commands.
ICS-CERT has confirmed that Automated Solutions’ latest patch mitigates this vulnerability. ICS-CERT recommends the following mitigation steps:
● Upgrade to the latest version and install the latest patch. The patch is available at http://automatedsolutions.com/demos/demoform.asp?code=17. As always, the standard ICS-CERT caution applies: “Owners and operators should exercise caution and consult their control systems vendor prior to making any changes. Proper impact analysis and testing should always be conducted prior to making any changes to control systems.”
● Minimize network exposure for all control system devices. Critical devices should not directly face the Internet. Control system networks and remote devices should be located behind firewalls, and be isolated from the business network. If remote access is required, secure methods such as Virtual Private Networks (VPNs) should be utilized.