CVE-2018-12087

Vulnerability

The vulnerability exists in OPC Foundation UA Client Applications that communicate without security (i.e., when the security mode is set to "None"). In such configurations, the client does not validate the server's certificate, enabling a man-in-the-middle (MITM) attack [1]. This affects NuGet package OPCFoundation.NetStandard.Opc.Ua versions up to and including 1.4.352.12 [2]. The lack of certificate validation allows an attacker who controls a piece of network infrastructure to intercept and manipulate the TLS handshake or the unencrypted channel.

Exploitation

An attacker with control over a network segment between the OPC UA client and the server can perform a MITM attack. No authentication is required before the attack, as the client does not verify the server's identity. The attacker can present a spoofed certificate (or no certificate at all in unsecured mode) and decrypt the communication, capturing credentials transmitted during the authentication phase [1]. The attack is purely network-based and can be executed remotely with no prior access to the client or server.

Impact

Successful exploitation results in the disclosure of user passwords and potentially other sensitive data transmitted during the session. The attacker gains the ability to decrypt the password, which can then be reused to authenticate to the OPC UA server with the victim's privileges [1]. This leads to a compromise of confidentiality, and possibly integrity if the attacker can further manipulate data after authentication.

Mitigation

The vulnerability is fixed in version 1.4.353.15 of OPCFoundation.NetStandard.Opc.Ua [2]. Users should update to this or a later version. For applications that require unsecured communication, a network-level security measure (e.g., VPN) may be used to mitigate the risk. The OPC Foundation has published a security bulletin [1] with details. No workaround is available if the client must communicate without security and cannot be updated.