VYPR
High severity · NVD Advisory · Published Aug 23, 2022 · Updated Sep 16, 2024

Denial of Service (DoS)

CVE-2022-25888

Description

The opcua Rust crate is vulnerable to DoS via unlimited large chunks without a final chunk, exhausting server resources.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Details

The opcua crate (a Rust implementation of the OPC UA protocol) is vulnerable to a Denial of Service (DoS) attack because it does not limit the number of received chunks, either per session or across all concurrent sessions [1]. Because the server never enforces a maximum chunk count, a peer can send an unlimited number of huge chunks (e.g., 2 GB each) without ever sending the Final chunk that would close the message [1]. This missing constraint is the root cause of the vulnerability.

Exploitation

An attacker can exploit this by establishing a session (or multiple sessions) and sending a continuous stream of large chunks without completing the message. No authentication is required if the server accepts unauthenticated sessions, and the attacker can be remote as long as network connectivity to the OPC UA endpoint exists. The vulnerability is triggered purely by network traffic; no special privileges are needed beyond the ability to initiate a connection [1].

Impact

Successful exploitation leads to unbounded memory or resource consumption on the server, causing a Denial of Service (DoS). The server may become unresponsive or crash, disrupting legitimate OPC UA clients and any industrial control or monitoring systems relying on the service [1].

Mitigation

The maintainers addressed the issue in pull request #216, which introduced configurable limits for chunk counts and other resource constraints [2][4]. The fix adds a max_chunk_count (or similar) limit and a decoding depth limit to prevent resource exhaustion [2]. Users are advised to upgrade to a patched version of the crate that includes these changes. As of the publication date, no CVE-assigned patch version is explicitly listed, but the commit history shows the fix was merged into the mainline [4].
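The following is an added illustration of the defensive pattern the fix is described as introducing; it is not code from the opcua crate or from pull request #216. The type and field names (MessageAssembler, Limits, max_chunk_count, max_chunk_size, max_message_size, feed_unterminated_stream) are assumptions made for this example. It shows a chunk reassembly buffer that checks every limit before a payload is buffered and discards the partial message whenever a limit is hit, so a stream of intermediate chunks with no Final chunk can never grow server memory past a fixed bound.

```rust
// Added illustration (not code from the opcua crate): a message assembler that
// enforces the kind of limits the advisory says the fix added. All names here
// are assumptions made for the example.

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum ChunkKind {
    Intermediate, // more chunks follow ('C' in the OPC UA chunk header)
    Final,        // last chunk, the message is complete ('F')
    Abort,        // sender gave up, drop what was buffered ('A')
}

pub struct Chunk {
    pub kind: ChunkKind,
    pub payload: Vec<u8>,
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum AssemblyError {
    ChunkTooLarge,
    TooManyChunks,
    MessageTooLarge,
}

#[derive(Debug, Clone, Copy)]
pub struct Limits {
    pub max_chunk_size: usize,
    pub max_chunk_count: usize,
    pub max_message_size: usize,
}

pub struct MessageAssembler {
    limits: Limits,
    buffered: Vec<u8>,
    chunk_count: usize,
}

impl MessageAssembler {
    pub fn new(limits: Limits) -> Self {
        MessageAssembler { limits, buffered: Vec::new(), chunk_count: 0 }
    }

    pub fn buffered_len(&self) -> usize { self.buffered.len() }
    pub fn chunk_count(&self) -> usize { self.chunk_count }

    fn reset(&mut self) {
        self.buffered = Vec::new(); // drop the allocation so memory is actually returned
        self.chunk_count = 0;
    }

    /// Feed one chunk. Ok(Some(message)) when a Final chunk completes a message,
    /// Ok(None) while more chunks are expected, Err when a limit is exceeded.
    /// Limits are checked *before* the payload is buffered, and any error resets
    /// the partial message so the peer cannot keep growing it.
    pub fn push(&mut self, chunk: Chunk) -> Result<Option<Vec<u8>>, AssemblyError> {
        if chunk.kind == ChunkKind::Abort {
            self.reset();
            return Ok(None);
        }
        if chunk.payload.len() > self.limits.max_chunk_size {
            self.reset();
            return Err(AssemblyError::ChunkTooLarge);
        }
        if self.chunk_count + 1 > self.limits.max_chunk_count {
            self.reset();
            return Err(AssemblyError::TooManyChunks);
        }
        if self.buffered.len() + chunk.payload.len() > self.limits.max_message_size {
            self.reset();
            return Err(AssemblyError::MessageTooLarge);
        }
        self.buffered.extend_from_slice(&chunk.payload);
        self.chunk_count += 1;
        match chunk.kind {
            ChunkKind::Final => {
                let message = std::mem::take(&mut self.buffered);
                self.chunk_count = 0;
                Ok(Some(message))
            }
            _ => Ok(None),
        }
    }
}

/// Feed `n` intermediate chunks of `size` bytes and never send a Final chunk,
/// the pattern the advisory describes. Returns how many bytes were buffered
/// when the stream ended, or the limit that stopped it.
pub fn feed_unterminated_stream(limits: Limits, n: usize, size: usize) -> Result<usize, AssemblyError> {
    let mut asm = MessageAssembler::new(limits);
    for _ in 0..n {
        asm.push(Chunk { kind: ChunkKind::Intermediate, payload: vec![0u8; size] })?;
    }
    Ok(asm.buffered_len())
}

fn main() {
    let limits = Limits { max_chunk_size: 65_535, max_chunk_count: 5, max_message_size: 1 << 20 };
    println!("{:?}", feed_unterminated_stream(limits, 4, 1024)); // Ok(4096)
    println!("{:?}", feed_unterminated_stream(limits, 6, 1024)); // Err(TooManyChunks)
}
```

The three limits catch different shapes of the same problem: max_chunk_size bounds a single allocation, max_chunk_count bounds how long a message can stay open, and max_message_size bounds the total buffered bytes regardless of how the peer splits them. Resetting on error matters as much as the checks themselves; a server that rejects the offending chunk but keeps the partial buffer still lets a slow stream hold memory for as long as the connection lives, so a real server would also close the secure channel at that point.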

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: opcua (crates.io)
Affected versions: < 0.11.0
Patched versions: 0.11.0
