CVE-2022-29862

Vulnerability

Description An infinite loop vulnerability (CWE-835) exists in the OPC UA .NET Standard Stack version 1.04.368. The flaw occurs when the stack processes a specially crafted OPC UA message, causing the application to enter an infinite loop and become unresponsive [3]. This issue affects the core library of the OPC UA .NET reference implementation [1].

Exploitation

A remote attacker can exploit this vulnerability by sending a malicious OPC UA message to a server or client using the affected stack. No authentication is required, as the message is processed before any security checks are performed. The attack vector is network-based, making it accessible to any attacker who can reach the target application over the network [3].

Impact

Successful exploitation results in a denial of service (DoS) condition. The target application hangs and becomes unable to process legitimate OPC UA requests, disrupting industrial automation and control systems that rely on OPC UA communications [2].

Mitigation

The OPC Foundation has released a security bulletin addressing this vulnerability [2]. Users are advised to update to a patched version of the OPC UA .NET Standard Stack. The official GitHub repository provides the latest releases and security advisories [1][3].