VYPR
High severity · NVD Advisory · Published Jun 16, 2022 · Updated Aug 3, 2024

CVE-2022-29863

Description

OPC UA .NET Standard Stack 1.04.368 allows a remote attacker to cause a crash via a crafted message that triggers excessive memory allocation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OPC UA .NET Standard Stack 1.04.368 can be crashed by a remote attacker sending a crafted message that triggers excessive memory allocation.

Vulnerability Overview

CVE-2022-29863 is a denial-of-service vulnerability in the OPC UA .NET Standard Stack version 1.04.368. The root cause is that the stack does not properly validate the size of a memory allocation requested by a specially crafted OPC UA message, allowing an attacker to force the allocation of an excessive amount of memory [2]. This can lead to resource exhaustion and cause the application to crash [1].

Attack Vector

The vulnerability can be exploited remotely over the network. An attacker sends a malicious OPC UA message to an affected server or client using the stack. No authentication is required; the crafted message alone triggers the excessive memory allocation. The attack surface includes any application that uses the vulnerable OPC UA .NET Standard Stack version 1.04.368 [3].

Impact

Successful exploitation results in a denial of service (DoS), crashing the OPC UA application. This disrupts industrial control and automation processes that rely on the OPC UA communication protocol. The impact is limited to availability; there is no evidence of code execution or data leakage [2].

Mitigation

The OPC Foundation released a fix in a later version of the stack. Users should update to a patched version, such as 1.04.368.1 or later. The advisory from the OPC Foundation provides details on the affected versions and remediation steps [3]. As of the publication date, this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: OPCFoundation.NetStandard.Opc.Ua.Core (NuGet)
Affected versions: < 1.4.368.58
Patched versions: 1.4.368.58

Affected products

2

Patches

0

No patches discovered yet.

References

5
