CVE-2022-29864
Description
OPC UA .NET Standard Stack 1.04.368 allows a remote attacker to cause a server to crash via a large number of messages that trigger Uncontrolled Resource Consumption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OPC UA .NET Standard Stack 1.04.368 is vulnerable to a denial-of-service (DoS) via uncontrolled resource consumption triggered by a large number of messages.
Vulnerability Overview
CVE-2022-29864 is a denial-of-service (DoS) vulnerability affecting the OPC UA .NET Standard Stack version 1.04.368. The root cause is uncontrolled resource consumption: a remote attacker can send a large number of messages to a server running this stack, causing it to exhaust available resources and crash. The issue is classified as a resource consumption problem, leading to server unavailability [1][2].
Attack Vector and Prerequisites
An attacker can exploit this vulnerability remotely without needing authentication or special privileges. The only requirement is network access to the OPC UA server endpoint. By flooding the server with a high volume of messages, the attacker triggers the uncontrolled resource consumption condition. The OPC UA .NET Standard Stack is a reference implementation targeting .NET Framework, .NET, and .NET Standard 2.1, meaning any application built on these versions could be exposed if left unpatched [1][2].
Impact
Successful exploitation results in a complete denial of service, crashing the OPC UA server. This disrupts industrial communication systems that rely on OPC UA for data exchange, potentially halting production lines, causing data loss, or requiring manual intervention to restore service. No data breach or code execution is reported, but the availability impact is high [2].
Mitigation and Status
The OPC Foundation released a security bulletin and advisory (GHSA-vhfw-v69p-crcw) in June 2022 detailing the vulnerability and urging users to update to a patched version. Operators should upgrade the OPC UA .NET Standard Stack to a fixed release. There is no evidence of exploitation in the wild, but given the criticality of OPC UA in industrial environments, patching is strongly recommended [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| OPCFoundation.NetStandard.Opc.Ua.Core (NuGet) | < 1.4.368.58 | 1.4.368.58 |
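To check a .NET project file against the affected range in this table, the following added example (not code from the advisory or from the OPC Foundation) flags references to the package that are below the patched version. The sample project file and its version `1.4.368.33` are constructed for illustration, and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "OPCFoundation.NetStandard.Opc.Ua.Core"  # package id from the table above
PATCHED = (1, 4, 368, 58)                          # first patched version, same table

def classify(version_text):
    """Return 'affected', 'patched' or 'unknown' for one version string."""
    # Only plain 2-4 part versions are compared. Ranges, wildcards, pre-release
    # tags and MSBuild properties come back 'unknown' for manual review.
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?", (version_text or "").strip())
    if not m:
        return "unknown"
    version = tuple(int(g or 0) for g in m.groups())  # 1.4.368 == 1.4.368.0
    return "affected" if version < PATCHED else "patched"

def local(tag):
    """Drop the XML namespace that old-style project files put on every tag."""
    return tag.rsplit("}", 1)[-1]

def scan_project(xml_text):
    """Return [(version_text, status)] for each reference to PACKAGE."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        # PackageVersion is the item used by central package management.
        if local(el.tag) not in ("PackageReference", "PackageVersion"):
            continue
        name = el.get("Include") or el.get("Update") or ""
        if name.lower() != PACKAGE.lower():   # NuGet ids are case-insensitive
            continue
        version = el.get("Version")
        if version is None:                   # <Version> may be a child element
            child = next((c for c in el if local(c.tag) == "Version"), None)
            version = child.text if child is not None else None
        hits.append((version, classify(version)))
    return hits

# Constructed sample project file, not taken from any real repository.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua.Core" Version="1.4.368.33" />
    <PackageReference Include="Serilog" Version="2.10.0" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for version, status in scan_project(SAMPLE_CSPROJ):
        print(f"{PACKAGE} {version}: {status}")
```

This only sees direct references in the file it is given; a copy of the package pulled in transitively by another dependency needs a check against the resolved dependency graph instead.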
Affected products
- OPC UA/OPC UA .NET Standard Stack (description)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-vhfw-v69p-crcw (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-29864 (ghsa, ADVISORY)
- files.opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2022-29864.pdf (ghsa, x_refsource_MISC, WEB)
- github.com/OPCFoundation/UA-.NETStandard/security/advisories/GHSA-vhfw-v69p-crcw (ghsa, WEB)
- opcfoundation.org/security/ (mitre, x_refsource_MISC)