OPC Foundation .NET Standard ConditionRefresh Resource Exhaustion Denial-of-Service Vulnerability
CVE-2023-27321

7.5 HIGH

Key Information:

Vendor
CVE Published: 7 May 2024

Badges

👾 Exploit Exists | 🟡 Public PoC | 📰 News Worthy

What is CVE-2023-27321?

A vulnerability in the OPC Foundation UA .NET Standard allows remote attackers to cause a denial-of-service condition. It is triggered when an attacker sends a large number of ConditionRefresh requests, which can exhaust the server's resources. Exploitation does not require authentication, which makes the flaw particularly risky for deployed systems. Affected installations could experience significant disruption, with service interruptions that compromise operational integrity.

Affected Version(s)

UA .NET Standard 1.4.371.60

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

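Original | Analysis of the OPC UA .NET Standard Stack Resource Exhaustion Vulnerability - 05-26

Originally published on the WeChat official account (CNCERT National Engineering Research Center): Original | Analysis of the OPC UA .NET Standard Stack Resource Exhaustion Vulnerability - 05-26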

CVSS V3.0

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 📰 First article discovered by CN-SEC

  • Vulnerability published

  • Vulnerability Reserved