
Security Advisory IBA-2022-01

ibaPDA OPC UA server allowed in some cases connections with untrusted certificates

Publishing Date: 2022-03-08
Last Update: 2022-03-08
Tracking ID: IBA-2022-01
CVSS Base Score: 4.2
CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary

Due to a bug in the OPC UA library in use (versions below v1.4.368), an OPC UA client could in some cases establish a connection using an untrusted or expired certificate. If the OPC UA server exposed writable tags, a client connected in this way could then modify them.

Affected products

ibaPDA
All versions prior to v7.3.12

How do I know whether I'm affected?

Check the version number of the installed product in the About dialog, which can be found in the Help menu.

Customer Actions

Please install ibaPDA v7.3.12 or higher.

Technical Details

Issue

The certificate validator in use was overridden in some cases, leading to an unsafe situation in which any client with an expired or untrusted certificate could establish a connection. A more detailed description can be found on GitHub #1711.
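The check that an overridden validator skips, as an added example that is not ibaPDA's or the OPC Foundation's code: a Go stand-in for the server-side validator built on the standard library's X.509 verification. It chains the client certificate to the server's trust list and honours the validity window at handshake time, so an expired certificate is rejected even if it is in the trust list, and an unknown one is rejected even if it is currently valid. The helper names (makeCert, ValidateClientCert) and the self-signed test certificates are assumptions constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must unwraps (value, error) pairs so the constructed test data stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert builds a self-signed certificate with the given validity window.
// Constructed test data only; not a real ibaPDA or OPC UA application certificate.
func makeCert(cn string, notBefore, notAfter time.Time) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// ValidateClientCert is the check a server-side validator must not skip: the
// client certificate has to chain to an entry in the server's trust list AND be
// inside its validity period at handshake time. It returns nil only if both hold.
func ValidateClientCert(cert *x509.Certificate, trustList *x509.CertPool, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       trustList,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}
```

Call ValidateClientCert on the certificate presented in the handshake and refuse the session whenever it returns an error; an override that returns nil unconditionally reproduces the condition this advisory describes.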

Timeline

2022-02-16 Issue reported to OPC Foundation
2022-02-17 Issue fixed by OPC Foundation
2022-03-07 New ibaPDA Version released
2022-03-08 Security advisory published