Preface: OPC UA Stack is not only vulnerable but also has a range of significant fundamental problems.
Background: The UA SDK is a C++ library that supports you in writing portable C++ OPC UA Servers and Clients. The UA SDK actually consists of two SDKs, a Server SDK and a Client SDK. Both use the same UA Base Library which does all the C++ encapsulation of the raw ANSI C types
that are defined in the OPC UA Communication Stack by the OPC Foundation.
Vulnerability details: OPC UA C++ SDK is vulnerable to a denial of service, caused by improper restriction of operations within
the bounds of a memory buffer. A remote attacker could exploit this vulnerability to cause the system to crash.
In the OPC UA Stack. OPC Foundation developers provide libraries that are essentially a set of exported functions based on a specification, similar to an API.
In this vulnerability, the exported library functions don’t properly validate received extension objects, which may allow an attacker to crash the software by sending a variety of specially crafted packets to access several unexpected memory locations.
Remedy: Click here to download the latest software package from the Softing website. https://industrial.softing.com/products/opc-ua-and-opc-classic-sdks.html
ICS Advisory (ICSA-21-168-02) – https://us-cert.cisa.gov/ics/advisories/icsa-21-168-02