Security

May 2023
High

6.0.0 - 6.7.0
7.0.0 - 7.0.1

Updated OpenSSL library version used in OPC UA server/client/HTTP client/MQTT client function from 1.1.1n to 1.1.1t.
Improved the following vulnerability fixes:
- The contents of memory can be read
- The system is put into a denial of service (DoS) state
- The application data sent by the software is decrypted

Cause:
Vulnerability caused by OpenSSL

Vulnerability:
CVE-2023-0286
CVSS score: 7.4 (High)
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H)
- An attack could read the contents of memory or cause a denial of service.
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-0286

Vulnerability:
CVE-2022-4304
CVSS score: 5.9 (Medium)
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
- An attack could decrypt application data sent by the software.
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-4304

Vulnerability:
CVE-2023-0215
CVSS score: 7.5 (High)
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
- An attack may cause a denial of service (DoS).
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-0215

Vulnerability:
CVE-2022-4450
CVSS score: 7.5 (High)
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
- An attack may cause a denial of service (DoS).
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-4450
 

Jul. 2022
High

Updated the version from 1.1.1l to 1.1.1n of the OpenSSL library used in the OPC UA server / client function.
Fixed vulnerabilities that application denial of service (DoS) attacks by malicious attackers.

Cause:
Vulnerability due to OpenSSL.

Vulnerability:
CVE-2022-0778
CVSS SCORE: 7.5 (High)
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
- Causes an infinite loop by crafting a certificate that has invalid explicit curve parameters.
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-0778
 

Dec. 2021
Critical

Updated the version from 1.02p to 1.1.1l of the OpenSSL library used in the OPC UA server / client function.
Fixed vulnerabilities that application behavior changes and denial of service (DoS) attacks by malicious attackers.

Cause:
Vulnerability due to OpenSSL.

Vulnerability:
CVE-2021-3711
CVSS SCORE: 9.8 (Critical)
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- Malicious packets can change the behavior of applications running OpenSSL or cause denial of service (DoS) attacks.
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-3711

Vulnerability:
CVE-2021-3712
CVSS SCORE: 7.4 (High)
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H)
- Malicious packets can read sensitive information in memory or perform denial of service (DoS) attacks.
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-3712

Solution:
Update to DeviceXPlorer OPC Server Ver.6.5.0.

Aug. 2021
Critical

Updated the version of the library (CodeMeterRuntime) from v7.20b to v7.21a used for license key activation.
Successful exploitation of these vulnerabilities could allow an attacker to read data from the heap of the CodeMeter Runtime network server, or crash the CodeMeter Runtime Server.(ICSA-21-210-02)

Cause:
Vulnerability due to CodeMeter Runtime

Vulnerability:
CVE-2021-20093
CVSS Score: 7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
- An attacker could send a specially crafted packet to the CodeMeter Runtime CmWAN server to cause a denial-of-service condition.
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-20093

Vulnerability:
CVE-2021-20094
CVSS Score: 9.1 (Critical)
(CVSS 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
- An attacker could send a specially crafted packet that could crash the server or direct the CodeMeter Runtime Network Server to send back packets containing data from the heap.
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-20094

Solution:
Update CodeMeter Runtime to v7.21a.
This module can be updated by updating DeviceXPlorer OPC Server to Ver.6.4.0.

Mitigations:
CVE-2021-20093:
- Run CodeMeter as client only and use localhost as binding for the CodeMeter communication. With binding to localhost an attack is no longer possible via remote network connection. The network server is disabled by default.
- If it is not possible to disable the network server, using a host-based firewall to restrict access to the CmLAN port can reduce the risk.

CVE-2021-20094:
- The CmWAN server is disabled by default. Check if CmWAN is enabled and disable the feature if it is not needed.
- Run the CmWAN server only behind a reverse proxy with user authentication to prevent attacks from unauthenticated users.
- The risk of an unauthenticated attacker can be further reduced by using a host-based firewall that only allows the reverse proxy to access the CmWAN port.

Aug. 2021
High

5.0.0,1
- 5.4.0.1

Fixed the problem that malicious attacker may cause to trigger a stack overflow and application clashed if OPC UA server function enable.

Cause:
Vulnerability due to OPC UA component provided by OPC Foundation.

Vulnerability:
CVE-2021-27432
CVSS SCORE: 7.5 (High)
(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
- Triggered a stack overflow and the application crashed.
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-27432

Solution:
Disable OPC UA server function or update DeviceXPlorer OPC Server to Ver.5.4.1.1.

Mitigations:
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

Mar 2024
High

Updated SQLite library version used in Buffering function from 3.30.1 to 3.45.2
Implemented fixes for the following vulnerabilities:
- The contents of memory can be read
- The contents of memory can be altered
- The system is put into a denial of service (DoS) state

Cause:
Vulnerability caused by SQLite

Vulnerability:
CVE-2023-7104
CVSS score: 7.3 (High)
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
- An attack could read the contents of memory or cause a denial of service.
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-7104

May 2023
High

Updated OpenSSL library version used in OPC UA server/client/HTTP client/MQTT client function from 1.1.1n to 1.1.1t
Improved the following vulnerability fixes:
- The contents of memory can be read
- The system is put into a denial of service (DoS) state
- The application data sent by the software is decrypted

Cause:
Vulnerability caused by OpenSSL

Vulnerability:
CVE-2023-0286
CVSS score: 7.4 (High)
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H)
- An attack could read the contents of memory or cause a denial of service.
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-0286
 

Mar. 2022
High

Updated the version from 1.1.1l to 1.1.1n of the OpenSSL library used in the OPC UA server / client function.
Fixed vulnerabilities that application denial of service (DoS) attacks by malicious attackers.

Cause:
Vulnerability due to OpenSSL.

Vulnerability:
CVE-2022-0778
CVSS Score: 7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
- Cause to infinite loop by crafting a certificate that has invalid explicit curve parameters.
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-0778
 

Oct. 2021
Critical

Updated the version from 1.02p to 1.1.1l of the OpenSSL library used in the OPC UA server / client function.
Fixed vulnerabilities that application behavior changes and denial of service (DoS) attacks by malicious attackers.

Cause:
Vulnerability due to OpenSSL.

Vulnerability:
CVE-2021-3711
CVSS Score: 9.8 (Critical)
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- Malicious packets can change the behavior of applications running OpenSSL or cause denial of service (DoS) attacks.
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-3711

Vulnerability:
CVE-2021-3712
CVSS Score: 7.4 (High)
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H)
- Malicious packets can read sensitive information in memory or perform denial of service (DoS) attacks.
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-3712 

Solution:

May 2023
High

In ScriptRunner, improved the password encryption for launchsettings files.
In ScriptRunner for Amazon SQS, improved the secret key and password encryption for launch settings files and the secret key encryption for property files.

Vulnerability:
CVE-2023-28937
CVSS Score: 8.8（High）
（CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H）
- An attacker with access to the product could decrypt encrypted credentials with a hard-coded encryption key if they obtained the ScriptRunner or ScriptRunner for Amazon SQS configuration files.
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-28937

Solution:
Update to OPC Spider 1.2.2

In ScriptRunner, after applying this patch, perform the following procedure to encrypt passwords again for all launch settings files:

1. Open a launch settings file, and replace the value for the password element with a plain text password.
2. Specify [false] for the encrypt attribute of the password element, or delete the attribute.
3. Encrypt the password described in step 1 by following the "Password encryption of launch settings file" section in the "ScriptRunner" help page.

To use the launch settings file in another environment, you must perform the above procedure again.

In ScriptRunner for Amazon SQS, after applying this patch, perform the following procedure to encrypt passwords and secret keys again for all launch settings files and property files:

1. Open a launch settings file, and replace the values for the secretkey element and password element with a plain text secret key and password.
2. Specify [false] for the encrypt attributes of the secretkey element and password element, or delete the attributes.
3. Encrypt the secret key and password described in step 1 by following the "Secret key and password encryption of launch settings file section in the "ScriptRunner for Amazon SQS" help page.
4. Open a property file, and replace the value for the AWS_SECRET_KEY key with a plain text secret key.
5. Specify [false] for the ENCRYPTED key, or delete the ENCRYPTED key.
6. Encrypt the secret key described in step 4 by following the "Secret key encryption of property file" section in the "ScriptRunner for Amazon SQS" help page.

To use the launch settings file and the property file in another environment, you must perform the above procedure again.

Mar. 2022
High

Due to an affect on our products of a security update program dealing with a DCOM vulnerability (CVE-2021-26414), after applying the security update program, the OPC DA Client may be unable to connect with the OPC DA Server for DCOM communication using the following constructions:

• When OPC DA Client and OPC DA Server are running on different PCs. 

• When OPC DA Client and OPC DA Server startup users are different (such as at service startup time).

※ Communication with OPC UA interface is not affected.

Regarding affected products

The OPC DA interface of the following products may be affected:

• DeviceXPlorer OPC Server (DxpSERVER): All versions
• OPC DA Sample Clients: All versions
• DA Server: All versions
• DeviceXPlorer Data Logger (DxpLOGGER): All versions

For details and solutions, please refer to the following link.

Effect on our products for security update for vulnarebility in DCOM (CVE-2021-26414)