High Threat

CWE-400: Uncontrolled Resource Consumption

PTC’s KEPServerEX Versions 6.0 to 6.14.263 are vulnerable to being made to read a recursively defined object that leads to uncontrolled resource consumption. KEPServerEX uses OPC UA, a protocol which defines various object types that can be nested to create complex arrays. It does not implement a check to see if such an object is recursively defined, so an attack could send a maliciously created message that the decoder would try to decode until the stack overflowed and the device crashed.

PTC wishes to inform users that the attack vector leveraged during the research involved an un-authenticated OPC UA Client. Standard controls available in the product and outlined in the Secure Deployment guide are sufficient to mitigate this vulnerability.