Information Exposure

Affecting opcfoundation.netstandard.opc.ua package, versions [,1.3.352.12)

Overview

opcfoundation.netstandard.opc.ua contains the OPC UA reference implementation and targets the .NET Standard Library.

Affected versions of the package are vulnerable to Information Exposure. A remote attacker could determine the Server’s private key by sending carefully constructed bad UserIdentityTokens.

NOTE: This attack only affects UserIdentityTokens encrypted with the Basic128Rsa15 Security Policy, which has already been deprecated.

Remediation

Upgrade opcfoundation.netstandard.opc.ua to version 1.3.352.12 or higher.
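
An added example (not part of the original advisory or the OPC Foundation code base) of how a defender could check a project against the affected range [,1.3.352.12) and look for the Basic128Rsa15 policy in configuration. The function names, the sample project file and the assumption that policies appear in elements named SecurityPolicyUri are illustrative.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE_ID = "opcfoundation.netstandard.opc.ua"  # NuGet IDs are case-insensitive
FIXED = (1, 3, 352, 12)                          # first fixed version per the advisory
WEAK_POLICY = "#Basic128Rsa15"                   # policy named in the advisory's NOTE

def parse_version(text):
    """'1.3.352.9-beta' -> (1, 3, 352, 9); the pre-release suffix is ignored."""
    nums = [int(n) for n in re.split(r"[-+]", text.strip())[0].split(".")]
    return tuple(nums + [0] * (4 - len(nums)))

def is_affected(version):
    try:
        return parse_version(version) < FIXED    # numeric, not string, comparison
    except ValueError:                           # range or floating version
        return True                              # fail closed: review by hand

def local(tag):
    return tag.rsplit("}", 1)[-1]                # '{namespace}Name' -> 'Name'

def vulnerable_references(xml_text):
    """Affected versions of the package in a .csproj or packages.config."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "PackageReference":
            pkg, ver = el.get("Include", ""), el.get("Version")
            if ver is None:                      # <Version> child element form
                ver = next((c.text for c in el if local(c.tag) == "Version"), None)
        elif local(el.tag) == "package":
            pkg, ver = el.get("id", ""), el.get("version")
        else:
            continue
        if pkg.lower() == PACKAGE_ID and ver and is_affected(ver):
            hits.append(ver.strip())
    return hits

def weak_policy_entries(config_xml):
    """SecurityPolicyUri values in a config file that select Basic128Rsa15."""
    return [el.text.strip() for el in ET.fromstring(config_xml).iter()
            if local(el.tag) == "SecurityPolicyUri" and WEAK_POLICY in (el.text or "")]

# Constructed sample input (not taken from any real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua" Version="1.3.352.9" />
  <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
</ItemGroup></Project>"""
if __name__ == "__main__":
    print(vulnerable_references(SAMPLE_CSPROJ))
```

Versions are compared as integer tuples because a plain string comparison would rank "1.3.352.9" above "1.3.352.12" and miss the affected reference.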

CVSS Score

5.3 (medium severity)

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Credit: Bernd Edlinger
CVE: CVE-2018-7559
CWE: CWE-200
Snyk ID: SNYK-DOTNET-OPCFOUNDATIONNETSTANDARDOPCUA-60262
Disclosed: 13 Jun, 2018
Published: 31 Jul, 2018