There is a vulnerability in Unitronics’ UniOPC Server which can occur as a result of improper handling of input by a third-party component, https.ocx, which is part of “IP*Works! SSL.”
Successful exploitation of this vulnerability can result in a crash and could result in the execution of arbitrary code.
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) coordinated with Unitronics and independent security researchers Billy Rios and Terry McCorkle, who found the vulnerability.
Unitronics released a new version that does not contain the vulnerable component. The researchers have confirmed the vulnerable component is not present in the new version. However, customers installing the new version on a system that had previously contained an affected version of UniOPC are still vulnerable as the update does not remove the vulnerable component.
This vulnerability affects versions of Unitronics UniOPC prior to Version 2.0.0.
Exploitation of this vulnerability could result in arbitrary code on a system running an affected version of UniOPC.
Israel-based Unitronics offers the UniOPC Server, which provides the ability to read and write data between Unitronics programmable logic controllers (PLCs) and other applications that support OLE for Personal Computers (OPC). UniOPC Server is a standalone product that runs independently of other Unitronics software.
UniOPC sees use globally in multiple sectors, Unitronics said.
The vulnerability resides in the https.ocx component of “IP*Works! SSL” that is part of the Unitronics UniOPC product. An attacker could build a specially crafted website that accesses the vulnerable function to cause a crash and potentially execute arbitrary code. In addition, the vulnerability is remotely exploitable and an attacker with a low to medium skill level may exploit this vulnerability.
In an effort to mitigate the issue, Unitronics released Version 2.0.0 of UniOPC Server. Unitronics recommends users of all versions of the UniOPC Server product download and install Version 2.0.0 or newer.
Unitronics has not provided mitigation steps for existing customers who are currently using affected versions of UniOPC. The vulnerable component will remain on the system even after installing the new version.