There is a vulnerability in Unitronics’ UniOPC Server product which is the result of improper handling of input by a third-party component, https50.ocx, which is part of “IP*Works! SSL.”
IP*Works! SSL ships as part of the UniOPC product. Successful exploitation of this vulnerability results in a crash and could result in the execution of arbitrary code.
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) coordinated with Unitronics and independent security researchers Billy Rios and Terry McCorkle. Unitronics has released a new version that does not contain the vulnerable component. The researchers have confirmed the vulnerable component is not present in the new version. However, customers who install the new version on a system that previously contained an affected version of UniOPC are still vulnerable, as the update does not remove the vulnerable component.
This vulnerability affects versions of Unitronics UniOPC prior to Version 2.0.0. Exploitation of this vulnerability could result in the execution of arbitrary code on a system running an affected version of the Unitronics UniOPC product.
Israel-based Unitronics’ UniOPC Server provides the ability to read and write data between Unitronics programmable logic controllers (PLCs) and other OPC applications.
UniOPC Server is a standalone product that runs independently of other Unitronics software. UniOPC sees use worldwide in multiple sectors, Unitronics officials said.
The vulnerability resides in the https50.ocx component of “IP*Works! SSL” used as part of the Unitronics UniOPC product.
An attacker could build a specially crafted website that accesses the vulnerable function to cause a crash and potentially execute arbitrary code. This vulnerability is remotely exploitable. However, no exploits specifically target this vulnerability at this time. An attacker with a low to medium skill level may exploit this vulnerability.
Unitronics released Version 2.0.0 of UniOPC Server. Unitronics recommends that users of all versions of the UniOPC Server product download and install Version 2.0.0 or newer.
Unitronics has not provided mitigation steps for existing customers who are currently using affected versions of UniOPC. The vulnerable component will remain on the system even after installing the new version.
To manually remove the vulnerable component, the researchers suggest the following steps:
1. Ensure that no other applications are using https50.ocx prior to its removal.
2. From a command prompt type: regsvr32 /U c:\windows\system32\https50.ocx
3. Delete the c:\windows\system32\https50.ocx file.
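The three removal steps above as one PowerShell script, added here as an example and not taken from the advisory, Unitronics, or the researchers. It assumes the path given in step 2; the `$OcxPath` parameter and the loaded-module check used for step 1 are choices of this example.

```powershell
# Added example, not part of the advisory. Run from an elevated PowerShell prompt.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Path from the researchers' steps; pass another path if the file lives elsewhere.
    [string]$OcxPath = 'C:\Windows\System32\https50.ocx'
)

if (-not (Test-Path -LiteralPath $OcxPath)) {
    Write-Output "Not found: $OcxPath"
    return
}

# Record what is about to be removed, for the change log.
Get-Item -LiteralPath $OcxPath |
    Select-Object FullName, Length, LastWriteTime,
        @{ n = 'FileVersion'; e = { $_.VersionInfo.FileVersion } }

# Step 1: stop if a running process currently has the control loaded.
$name  = Split-Path -Leaf $OcxPath
$users = foreach ($p in Get-Process) {
    try {
        if ($p.Modules.ModuleName -contains $name) { $p }
    } catch { }   # module lists of protected processes cannot be read
}
if ($users) {
    $users | Select-Object Id, ProcessName
    Write-Warning "$name is loaded by the processes above; close them and rerun."
    return
}

# Steps 2 and 3: unregister the control, then delete the file.
if ($PSCmdlet.ShouldProcess($OcxPath, 'Unregister and delete')) {
    $r = Start-Process regsvr32.exe -ArgumentList '/u', '/s', "`"$OcxPath`"" -Wait -PassThru
    if ($r.ExitCode -ne 0) {
        Write-Warning "regsvr32 /u returned $($r.ExitCode); file left in place."
        return
    }
    Remove-Item -LiteralPath $OcxPath -Force
    Write-Output "Still present after removal: $(Test-Path -LiteralPath $OcxPath)"
}
```

Running it with `-WhatIf` performs the presence and in-use checks without unregistering or deleting anything. The in-use check only sees processes running at that moment, so an application that loads the control on demand still has to be ruled out by hand.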