Lucene search

IcscertCVE-2023-3825

HistoryJul 31, 2023 - 11:15 p.m.

CVE-2023-3825

2023-07-3123:15:10

CWE-787

CWE-400

icscert

web.nvd.nist.gov

cve-2023-3825

ptc kepserverex

vulnerability

uncontrolled resource consumption

opc ua

recursive object

stack overflow

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

48.6%

JSON

PTC’s KEPServerEX Versions 6.0 to 6.14.263 are vulnerable to being made to read a recursively defined object that leads to uncontrolled resource consumption. KEPServerEX uses OPC UA, a protocol which defines various object types that can be nested to create complex arrays. It does not implement a check to see if such an object is recursively defined, so an attack could send a maliciously created message that the decoder would try to decode until the stack overflowed and the device crashed.

Affected configurations

Nvd

Node

kepwarekepserverexRange6.0.0–6.14.263

VendorProductVersionCPE
kepwarekepserverex*cpe:2.3:a:kepware:kepserverex:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
kepware	kepserverex	*	cpe:2.3:a:kepware:kepserverex::::::::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "KEPServerEX",
    "vendor": "PTC",
    "versions": [
      {
        "lessThanOrEqual": "6.14.263",
        "status": "affected",
        "version": "6.0",
        "versionType": "custom"
      }
    ]
  }
]

References

www.cisa.gov/news-events/ics-advisories/icsa-23-208-02

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

48.6%

JSON

Related for CVE-2023-3825