
DDoS opportunities quashed as 17 flaws detected in popular industrial protocol

Published on: 18 May 2018

Potentially devastating cyber attacks have been nipped in the bud after several zero-day vulnerabilities were detected in a popular industrial protocol by Kaspersky Lab.

The cyber security firm uncovered 17 flaws in the OPC Unified Architecture (OPC UA) protocol, which transfers secure data between servers and clients in industrial systems including critical infrastructure.

All vulnerabilities were reported to developers OPC Foundation and fixed by the end of March.

If left unaddressed, the weaknesses could have led to denial-of-service attacks and remote code execution.

The protocol is widely used by major vendors in modern industrial facilities, including those in the manufacturing, pharmaceutical, and oil and gas sectors, among others.

Experts from Kaspersky analysed the protocol’s open-source code, including a sample server, and discovered that current implementations of the protocol contained errors in code design and writing.

In most cases, the discovered flaws were caused by the developers not using some of the protocol implementation functions properly.

A senior security researcher from Kaspersky said many of the vulnerabilities would’ve been picked up by putting the product code through security checks.

They added: “Vulnerabilities can affect complete product lines, so it’s highly important that vendors pay close attention to such widely available technologies - even a brand new piece of software may still contain numerous vulnerabilities.”