Scribd Logo
Upload

Welcome to Scribd!

  • Us 21 A Broken Chain Discovering OPC UA Attack Surface and Exploiting The Supply Chain

    Uploaded by

    Ggs Mary
    114 views62 pages
    The document discusses discovering vulnerabilities in the supply chain of OPC-UA (Open Platform Communications Unified Architecture), an industrial automation protocol. It maps out the OPC-UA communication stack and its dependencies on specifications, programming languages, and commercial software development kits. The presenter aims to explore this attack surface and supply chain to identify potential exploitation points, building on previous academic work that identified security issues in OPC-UA deployments.

    Original Description:

    Original Title

    Us 21 a Broken Chain Discovering OPC UA Attack Surface and Exploiting the Supply Chain

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document discusses discovering vulnerabilities in the supply chain of OPC-UA (Open Platform Communications Unified Architecture), an industrial automation protocol. It maps out the OPC-UA communication stack and its dependencies on specifications, programming languages, and commercial software development kits. The presenter aims to explore this attack surface and supply chain to identify potential exploitation points, building on previous academic work that identified security issues in OPC-UA deployments.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    114 views62 pages

    Us 21 A Broken Chain Discovering OPC UA Attack Surface and Exploiting The Supply Chain

    Uploaded by

    Ggs Mary
    The document discusses discovering vulnerabilities in the supply chain of OPC-UA (Open Platform Communications Unified Architecture), an industrial automation protocol. It maps out the OPC-UA communication stack and its dependencies on specifications, programming languages, and commercial software development kits. The presenter aims to explore this attack surface and supply chain to identify potential exploitation points, building on previous academic work that identified security issues in OPC-UA deployments.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 62

    A Broken Chain:

    Discovering OPC-UA
    Attack Surface and Exploiting the Supply-chain
    By Eran Jacob

    #BHUSA @BlackHatEvents
    Who am I?
    Eran Jacob
    Security Research Team Leader
    @EranJacob
    linkedin.com/in/eranj

    Roman Dvorkin Alon Zini


    linkedin.com/in/roman-dvorkin linkedin.com/in/alon-zini-3b9698185
    #BHUSA @BlackHatEvents
    Agenda
    Supply-chain
    Intro Exploitation

    The Attack Fuzzing


    Surface
    #BHUSA @BlackHatEvents
    Automation Protocols

    Manufacturing Critical Infrastructure Buildings, Traffic..

    #BHUSA @BlackHatEvents
    Automation Protocols

    #BHUSA @BlackHatEvents
    OPC Classic
    Open Platform Communications

    - Data Access
    - Alarms and Events
    - Historical Data Access

    Distributed Component
    Object Model Firewall unfriendly Security

    #BHUSA @BlackHatEvents
    OPC Unified Architecture
    Cloud
    Cloud/IT
    ERP

    3.
    MES
    2. SCADA

    Relay Broker

    1. HMI Controller Controller

    OT 4.
    Field Devices Field Devices

    #BHUSA @BlackHatEvents
    OPC Unified Architecture
    Cloud
    Cloud/IT
    ERP

    3.
    MES
    2. SCADA

    Relay Broker

    1. HMI Controller Controller

    OT 4.
    Field Devices Field Devices

    #BHUSA @BlackHatEvents
    Motivation for Research
    • The “next-thing” in industrial
    communication
    • Highly adopted
    • Significant potential impact

    #BHUSA @BlackHatEvents
    Discovering the Attack Surface
    02 or at least some of it..

    #BHUSA @BlackHatEvents
    Mapping the surface
    Specifications Communication
    Stack

    .NET Standard
    .NET legacy
    ANSI C legacy

    JAVA legacy

    #BHUSA @BlackHatEvents
    Mapping the surface
    Specifications Communication
    Stack

    .NET standard
    .NET legacy
    ANSI C legacy

    JAVA legacy

    #BHUSA @BlackHatEvents
    Mapping the surface
    Specifications Communication Commercial
    Stack SDKs

    .NET standard
    .NET legacy
    ANSI C legacy

    JAVA legacy

    ** This mapping is based on our best effort & knowledge; some #BHUSA @BlackHatEvents
    vendors or relations may be missing or inaccurate **
    Mapping the surface

    C / C++

    .NET

    #BHUSA @BlackHatEvents
    Mapping the surface

    C / C++

    #BHUSA @BlackHatEvents
    Mapping the surface

    C / C++

    #BHUSA @BlackHatEvents
    Mapping the surface

    C / C++

    TB5STACK.dll uastack.dll uastack.dll


    #BHUSA @BlackHatEvents
    Mapping the surface

    .NET

    #BHUSA @BlackHatEvents
    Mapping the surface
    Specifications Communication Commercial
    Stack SDKs

    .NET standard “The vast majority of


    .NET legacy OPC UA products are
    ANSI C legacy based on these
    JAVA legacy commercial OPC UA
    SDK/Toolkits”
    OPC Foundation

    #BHUSA @BlackHatEvents

    ** This mapping is based on our best effort & knowledge; some vendors or relations may be missing or inaccurate **
    Mapping the surface
    Specifications Communication Commercial Products
    Stack SDKs

    .NET standard
    .NET legacy
    ANSI C legacy

    JAVA legacy

    #BHUSA @BlackHatEvents

    ** This mapping is based on our best effort & knowledge; some vendors or relations may be missing or inaccurate **
    Chain of Dependency
    Specifications Communication Commercial Products
    Stack SDKs

    .NET standard
    .NET legacy
    ANSI C legacy

    JAVA legacy

    #BHUSA @BlackHatEvents

    ** This mapping is based on our best effort & knowledge; some vendors or relations may be missing or inaccurate **
    Pervious Work

    Active 2017 2018, 2020 2021 …


    OPC Foundation German Office for Kaspersky Claroty Academic papers
    Security Working Information
    Group Security (BSI) 2021
    o Practical Pitfalls for Security in
    OPC UA
    2020
    o Assessing the Security of OPC
    UA Deployments
    o …
    #BHUSA @BlackHatEvents
    03 Exploiting the supply chain

    #BHUSA @BlackHatEvents
    Chain of Dependency
    Specifications Communication Commercial Products
    Stack SDKs

    .NET standard
    .NET legacy
    ANSI C legacy

    JAVA legacy

    #BHUSA @BlackHatEvents

    ** This mapping is based on our best effort & knowledge; some vendors or relations may be missing or inaccurate **
    OPC UA Connection
    Client Server
    HEL Hello
    Acknowledge ACK
    Transport
    OpenSecureChannelRequest
    OPN Secure Channel: Confidentiality, Integrity, App
    OpenSecureChannelResponse Authentication
    OPN
    MSG CreateSessionRequest
    CreateSessionResponse MSG
    Session: User Authentication & Authorization
    MSG ActivateSessionRequest
    ActivateSessionResponse
    MSG
    MSG …

    MSG

    MSG Messages: Read, Write, Call…
    MSG
    CLO CloseSecureChannelRequest

    #BHUSA @BlackHatEvents
    Reading the Reference
    Complex Datatypes
    Variants, Extension Objects, Structures

    Flexible Encoding
    Binary, XML, JSON

    Pre-security messages
    (OpenSecureChannel, GetEndpoints , FindServers…)

    #BHUSA @BlackHatEvents

    https://tyk.io/great-api-documentation-requires-code-examples/
    Chain of Dependency
    Specifications Communication Commercial Products
    Stack SDKs

    .NET standard
    .NET legacy
    ANSI C legacy

    JAVA legacy

    #BHUSA @BlackHatEvents

    ** This mapping is based on our best effort & knowledge; some vendors or relations may be missing or inaccurate **
    Object
    Breaking the .NET Stack
    • NET doesn’t like deep function calls… Inner Object
    • The reference alerts of such risk when describing nested data types.
    XML/Binary
    • A related issue was already found in the past (CVE-2018-12086):

    #BHUSA @BlackHatEvents
    Nested Data Types
    Variant Extension Object
    (UNION) (Structure Container)

    OPC UA Structure
    Array/Matrix Built in data type
    XML/Binary

    Diagnostic Info Data Value

    Inner diagnostic info Variant

    #BHUSA @BlackHatEvents
    Variant
    (UNION)

    Unlimited Nesting Built in


    XML OPC UA Decoder Array/Matrix
    data type

    #BHUSA @BlackHatEvents
    Extension Object
    (Structure Container)

    Nested Structures
    - Extension Objects! OPC UA Structure
    - VERY useful for pivoting our way to vulnerable parts of the stacks
    - Used in messages before channel or session security (in both directions) XML/Binary

    Client Server

    HEL Hello
    Acknowledge ACK
    Transport
    OpenSecureChannelRequest
    OPN Secure Channel: Confidentiality, Integrity, App
    OpenSecureChannelResponse Authentication
    OPN
    MSG CreateSessionRequest
    CreateSessionResponse MSG
    Session: User Authentication & Authorization
    MSG ActivateSessionRequest
    ActivateSessionResponse
    MSG
    MSG …

    MSG

    MSG Messages: Read, Write, Call…
    MSG
    CLO CloseSecureChannelRequest #BHUSA @BlackHatEvents
    Extension Object
    (Structure Container)

    Nested Structures
    OPC UA Structure
    OpenSecureChannelRequest
    OPN XML/Binary

    #BHUSA @BlackHatEvents
    Extension Object
    (Structure Container)

    Nested
    -
    Structures
    Chunks. OPC UA Structure

    XML/Binary
    Client Server
    HEL Hello
    Acknowledge ACK Transport connection
    OpenSecureChannelRequest
    OPN Secure Channel: Confidentiality, Integrity, App
    OpenSecureChannelResponse Authentication
    OPN
    MSG CreateSessionRequest
    CreateSessionResponse MSG
    Session: User Authentication & Authentication
    MSG ActivateSessionRequest
    ActivateSessionResponse
    MSG
    MSG …

    MSG
    … Messages: Read, Write, Call…
    MSG

    MSG
    CLO CloseSecureChannelRequest
    #BHUSA @BlackHatEvents
    Extension Object
    (Structure Container)

    Nested
    -
    Structures
    Chunks. OPC UA Structure

    XML/Binary
    Client Server
    HEL Hello
    Acknowledge ACK Transport connection
    OpenSecureChannelRequest
    OPN Secure Channel: security mode = NONE
    OpenSecureChannelResponse
    OPN
    MSG FindServersRequest
    FindServersResponse FindServers
    MSG

    CLO CloseSecureChannelRequest

    #BHUSA @BlackHatEvents
    .NET Stack Vulnerability
    6 years old 0 day
    CVE-2021-27432

    #BHUSA @BlackHatEvents
    .NET Stack Vulnerability
    Client -> Server

    Main Site

    Remote Site 1 Remote Site 2

    PC
    Loss of visibility & control Loss of visibility & control
    OPC UA SERVER SCADA OPC UA SERVER
    (OPC UA client)

    PLC HMI PLC


    #BHUSA @BlackHatEvents
    .NET Stack Vulnerability
    Server -> Client

    Main Site

    Remote Site 1 Remote Site 2

    PC
    Loss of visibility & control Loss of visibility & control
    OPC UA SERVER SCADA OPC UA SERVER
    (OPC UA client)

    PLC HMI PLC


    #BHUSA @BlackHatEvents
    Unified Automation .NET SDK
    Specifications Communication Commercial Products
    Stack SDKs

    .NET standard
    .NET legacy
    ANSI C legacy

    JAVA legacy

    #BHUSA @BlackHatEvents

    ** This mapping is based on our best effort & knowledge; some vendors or relations may be missing or inaccurate **
    Unified Automation .NET SDK
    Specifications Communication Commercial Products
    Stack SDKs

    .NET standard
    .NET legacy
    ANSI C legacy

    JAVA legacy

    #BHUSA @BlackHatEvents

    ** This mapping is based on our best effort & knowledge; some vendors or relations may be missing or inaccurate **
    XXE. Again. CVE-2021-27434

    • Code refactoring reintroduced the vulnerability


    • Exploitable over Extension Object decoding

    *XXE = XML External Entity #BHUSA @BlackHatEvents


    SDK XXE Vulnerability Impact
    Client -> Server

    IT Network

    OT Network

    OPC UA SERVER

    PLC HMI PLC


    #BHUSA @BlackHatEvents
    Softing C++ OPC UA SDK
    Specifications Communication Commercial Products
    Stack SDKs

    .NET standard
    .NET legacy
    ANSI C legacy

    JAVA legacy

    #BHUSA @BlackHatEvents

    ** This mapping is based on our best effort & knowledge; some vendors or relations may be missing or inaccurate **
    Softing C++ OPC UA SDK

    SDK interface (API) TB5CPP

    SDK-level processing TB5OT Softing’s SDK C++ objects

    TB5UTIL
    Stack-level processing TB5STACK Foundation’s ANSI C stack structures

    #BHUSA @BlackHatEvents
    From Binary to Objects
    TB5STACK

    Binary Message

    SDK C++
    Objects
    TB5OT

    C Structures

    #BHUSA @BlackHatEvents
    https://www.flaticon.com/free-icon/documents_160085
    Extension Object
    (Structure Container)

    Foundation’s Extension Object


    Looking at the Legacy ANCI C stack OPC UA Structure…
    decoded Extension Objects are stored in a specific structure XML/Binary

    ID of the contained structure


    Encoding of the BODY

    BODY UNION

    #BHUSA @BlackHatEvents
    Foundation’s ExtensionObject
    Zooming into the ExtensionObject body union

    Int32, Byte*

    Int32, Byte*

    Object* , EncodableType*

    #BHUSA @BlackHatEvents
    Foundation’s ExtensionObject

    MUST be validated
    ID of the contained structure
    Encoding of the BODY MUST be validated

    BODY UNION

    #BHUSA @BlackHatEvents
    Setting C++ Objects
    TB5STACK

    Binary Message

    SDK C++
    Extension Object Struct Objects
    TB5OT
    TypeID: X/Y/Z..

    Encoding: EncodeableObject

    Body: decoded object

    C Structure

    #BHUSA @BlackHatEvents
    https://www.flaticon.com/free-icon/documents_160085
    Skipping Internal Structure Decoding
    1. XML..

    2. Type-ID encoding

    #BHUSA @BlackHatEvents
    Setting C++ Objects
    TB5STACK

    Binary Message

    SDK C++
    Extension Object Struct Objects
    TB5OT
    TypeID: X/Y/Z..

    Encoding: XML/Binary

    Body: ByteString object

    C Structure

    #BHUSA @BlackHatEvents
    https://www.flaticon.com/free-icon/documents_160085
    Setting C++ Objects
    TB5STACK

    Binary Message

    SDK C++
    Extension Object Struct Objects
    TB5OT
    TypeID: X/Y/Z..

    Encoding: XML/Binary

    Body: ByteString object

    C Structure

    #BHUSA @BlackHatEvents
    https://www.flaticon.com/free-icon/documents_160085
    A word about PubSub
    Option: Publish/Subscribe in the Cloud

    Subscriber : Client
    Subscriber : Client
    Subscriber : Client

    Publisher/Sender : Server
    Subscriber : Client
    Subscriber : Client
    Subscriber : Client
    Relay Broker
    Publisher/Sender : Server
    Subscriber : Client
    Subscriber : Client
    Subscriber : Client

    Option: Secure Multicast

    Subscriber : Client Subscriber : Client

    Subscriber : Client Subscriber : Client Publisher/Sender : Server


    #BHUSA @BlackHatEvents
    Variant
    (UNION)

    Exploiting the Object Setters Built in


    Array/Matrix
    data type
    Network Message

    DataSetMetaData (DiscoveryResponse)
    FieldMetaDataArray

    KeyValuePair

    Variant
    ExtensionObject

    Subscriber : Client

    Subscriber : Client Publisher/Sender : Server

    Subscriber : Client

    #BHUSA @BlackHatEvents
    • Demo? Multicast pubsub, RT communication..

    #BHUSA @BlackHatEvents
    Setting C++ Objects CVE-2021-32994

    TB5STACK

    Binary
    Message

    Extension Object Struct SDK C++


    Extension Object Struct Objects
    Extension
    TypeID: X/Y/Z..
    Object Struct
    TB5OT
    TypeID: X/Y/Z..
    Encoding: XML/Binary

    7x TypeID: X/Y/Z.. XML/Binary


    Encoding:
    Body: ByteString object
    Encoding:
    Body:XML/Binary
    ByteString object
    Body: ByteString object

    C Structure
    #BHUSA @BlackHatEvents

    https://www.123rf.com/photo_141980838_stock-vector-crumpled-cube-box-icon-black-illustration-of-damage-breakage-pain-damnification-contour-isolated-vec.html
    Not a one-time mistake…

    #BHUSA @BlackHatEvents
    Products
    Specifications Communication Commercial Products
    Stack SDKs

    .NET standard
    .NET legacy
    ANSI C legacy

    JAVA legacy

    #BHUSA @BlackHatEvents

    ** This mapping is based on our best effort & knowledge; some vendors or relations may be missing or inaccurate **
    Products

    Integration
    Configurations
    with OPC UA SDK/stack

    #BHUSA @BlackHatEvents
    SDK Integration
    Required Interfaces
    ServerConfig, NodeManager, IOManager

    Optional Interfaces
    MethodManager, EventManager, HistoryManager

    #BHUSA @BlackHatEvents
    http://documentation.unified-automation.com/uasdkcpp/1.4.2/html/L1ServerSdkIntroduction.html
    Fuzzing Products
    IOManager:
    * Read
    * Write

    * Monitor Items

    #BHUSA @BlackHatEvents
    Summary

    Cloud

    ERP

    MES
    SCADA

    Relay Broker

    HMI Controller Controller

    Field Field
    Devices Devices

    #BHUSA @BlackHatEvents
    Stay Safe!
    Eran Jacob
    @EranJacob
    linkedin.com/in/eranj

    Special thanks to
    Matan Dobrushin Roman Dvorkin Alon Zini
    @matan_dob linkedin.com/in/roman-dvorkin linkedin.com/in/alon-zini-3b9698185

    and the rest of the team

    You might also like