Professional Documents
Culture Documents
Us 21 A Broken Chain Discovering OPC UA Attack Surface and Exploiting The Supply Chain
Us 21 A Broken Chain Discovering OPC UA Attack Surface and Exploiting The Supply Chain
Discovering OPC-UA
Attack Surface and Exploiting the Supply-chain
By Eran Jacob
#BHUSA @BlackHatEvents
Who am I?
Eran Jacob
Security Research Team Leader
@EranJacob
linkedin.com/in/eranj
#BHUSA @BlackHatEvents
Automation Protocols
#BHUSA @BlackHatEvents
OPC Classic
Open Platform Communications
- Data Access
- Alarms and Events
- Historical Data Access
Distributed Component
Object Model Firewall unfriendly Security
#BHUSA @BlackHatEvents
OPC Unified Architecture
Cloud
Cloud/IT
ERP
3.
MES
2. SCADA
Relay Broker
OT 4.
Field Devices Field Devices
#BHUSA @BlackHatEvents
OPC Unified Architecture
Cloud
Cloud/IT
ERP
3.
MES
2. SCADA
Relay Broker
OT 4.
Field Devices Field Devices
#BHUSA @BlackHatEvents
Motivation for Research
• The “next-thing” in industrial
communication
• Highly adopted
• Significant potential impact
#BHUSA @BlackHatEvents
Discovering the Attack Surface
02 or at least some of it..
#BHUSA @BlackHatEvents
Mapping the surface
Specifications Communication
Stack
.NET Standard
.NET legacy
ANSI C legacy
JAVA legacy
#BHUSA @BlackHatEvents
Mapping the surface
Specifications Communication
Stack
.NET standard
.NET legacy
ANSI C legacy
JAVA legacy
#BHUSA @BlackHatEvents
Mapping the surface
Specifications Communication Commercial
Stack SDKs
.NET standard
.NET legacy
ANSI C legacy
JAVA legacy
** This mapping is based on our best effort & knowledge; some #BHUSA @BlackHatEvents
vendors or relations may be missing or inaccurate **
Mapping the surface
C / C++
.NET
#BHUSA @BlackHatEvents
Mapping the surface
C / C++
#BHUSA @BlackHatEvents
Mapping the surface
C / C++
#BHUSA @BlackHatEvents
Mapping the surface
C / C++
.NET
#BHUSA @BlackHatEvents
Mapping the surface
Specifications Communication Commercial
Stack SDKs
#BHUSA @BlackHatEvents
** This mapping is based on our best effort & knowledge; some vendors or relations may be missing or inaccurate **
Mapping the surface
Specifications Communication Commercial Products
Stack SDKs
.NET standard
.NET legacy
ANSI C legacy
JAVA legacy
#BHUSA @BlackHatEvents
** This mapping is based on our best effort & knowledge; some vendors or relations may be missing or inaccurate **
Chain of Dependency
Specifications Communication Commercial Products
Stack SDKs
.NET standard
.NET legacy
ANSI C legacy
JAVA legacy
#BHUSA @BlackHatEvents
** This mapping is based on our best effort & knowledge; some vendors or relations may be missing or inaccurate **
Pervious Work
#BHUSA @BlackHatEvents
Chain of Dependency
Specifications Communication Commercial Products
Stack SDKs
.NET standard
.NET legacy
ANSI C legacy
JAVA legacy
#BHUSA @BlackHatEvents
** This mapping is based on our best effort & knowledge; some vendors or relations may be missing or inaccurate **
OPC UA Connection
Client Server
HEL Hello
Acknowledge ACK
Transport
OpenSecureChannelRequest
OPN Secure Channel: Confidentiality, Integrity, App
OpenSecureChannelResponse Authentication
OPN
MSG CreateSessionRequest
CreateSessionResponse MSG
Session: User Authentication & Authorization
MSG ActivateSessionRequest
ActivateSessionResponse
MSG
MSG …
MSG
…
MSG Messages: Read, Write, Call…
MSG
CLO CloseSecureChannelRequest
#BHUSA @BlackHatEvents
Reading the Reference
Complex Datatypes
Variants, Extension Objects, Structures
Flexible Encoding
Binary, XML, JSON
Pre-security messages
(OpenSecureChannel, GetEndpoints , FindServers…)
#BHUSA @BlackHatEvents
https://tyk.io/great-api-documentation-requires-code-examples/
Chain of Dependency
Specifications Communication Commercial Products
Stack SDKs
.NET standard
.NET legacy
ANSI C legacy
JAVA legacy
#BHUSA @BlackHatEvents
** This mapping is based on our best effort & knowledge; some vendors or relations may be missing or inaccurate **
Object
Breaking the .NET Stack
• NET doesn’t like deep function calls… Inner Object
• The reference alerts of such risk when describing nested data types.
XML/Binary
• A related issue was already found in the past (CVE-2018-12086):
#BHUSA @BlackHatEvents
Nested Data Types
Variant Extension Object
(UNION) (Structure Container)
OPC UA Structure
Array/Matrix Built in data type
XML/Binary
#BHUSA @BlackHatEvents
Variant
(UNION)
#BHUSA @BlackHatEvents
Extension Object
(Structure Container)
Nested Structures
- Extension Objects! OPC UA Structure
- VERY useful for pivoting our way to vulnerable parts of the stacks
- Used in messages before channel or session security (in both directions) XML/Binary
Client Server
HEL Hello
Acknowledge ACK
Transport
OpenSecureChannelRequest
OPN Secure Channel: Confidentiality, Integrity, App
OpenSecureChannelResponse Authentication
OPN
MSG CreateSessionRequest
CreateSessionResponse MSG
Session: User Authentication & Authorization
MSG ActivateSessionRequest
ActivateSessionResponse
MSG
MSG …
MSG
…
MSG Messages: Read, Write, Call…
MSG
CLO CloseSecureChannelRequest #BHUSA @BlackHatEvents
Extension Object
(Structure Container)
Nested Structures
OPC UA Structure
OpenSecureChannelRequest
OPN XML/Binary
#BHUSA @BlackHatEvents
Extension Object
(Structure Container)
Nested
-
Structures
Chunks. OPC UA Structure
XML/Binary
Client Server
HEL Hello
Acknowledge ACK Transport connection
OpenSecureChannelRequest
OPN Secure Channel: Confidentiality, Integrity, App
OpenSecureChannelResponse Authentication
OPN
MSG CreateSessionRequest
CreateSessionResponse MSG
Session: User Authentication & Authentication
MSG ActivateSessionRequest
ActivateSessionResponse
MSG
MSG …
MSG
… Messages: Read, Write, Call…
MSG
MSG
CLO CloseSecureChannelRequest
#BHUSA @BlackHatEvents
Extension Object
(Structure Container)
Nested
-
Structures
Chunks. OPC UA Structure
XML/Binary
Client Server
HEL Hello
Acknowledge ACK Transport connection
OpenSecureChannelRequest
OPN Secure Channel: security mode = NONE
OpenSecureChannelResponse
OPN
MSG FindServersRequest
FindServersResponse FindServers
MSG
CLO CloseSecureChannelRequest
#BHUSA @BlackHatEvents
.NET Stack Vulnerability
6 years old 0 day
CVE-2021-27432
#BHUSA @BlackHatEvents
.NET Stack Vulnerability
Client -> Server
Main Site
PC
Loss of visibility & control Loss of visibility & control
OPC UA SERVER SCADA OPC UA SERVER
(OPC UA client)
Main Site
PC
Loss of visibility & control Loss of visibility & control
OPC UA SERVER SCADA OPC UA SERVER
(OPC UA client)
.NET standard
.NET legacy
ANSI C legacy
JAVA legacy
#BHUSA @BlackHatEvents
** This mapping is based on our best effort & knowledge; some vendors or relations may be missing or inaccurate **
Unified Automation .NET SDK
Specifications Communication Commercial Products
Stack SDKs
.NET standard
.NET legacy
ANSI C legacy
JAVA legacy
#BHUSA @BlackHatEvents
** This mapping is based on our best effort & knowledge; some vendors or relations may be missing or inaccurate **
XXE. Again. CVE-2021-27434
IT Network
OT Network
OPC UA SERVER
.NET standard
.NET legacy
ANSI C legacy
JAVA legacy
#BHUSA @BlackHatEvents
** This mapping is based on our best effort & knowledge; some vendors or relations may be missing or inaccurate **
Softing C++ OPC UA SDK
TB5UTIL
Stack-level processing TB5STACK Foundation’s ANSI C stack structures
#BHUSA @BlackHatEvents
From Binary to Objects
TB5STACK
Binary Message
SDK C++
Objects
TB5OT
C Structures
#BHUSA @BlackHatEvents
https://www.flaticon.com/free-icon/documents_160085
Extension Object
(Structure Container)
BODY UNION
#BHUSA @BlackHatEvents
Foundation’s ExtensionObject
Zooming into the ExtensionObject body union
Int32, Byte*
Int32, Byte*
Object* , EncodableType*
#BHUSA @BlackHatEvents
Foundation’s ExtensionObject
MUST be validated
ID of the contained structure
Encoding of the BODY MUST be validated
BODY UNION
#BHUSA @BlackHatEvents
Setting C++ Objects
TB5STACK
Binary Message
SDK C++
Extension Object Struct Objects
TB5OT
TypeID: X/Y/Z..
Encoding: EncodeableObject
C Structure
#BHUSA @BlackHatEvents
https://www.flaticon.com/free-icon/documents_160085
Skipping Internal Structure Decoding
1. XML..
2. Type-ID encoding
#BHUSA @BlackHatEvents
Setting C++ Objects
TB5STACK
Binary Message
SDK C++
Extension Object Struct Objects
TB5OT
TypeID: X/Y/Z..
Encoding: XML/Binary
C Structure
#BHUSA @BlackHatEvents
https://www.flaticon.com/free-icon/documents_160085
Setting C++ Objects
TB5STACK
Binary Message
SDK C++
Extension Object Struct Objects
TB5OT
TypeID: X/Y/Z..
Encoding: XML/Binary
C Structure
#BHUSA @BlackHatEvents
https://www.flaticon.com/free-icon/documents_160085
A word about PubSub
Option: Publish/Subscribe in the Cloud
Subscriber : Client
Subscriber : Client
Subscriber : Client
Publisher/Sender : Server
Subscriber : Client
Subscriber : Client
Subscriber : Client
Relay Broker
Publisher/Sender : Server
Subscriber : Client
Subscriber : Client
Subscriber : Client
DataSetMetaData (DiscoveryResponse)
FieldMetaDataArray
KeyValuePair
Variant
ExtensionObject
Subscriber : Client
Subscriber : Client
#BHUSA @BlackHatEvents
• Demo? Multicast pubsub, RT communication..
#BHUSA @BlackHatEvents
Setting C++ Objects CVE-2021-32994
TB5STACK
Binary
Message
C Structure
#BHUSA @BlackHatEvents
https://www.123rf.com/photo_141980838_stock-vector-crumpled-cube-box-icon-black-illustration-of-damage-breakage-pain-damnification-contour-isolated-vec.html
Not a one-time mistake…
#BHUSA @BlackHatEvents
Products
Specifications Communication Commercial Products
Stack SDKs
.NET standard
.NET legacy
ANSI C legacy
JAVA legacy
#BHUSA @BlackHatEvents
** This mapping is based on our best effort & knowledge; some vendors or relations may be missing or inaccurate **
Products
Integration
Configurations
with OPC UA SDK/stack
#BHUSA @BlackHatEvents
SDK Integration
Required Interfaces
ServerConfig, NodeManager, IOManager
Optional Interfaces
MethodManager, EventManager, HistoryManager
#BHUSA @BlackHatEvents
http://documentation.unified-automation.com/uasdkcpp/1.4.2/html/L1ServerSdkIntroduction.html
Fuzzing Products
IOManager:
* Read
* Write
…
* Monitor Items
#BHUSA @BlackHatEvents
Summary
Cloud
ERP
MES
SCADA
Relay Broker
Field Field
Devices Devices
#BHUSA @BlackHatEvents
Stay Safe!
Eran Jacob
@EranJacob
linkedin.com/in/eranj
Special thanks to
Matan Dobrushin Roman Dvorkin Alon Zini
@matan_dob linkedin.com/in/roman-dvorkin linkedin.com/in/alon-zini-3b9698185