ghsa-fph9-f5r6-vhqf
Vulnerability from github
Published
2022-09-15 03:35
Modified
2022-09-15 03:35
Summary
Eclipse Milo vulnerable to Resource Exhaustion (Denial of Service)
Details

Impact

Denial of Service

Details

The OPC UA specification describes a concept named Subscriptions. A Subscription monitors a set of Monitored Items for Notifications and returns them to the Client in response to Publish requests; the server only sends a notification when a monitored value actually changes. Each monitored item belongs to a subscription, and each subscription is bound to a single OPC UA session. Most OPC UA implementations enforce several limits to keep memory consumption in check. For example:

  • the maximum number of concurrent sessions
  • for each active session, the maximum number of concurrent subscriptions per session
  • for each active subscription, the maximum number of concurrent monitored items per subscription

Team82 (Claroty Research) discovered a way to bypass those limits and fill up the OPC UA server's process memory.

The CloseSession request closes a connected session. It carries a deleteSubscriptions flag that tells the server whether to discard the session's subscriptions or to keep them so that a later session can claim them with the TransferSubscriptions service. If deleteSubscriptions is False, the server retains the subscriptions and their monitored items after the session is gone, and nothing bounds how many such retained subscriptions accumulate.

Repeating this from many sessions, each with several subscriptions carrying many monitored items, quickly fills the process memory until the server crashes.

To trigger the bug, all that is needed is to open sessions, create subscriptions and monitored items in them, and close each session with deleteSubscriptions set to False, never deleting the monitored items. Because every session is closed before the next one is opened, the session, subscription and monitored-item limits are respected at every step, yet the memory they were supposed to bound is never released. Eventually these allocations consume all available process memory, crashing the server and causing a denial of service.

The Claroty PoC does:

```
while True:
    Open a valid OPC UA session
    Create multiple subscriptions
    Add monitored items to each subscription
    Close the session with the deleteSubscriptions flag = False
```
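As an added illustration, not code from the Eclipse Milo project or from the Claroty PoC, the following Python model reproduces the accounting the advisory describes: sessions, subscriptions and monitored items each have a quota, but subscriptions retained by CloseSession with deleteSubscriptions=False land in a pool that no quota covers. The `max_total_subscriptions` knob is an assumed hardening shown for comparison (it is not a description of the Milo 0.6.8 fix): it counts retained subscriptions against one server-wide limit so that closing and reopening sessions cannot reset the budget. All class names, limits and node ids are constructed for the example.

```python
"""Toy model of OPC UA server-side subscription bookkeeping (added example,
not Eclipse Milo's code). Per-session quotas are enforced, but a CloseSession
with deleteSubscriptions=False parks the session's subscriptions in a pool that
nothing counts, so the pool grows without bound. max_total_subscriptions is an
assumed hardening: one server-wide limit covering live and retained ones."""

import itertools
from dataclasses import dataclass, field


class ServiceFault(Exception):
    """Stands in for an OPC UA service fault such as Bad_TooManySubscriptions."""


@dataclass
class Subscription:
    subscription_id: int
    monitored_items: list = field(default_factory=list)


@dataclass
class Session:
    session_id: int
    subscriptions: dict = field(default_factory=dict)


class Server:
    def __init__(self, max_sessions=10, max_subs_per_session=5,
                 max_items_per_sub=100, max_total_subscriptions=None):
        self.max_sessions = max_sessions
        self.max_subs_per_session = max_subs_per_session
        self.max_items_per_sub = max_items_per_sub
        # None reproduces the vulnerable behaviour; an int enables the cap.
        self.max_total_subscriptions = max_total_subscriptions
        self.sessions = {}
        self.retained = {}  # subscriptions kept alive for TransferSubscriptions
        self._ids = itertools.count(1)

    def _total_subscriptions(self):
        live = sum(len(s.subscriptions) for s in self.sessions.values())
        return live + len(self.retained)

    def create_session(self):
        if len(self.sessions) >= self.max_sessions:
            raise ServiceFault("Bad_TooManySessions")
        session = Session(next(self._ids))
        self.sessions[session.session_id] = session
        return session.session_id

    def create_subscription(self, session_id):
        session = self.sessions[session_id]
        if len(session.subscriptions) >= self.max_subs_per_session:
            raise ServiceFault("Bad_TooManySubscriptions")
        # Hardened check: retained subscriptions count too, so closing and
        # reopening sessions cannot reset the budget.
        if (self.max_total_subscriptions is not None
                and self._total_subscriptions() >= self.max_total_subscriptions):
            raise ServiceFault("Bad_TooManySubscriptions")
        sub = Subscription(next(self._ids))
        session.subscriptions[sub.subscription_id] = sub
        return sub.subscription_id

    def create_monitored_items(self, session_id, subscription_id, node_ids):
        sub = self.sessions[session_id].subscriptions[subscription_id]
        if len(sub.monitored_items) + len(node_ids) > self.max_items_per_sub:
            raise ServiceFault("Bad_TooManyMonitoredItems")
        sub.monitored_items.extend(node_ids)

    def close_session(self, session_id, delete_subscriptions=True):
        session = self.sessions.pop(session_id)
        if not delete_subscriptions:
            # The session slot is freed, but its subscriptions (and every
            # monitored item in them) stay allocated, outside any per-session quota.
            self.retained.update(session.subscriptions)

    def retained_monitored_items(self):
        return sum(len(s.monitored_items) for s in self.retained.values())


def hammer(server, rounds):
    """The loop from the advisory's PoC, run against the model server.
    Returns the number of monitored items still held by retained subscriptions."""
    for _ in range(rounds):
        sid = server.create_session()
        for _ in range(server.max_subs_per_session):
            sub_id = server.create_subscription(sid)
            # Constructed node ids; any monitored node would do.
            nodes = ["ns=2;i=%d" % i for i in range(server.max_items_per_sub)]
            server.create_monitored_items(sid, sub_id, nodes)
        server.close_session(sid, delete_subscriptions=False)
    return server.retained_monitored_items()


if __name__ == "__main__":
    vulnerable = Server()
    print("vulnerable server retains", hammer(vulnerable, 100), "monitored items")
    hardened = Server(max_total_subscriptions=50)
    try:
        hammer(hardened, 100)
    except ServiceFault as fault:
        print("hardened server faulted with", fault,
              "after retaining", len(hardened.retained), "subscriptions")
```

With the defaults, the unbounded server holds 50,000 monitored items after 100 rounds even though it never had more than one session, five subscriptions per session or 100 items per subscription at any instant; the capped server faults on the eleventh session once 50 subscriptions are parked. The cap is one of several possible controls: a server that honours the subscription lifetime counter will also eventually discard parked subscriptions nobody publishes on, but an attacker creating them faster than they expire still needs a hard limit.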

Acknowledgement

We would like to thank Vera Mens, Uri Katz and @sharonbrizinov of Team82 (Claroty Research) for this report.

For more information

If you have any questions or comments about this advisory:

  • Open an issue in the Eclipse Milo repository (https://github.com/eclipse/milo/issues)
  • Email us at milo-dev (https://accounts.eclipse.org/mailing-list/milo-dev)



{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.milo:sdk-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-15T03:35:46Z",
    "nvd_published_at": "2022-09-08T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nDenial of Service\n\n### Details\n\nOPC UA specification describes a concept named _Subscriptions_. _Subscriptions_ monitor a set of _Monitored Items_ for _Notifications_ and return them to the _Client_ in response to _Publish_ requests. The server notifies the client about changes only in case the value is changed. Each monitored item is configured on a subscription, each subscription is linked to a single OPC UA session. Most OPC UA implementations set many controls and limitations for excessive memory consumption. For example:\n\n* What is the maximum allowed number of concurrent sessions\n* For each active sessions - what is the maximum allowed number of concurrent subscription per a single session\n* For each active subscription - what is the maximum allowed number of concurrent monitored items per a single subscription\n\nClarity Research discovered a unique way to bypass those restrictions and fill up the OPC UA server process memory.\n\nThe close session request closes a connected session. A `deleteSubscription` flag is also sent in that message and determines whether the server should save the subscriptions for a future session reconnection or discard them upon session termination. If the `deleteSubscription` flag is `False` the server will store the subscriptions thus filling up the memory in an unlimited manner.\n\nSending multiple subscribe requests with multiple monitored items from multiple sessions will quickly fill up the process memory until the server crashes.\n\nTo trigger this bug all is needed is to create many sessions with subscriptions and monitored items without ever deleting the monitored items. Eventually these allocations will consume all the available process memory which will lead to a crash and denial of service condition.\n\nClarity PoC does:\n```\nwhile True:\n    Open a valid OPC UA session\n    Create multiple subscriptions\n    Add monitored items to each subscription\n    Close the session with the DeleteSubscriptions flag = False\n````\n\n### Acknowledgement\n\nWe would like to thanks Vera Mens, Uri Katz, @sharonbrizinov of Team82 ([Claroty Research](https://claroty.com/)) for this report.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Eclipse Milo repository](https://github.com/eclipse/milo/issues)\n* Email us at [milo-dev](https://accounts.eclipse.org/mailing-list/milo-dev)\n",
  "id": "GHSA-fph9-f5r6-vhqf",
  "modified": "2022-09-15T03:35:46Z",
  "published": "2022-09-15T03:35:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/milo/security/advisories/GHSA-fph9-f5r6-vhqf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25897"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/milo/issues/1030"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/milo/pull/1031"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/milo/commit/4534381760d7d9f0bf00cbf6a8449bb0d13c6ce5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eclipse/milo"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Eclipse Milo vulnerable to Resource Exhaustion (Denial of Service)"
}

