Skip to content

Eclipse Milo vulnerable to Resource Exhaustion (Denial of Service)

High severity GitHub Reviewed Published Sep 7, 2022 in eclipse-milo/milo • Updated Feb 2, 2023

Package

maven org.eclipse.milo:sdk-server (Maven)

Affected versions

< 0.6.8

Patched versions

0.6.8

Description

Impact

Denial of Service

Details

OPC UA specification describes a concept named Subscriptions. Subscriptions monitor a set of Monitored Items for Notifications and return them to the Client in response to Publish requests. The server notifies the client about changes only in case the value is changed. Each monitored item is configured on a subscription, each subscription is linked to a single OPC UA session. Most OPC UA implementations set many controls and limitations for excessive memory consumption. For example:

  • What is the maximum allowed number of concurrent sessions
  • For each active sessions - what is the maximum allowed number of concurrent subscription per a single session
  • For each active subscription - what is the maximum allowed number of concurrent monitored items per a single subscription

Clarity Research discovered a unique way to bypass those restrictions and fill up the OPC UA server process memory.

The close session request closes a connected session. A deleteSubscription flag is also sent in that message and determines whether the server should save the subscriptions for a future session reconnection or discard them upon session termination. If the deleteSubscription flag is False the server will store the subscriptions thus filling up the memory in an unlimited manner.

Sending multiple subscribe requests with multiple monitored items from multiple sessions will quickly fill up the process memory until the server crashes.

To trigger this bug all is needed is to create many sessions with subscriptions and monitored items without ever deleting the monitored items. Eventually these allocations will consume all the available process memory which will lead to a crash and denial of service condition.

Clarity PoC does:

while True:
    Open a valid OPC UA session
    Create multiple subscriptions
    Add monitored items to each subscription
    Close the session with the DeleteSubscriptions flag = False

Acknowledgement

We would like to thanks Vera Mens, Uri Katz, @SharonBrizinov of Team82 (Claroty Research) for this report.

For more information

If you have any questions or comments about this advisory:

References

@eclipsewebmaster eclipsewebmaster published to eclipse-milo/milo Sep 7, 2022
Published by the National Vulnerability Database Sep 8, 2022
Published to the GitHub Advisory Database Sep 15, 2022
Reviewed Sep 15, 2022
Last updated Feb 2, 2023

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS score

0.222%
(61st percentile)

Weaknesses

CVE ID

CVE-2022-25897

GHSA ID

GHSA-fph9-f5r6-vhqf

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.