CVE-2021-32994 - OpenCVE

Softing OPC UA C++ SDK (Software Development Kit) versions from 5.59 to 5.64 exported library functions don't properly validate received extension objects, which may allow an attacker to crash the software by sending a variety of specially crafted packets to access several unexpected memory locations.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Softing	Opc Ua C\+\+ Software Development Kit

Configuration 1 [-]

cpe:2.3:a:softing:opc_ua_c\+\+_software_development_kit:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-21-168-02

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-04-04T19:45:58

Updated: 2024-08-03T23:42:18.878Z

Reserved: 2021-05-13T00:00:00

Link: CVE-2021-32994

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-04-04T20:15:09.260

Modified: 2022-04-13T13:25:27.530

Link: CVE-2021-32994

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "OPC UA C++ SDK (Software Development Kit)", "vendor": "Softing", "versions": [{"lessThan": "5.64", "status": "affected", "version": "5.59", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Eran Jacob of OTORIO reported this vulnerability to CISA."}], "descriptions": [{"lang": "en", "value": "Softing OPC UA C++ SDK (Software Development Kit) versions from 5.59 to 5.64 exported library functions don't properly validate received extension objects, which may allow an attacker to crash the software by sending a variety of specially crafted packets to access several unexpected memory locations."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-119", "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-04T19:45:58", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-168-02"}], "solutions": [{"lang": "en", "value": "Softing has released version 5.65 to address this vulnerability and has notified known users of the release. As this vulnerability only affects the publisher and subscriber protocol, Softing highly recommends customers using this protocol to upgrade to the latest version or disable the functionality. Please download the latest software package from the Softing website. "}], "source": {"advisory": "ICSA-21-166-02", "discovery": "EXTERNAL"}, "title": "Softing OPC-UA C++ SDK Improper Restriction of Operations within the Bounds of a Memory Buffer", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2021-32994", "STATE": "PUBLIC", "TITLE": "Softing OPC-UA C++ SDK Improper Restriction of Operations within the Bounds of a Memory Buffer"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "OPC UA C++ SDK (Software Development Kit)", "version": {"version_data": [{"version_affected": "<", "version_name": "5.59", "version_value": "5.64"}]}}]}, "vendor_name": "Softing"}]}}, "credit": [{"lang": "eng", "value": "Eran Jacob of OTORIO reported this vulnerability to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Softing OPC UA C++ SDK (Software Development Kit) versions from 5.59 to 5.64 exported library functions don't properly validate received extension objects, which may allow an attacker to crash the software by sending a variety of specially crafted packets to access several unexpected memory locations."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-168-02", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-168-02"}]}, "solution": [{"lang": "en", "value": "Softing has released version 5.65 to address this vulnerability and has notified known users of the release. As this vulnerability only affects the publisher and subscriber protocol, Softing highly recommends customers using this protocol to upgrade to the latest version or disable the functionality. Please download the latest software package from the Softing website. "}], "source": {"advisory": "ICSA-21-166-02", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:42:18.878Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-168-02"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-32994", "datePublished": "2022-04-04T19:45:58", "dateReserved": "2021-05-13T00:00:00", "dateUpdated": "2024-08-03T23:42:18.878Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:softing:opc_ua_c\\+\\+_software_development_kit:*:*:*:*:*:*:*:*", "matchCriteriaId": "C954A776-FD68-472D-AAE7-76F4D520AC23", "versionEndExcluding": "5.65.0", "versionStartIncluding": "5.59.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Softing OPC UA C++ SDK (Software Development Kit) versions from 5.59 to 5.64 exported library functions don't properly validate received extension objects, which may allow an attacker to crash the software by sending a variety of specially crafted packets to access several unexpected memory locations."}, {"lang": "es", "value": "Softing OPC UA C++ SDK (Software Development Kit) versiones desde 5.59 hasta 5.64, exportan funciones de biblioteca que no comprueban apropiadamente los objetos de extensi\u00f3n recibidos, lo que puede permitir a un atacante bloquear el software mediante el env\u00edo de una variedad de paquetes especialmente dise\u00f1ados para acceder a varias ubicaciones de memoria no esperadas"}], "id": "CVE-2021-32994", "lastModified": "2022-04-13T13:25:27.530", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2022-04-04T20:15:09.260", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-168-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-119"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}