CVE-2019-19135

Name of the Vulnerable Software and Affected Versions OPC Foundation OPC UA .NET Standard codebase versions 1.4.357.28 through 1.4.359.30

Description The issue allows man-in-the-middle attackers to reuse encrypted user credentials sent over the network due to insufficiently random numbers created by servers. This affects scenarios where the SecurityPolicy is None and username/password or X509-based authentication is used, particularly when the server has a defect causing it to send null/empty or zeroed nonces.

Recommendations For versions 1.4.357.28 through 1.4.359.30, update to version 1.4.359.31 or later to resolve the issue. As a temporary workaround, consider avoiding the use of username/password or X509-based authentication with a SecurityPolicy of None until the update is applied.