PT-2020-6946 · Kepware+4 · Kepserverex+5
Published: 2020-12-17 · Updated: 2021-01-21 · CVE-2020-27263
CVSS v3.1: 9.4 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions
KEPServerEX versions 6.0 through 6.9
ThingWorx Kepware Server versions 6.8 through 6.9
ThingWorx Industrial Connectivity (affected versions not specified)
OPC-Aggregator (affected versions not specified)
Rockwell Automation KEPServer Enterprise (affected versions not specified)
GE Digital Industrial Gateway Server versions 7.66 through 7.68.804
Software Toolbox TOP Server versions 6.x
Description
The issue is a heap-based buffer overflow that can occur when a specially crafted OPC UA message is opened, potentially allowing an attacker to crash the server and leak data. A remote attacker can exploit this to gain access to protected information or cause a denial of service.
Recommendations
For KEPServerEX versions 6.0 through 6.9, update to a version outside of this range to mitigate the issue.
For ThingWorx Kepware Server versions 6.8 through 6.9, update to a version outside of this range to mitigate the issue.
For ThingWorx Industrial Connectivity, OPC-Aggregator, and Rockwell Automation KEPServer Enterprise, there is currently no information about a newer version that contains a fix for this vulnerability.
For GE Digital Industrial Gateway Server versions 7.66 through 7.68.804, update to a version outside of this range to mitigate the issue.
For Software Toolbox TOP Server versions 6.x, update to a version outside of the 6.x range to mitigate the issue.
Heap Based Buffer Overflow
Memory Corruption
Affected Products
GE Digital Industrial Gateway Server
KEPServerEX
Rockwell Automation KEPServer Enterprise
TOP Server
ThingWorx Industrial Connectivity
ThingWorx Kepware Server