PT-2020-6947 · Kepware+4 · Kepserverex+5
Published: 2020-12-17 · Updated: 2021-01-21
CVE-2020-27267
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions
KEPServerEX versions 6.0 through 6.9
ThingWorx Kepware Server versions 6.8 through 6.9
ThingWorx Industrial Connectivity (all versions)
OPC-Aggregator (all versions)
Rockwell Automation KEPServer Enterprise (affected versions not specified)
GE Digital Industrial Gateway Server versions 7.66 through 7.68.804
Software Toolbox TOP Server versions 6.x
Description
The issue is a heap-based buffer overflow that can be triggered by opening a specially crafted OPC UA message. This could allow an attacker to crash the server and potentially leak data. The vulnerability can be exploited remotely, leading to a denial of service.
Recommendations
For KEPServerEX versions 6.0 through 6.9, update to a version that includes a fix for the heap-based buffer overflow issue.
For ThingWorx Kepware Server versions 6.8 and 6.9, update to a version that includes a fix for the heap-based buffer overflow issue.
For ThingWorx Industrial Connectivity, restrict access to the OPC UA message handling functionality until a patch is available.
For OPC-Aggregator, avoid processing specially crafted OPC UA messages until a fix is applied.
For Rockwell Automation KEPServer Enterprise, contact the vendor for specific guidance on mitigating the issue.
For GE Digital Industrial Gateway Server versions 7.66 through 7.68.804, update to a version that includes a fix for the heap-based buffer overflow issue.
For Software Toolbox TOP Server versions 6.x, update to a version that includes a fix for the heap-based buffer overflow issue.
Fix
Memory Corruption
Use After Free
Related Identifiers
Affected Products
Industrial Gateway Server
Enterprise Server
KEPServerEX
TOP Server
ThingWorx Industrial Connectivity
ThingWorx Kepware Server