PT-2022-4448 · Asyncua
Sharon Brizinov
Published 2022-08-23 · Updated 2022-09-06
CVE-2022-25304
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
opcua: all versions
asyncua: all versions
Description
The issue is an uncontrolled consumption of resources in the opcua and asyncua libraries, which a remote attacker can exploit to cause a denial of service. The vulnerability is due to a missing limit on the number of received chunks, either per session or in total across all concurrent sessions. An attacker can exploit this by sending a large number of huge chunks without ever sending the final closing chunk.
Recommendations
For opcua all versions, consider implementing a limitation on the number of received chunks per session to prevent exploitation.
For asyncua all versions, consider implementing a limitation on the number of received chunks per session to prevent exploitation.
As a temporary workaround, consider restricting the size of chunks that can be received by the library to minimize the risk of exploitation.
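The recommendations above describe the fix only in outline. As an added example that is not code from the opcua or asyncua projects, the following per-session chunk assembler enforces all three bounds at once: chunk size (the temporary workaround), chunks per message (the recommended fix) and total buffered bytes. The class name, the limit values and the `feed` interface are assumptions for illustration; only the chunk-type bytes (`C` intermediate, `F` final, `A` abort) come from the OPC UA secure-conversation header.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed policy values (example settings, not opcua/asyncua defaults).
MAX_CHUNKS_PER_MESSAGE = 64
MAX_CHUNK_SIZE = 64 * 1024
MAX_MESSAGE_BYTES = 4 * 1024 * 1024

class ChunkLimitExceeded(Exception):
    """A peer exceeded a chunk limit; the caller should close the session."""

@dataclass
class ChunkAssembler:
    """Reassembles one OPC UA message from its chunks under hard upper bounds.
    Chunk types follow the OPC UA secure-conversation header: b"C" is an
    intermediate chunk, b"F" the final one, b"A" an abort. Without the bounds
    a peer sending only b"C" chunks makes the buffer grow without limit.
    """
    max_chunks: int = MAX_CHUNKS_PER_MESSAGE
    max_chunk_size: int = MAX_CHUNK_SIZE
    max_message_bytes: int = MAX_MESSAGE_BYTES
    _parts: List[bytes] = field(default_factory=list)
    _size: int = 0

    def feed(self, chunk_type: bytes, payload: bytes) -> Optional[bytes]:
        """Buffer one chunk; return the whole message on the final chunk, else None."""
        if chunk_type == b"A":  # abort: discard the partial message
            self._reset()
            return None
        if chunk_type not in (b"C", b"F"):
            raise ValueError(f"unknown chunk type {chunk_type!r}")
        # Check every bound before buffering; drop state on violation so a rejected peer keeps no memory pinned.
        too_large = len(payload) > self.max_chunk_size
        too_many = len(self._parts) >= self.max_chunks
        too_long = self._size + len(payload) > self.max_message_bytes
        if too_large or too_many or too_long:
            self._reset()
            raise ChunkLimitExceeded("chunk limit exceeded; close the session")
        self._parts.append(payload)
        self._size += len(payload)
        if chunk_type != b"F":
            return None
        message = b"".join(self._parts)
        self._reset()
        return message

    def _reset(self) -> None:
        self._parts.clear()
        self._size = 0
```

A server would keep one assembler per session and close the session on `ChunkLimitExceeded`; a global budget across all concurrent sessions follows the same pattern with a shared counter.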
Fix
DoS · Resource Exhaustion · Allocation of Resources Without Limits
Related Identifiers
Affected Products
Debian · Asyncua · Opcua