CVE-2022-37012
Published: 29 March 2023
Summary
CVE-2022-37012 is a high-severity Improper Update of Reference Count (CWE-911) vulnerability in Unified Automation OPC UA C++ Demo Server. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 8.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
This vulnerability affects Unified Automation OPC UA C++ Demo Server version 1.7.6-537 and resides in the OpcUa_SecureListener_ProcessSessionCallRequest method. A remote attacker can submit a specially crafted OPC UA message that causes the server to mishandle a reference count, triggering a denial-of-service condition. The issue carries a CVSS 3.1 score of 7.5 and maps to CWE-911; no authentication or user interaction is required.
An unauthenticated attacker with network access to an affected installation can repeatedly send the malicious message to crash or hang the server, disrupting any OPC UA clients that depend on it. Because the flaw is triggered at the protocol-message level, exploitation requires only the ability to reach the server’s listening port.
Vendor documentation for the 1.7.7 release and the corresponding Zero Day Initiative advisory ZDI-22-1030 indicate that the reference-count handling error has been corrected in that update. Administrators are advised to upgrade from 1.7.6-537 to 1.7.7 or later to eliminate the flaw.
The associated EPSS score has remained flat at 0.0691 since disclosure, indicating no significant increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-39669
Vulnerability details
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation OPC UA C++ Demo Server 1.7.6-537. Authentication is not required to exploit this vulnerability. The specific flaw exists within the OpcUa_SecureListener_ProcessSessionCallRequest method. A crafted OPC UA message can force the server to incorrectly update a reference count. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-16927.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.