Description
Insufficient Nonce Validation in Eclipse Milo Client
Impact
Credential replay affecting those connected to a server when all 3 of the following conditions are met:
- SecurityPolicy is None
- using username/password or X509-based authentication
- the server has a defect causing it to send null/empty or zeroed nonces
Patches
The problem has been patched in version 0.3.6. A more relaxed treatment of validation as agreed upon by the OPC UA Security Working Group is implemented in version 0.3.7.
Workarounds
Do not use username/password or X509-based authentication with SecurityPolicy of None.
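The following Python sketch is an added illustration, not Milo's code or the project's API. It shows the client-side server-nonce check that the fix adds and why it matters: a toy server that binds the user identity token to the session nonce, a defective variant that hands out a zeroed nonce on every CreateSession (the server defect the advisory describes), and an unpatched client beside a patched one. The names (`validate_server_nonce`, `ToyServer`, `UserToken`, `client_login`, `replay_attack`) and the 32-byte minimum length are assumptions for the demo; the real token carries `password || serverNonce` encrypted with the server certificate, which the sketch omits because the replay succeeds or fails on the nonce binding alone.

```python
"""Constructed demo of CVE-2019-19135-style nonce validation (not Eclipse Milo code)."""
import secrets
from dataclasses import dataclass

# OPC UA Part 4 recommends nonces of at least 32 bytes; treating that as a hard
# minimum is an assumption of this demo, not Milo's exact rule.
MIN_NONCE_LEN = 32


def validate_server_nonce(nonce):
    """Return None if the nonce is acceptable, otherwise a reason string.
    Rejects exactly the degenerate nonces the advisory lists: null/empty, short, all zeros."""
    if nonce is None or len(nonce) == 0:
        return "null or empty server nonce"
    if len(nonce) < MIN_NONCE_LEN:
        return f"server nonce too short ({len(nonce)} bytes)"
    if not any(nonce):
        return "server nonce is all zeros"
    return None


@dataclass
class UserToken:
    """Stand-in for the user identity token: the credential plus the server nonce it was issued for."""
    password: bytes
    nonce: bytes


class ToyServer:
    """Minimal session state. defective=True mimics a server that always sends a zeroed nonce."""

    def __init__(self, defective, password=b"s3cret"):
        self.defective = defective
        self.password = password
        self.session_nonce = None

    def create_session(self):
        self.session_nonce = bytes(MIN_NONCE_LEN) if self.defective else secrets.token_bytes(MIN_NONCE_LEN)
        return self.session_nonce

    def activate_session(self, token):
        # The nonce ties the token to this session; its freshness is the whole anti-replay defence.
        return (secrets.compare_digest(token.password, self.password)
                and secrets.compare_digest(token.nonce, self.session_nonce))


def client_login(server, password, strict):
    """Return (accepted, token). strict=True is the patched client: it validates the nonce
    before sending any credential and returns (False, None) if the nonce is degenerate."""
    nonce = server.create_session()
    if strict and validate_server_nonce(nonce) is not None:
        return False, None
    token = UserToken(password, nonce)
    return server.activate_session(token), token


def replay_attack(server, captured):
    """Attacker opens a fresh session and resends a token captured from an earlier one."""
    server.create_session()
    return server.activate_session(captured)


def demo():
    results = {}
    # 1. Healthy server: the login works and a replay into a new session fails (fresh nonce).
    ok = ToyServer(defective=False)
    accepted, tok = client_login(ok, b"s3cret", strict=False)
    results["healthy_login"] = accepted
    results["healthy_replay"] = replay_attack(ok, tok)
    # 2. Defective server + unpatched client: the captured token is accepted again.
    bad = ToyServer(defective=True)
    accepted, tok = client_login(bad, b"s3cret", strict=False)
    results["defective_login"] = accepted
    results["defective_replay"] = replay_attack(bad, tok)
    # 3. Defective server + patched client: no credential ever leaves the client.
    accepted, tok = client_login(ToyServer(defective=True), b"s3cret", strict=True)
    results["patched_refuses"] = accepted is False and tok is None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the patched client's only lever is refusal: it cannot make a defective server's nonces fresh, it can only decline to hand that server a replayable credential, which is also why the workaround above is to avoid credential-based authentication on SecurityPolicy None altogether.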
For more information
If you have any questions or comments about this advisory:
- Open an issue at https://github.com/eclipse/milo/issues
- Email the mailing list
References
- https://github.com/eclipse/milo/security/advisories/GHSA-pq4w-qm9g-qx68
- https://nvd.nist.gov/vuln/detail/CVE-2019-19135
- https://github.com/eclipse/milo/commit/cac0e710bf2b8bed9c602fc597e9de1d8903abed
- https://opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2019-19135.pdf
- https://opcfoundation.org/security-bulletins
Packages
org.eclipse.milo:sdk-client
Affected versions: <= 0.3.4
Patched version: 0.3.6
Related vulnerabilities
In OPC Foundation OPC UA .NET Standard codebase 1.4.357.28, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua before 1.4.359.31, which allows man in the middle attackers to reuse encrypted user credentials sent over the network.