1. Enumerate policies with `GetEndpoints` and note any `Basic128Rsa15` entries.
66
66
2. Negotiate that policy explicitly (`SecurityPolicyUri` in `CreateSession`), then run your oracle loop until the recovered key validates.
67
67
3. Abuse the key to forge a high-privilege session, switch roles, or silently downgrade other clients by acting as a rogue reverse proxy.
68
+
-**CODESYS Runtime Toolkit (<3.5.21.0)** re-enabled Basic128Rsa15 whenever integrators compile with `CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY`. Flip that flag, re-run the oracle workflow above, and you can leak the runtime's private key to impersonate trusted engineering workstations until patch level 3.5.21.0 or later is deployed.
68
69
- OPC Foundation simultaneously published CVE-2024-42513 for HTTPS bindings. Even if your target claims TLS, make sure it is not silently falling back to Basic128Rsa15 for the binary transport behind the proxy.
69
70
71
+
### 2024-2025 exploit watchlist
72
+
73
+
-**open62541 fuzz_binary_decode (CVE-2024-53429):** SecureChannel chunks that declare oversized `ExtensionObject` bodies make the decoder dereference freed memory, so a pre-auth attacker can repeatedly crash UA servers that embed open62541 ≤1.4.6. Reuse the Claroty corpus (`opcua_message_boofuzz_db`) or craft your own Boofuzz harness to spam mutated `OpenSecureChannel` requests until the watchdog kills the process, then re-enumerate because many integrators fall back to anonymous mode after the reboot.
74
+
-**Softing OPC UA C++ SDK / edgeConnector / edgeAggregator (CVE-2025-7390):** The TLS client-auth pipeline accepts any certificate that replays a trusted Common Name, so you can mint a throwaway cert, copy the CN from a plant engineer, and log in with arbitrary `UserNameIdentityToken` or `IssuedIdentityToken` data. Pair this with a downgrade to Basic128Rsa15 to strip integrity checks and persistently impersonate operators until trustlists are rebuilt.
75
+
70
76
### Crafting OPC UA clients for exploitation
71
77
72
78
-**Custom clients:** Drop-in libraries (python-opcua/asyncua, node-opcua, open62541) let you drive exploit logic yourself. Always enforce your target namespace index to avoid accidental cross-namespace writes when vendors reorder namespaces after firmware updates.
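Review bot: the three new bullets (CODESYS, open62541, Softing) are missing the space between `-` and `**`, so Markdown renders them as plain paragraphs that begin with a literal hyphen instead of list items; write `- **CODESYS Runtime Toolkit (<3.5.21.0)** ...`, `- **open62541 fuzz_binary_decode (CVE-2024-53429):** ...` and `- **Softing OPC UA C++ SDK / edgeConnector / edgeAggregator (CVE-2025-7390):** ...`. The CODESYS entry also carries no CVE or advisory reference while its neighbours do, and the Softing CVE-2025-7390 entry names no fixed release, so add the vendor advisory link and the patched version for each so a reader can tell whether a deployment is remediated rather than relying only on the version ranges quoted here. Finally, the new `### 2024-2025 exploit watchlist` heading is inserted directly after the CODESYS and OPC Foundation bullets, which leaves those two bullets dangling beneath the numbered Basic128Rsa15 workflow; either move them into the new watchlist section or give them their own subheading so the section structure stays consistent with the following `### Crafting OPC UA clients for exploitation` heading.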
@@ -114,6 +120,8 @@ Combine the search with vendor strings (`"Ignition OPC UA"`, `"KepServerEX"`) or