B&R Automation Studio Improper Certificate Validation Vulnerability Allowing Data Interception
Vulnerability
A vulnerability exists in the OPC-UA client and ANSL over TLS client in B&R Automation Studio versions prior to 6.5. This vulnerability allows an unauthenticated attacker on the network to intercept and interfere with data exchanges by spoofing a trusted server. The issue arises from insufficient validation of server certificates, which could enable an attacker to masquerade as a trusted entity during communications.
Impact
Exploitation of this vulnerability could lead to unauthorized interception and manipulation of data exchanges between B&R Automation Studio and ANSL or OPC-UA servers. An attacker could spoof a trusted server, potentially causing the disclosure of confidential information or unauthorized alteration of data in transit.
Remediation
Users are advised to update to B&R Automation Studio version 6.5, where this vulnerability has been addressed. The update process is described in the user manual.
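The following is an added example and not B&R code: it builds a throw-away PKI with the openssl CLI and contrasts a client that only checks that a server certificate parses (the failure mode this advisory describes) with one that requires the certificate to chain to its trust store and to name the server it intended to reach. The CA name, the hostnames and the key sizes are constructed for the demo; it assumes only openssl 1.1.1 or newer on the PATH.

```shell
#!/bin/sh
# Added example, not B&R code: a throw-away PKI built with the openssl CLI
# and the server-certificate checks a TLS / OPC UA client must apply before
# trusting a connection. Names (Demo Plant CA, plc.demo.local) are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# 1. The CA the client keeps in its trust store (the only anchor it trusts)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo Plant CA" -days 2 2>/dev/null

# 2. The genuine server certificate, issued by that CA for plc.demo.local
openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj "/CN=plc.demo.local" 2>/dev/null
printf 'subjectAltName=DNS:plc.demo.local\n' > san.cnf
openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out srv.pem -days 1 -extfile san.cnf 2>/dev/null

# 3. A certificate for the same name that does NOT chain to the trusted CA
#    (what a spoofed server would present; self-signed here for the demo)
openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.pem \
  -subj "/CN=plc.demo.local" -addext "subjectAltName=DNS:plc.demo.local" \
  -days 1 2>/dev/null

# Vulnerable pattern: "validation" that only checks the certificate parses.
# Any well-formed certificate, including the rogue one, is accepted.
accept_if_parsable() {
  openssl x509 -in "$1" -noout 2>/dev/null
}

# Correct pattern: the certificate must chain to a trusted CA, be inside its
# validity period (openssl verify checks this), and name the intended server.
# Usage: verify_server_cert <trusted-ca.pem> <server-cert.pem> <expected-host>
verify_server_cert() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

report() {  # $1 = label, remaining args = command to run
  label=$1; shift
  if "$@"; then echo "$label: ACCEPTED"; else echo "$label: REJECTED"; fi
}
report "parse-only, genuine cert" accept_if_parsable srv.pem
report "parse-only, rogue cert  " accept_if_parsable rogue.pem
report "verified,   genuine cert" verify_server_cert ca.pem srv.pem plc.demo.local
report "verified,   rogue cert  " verify_server_cert ca.pem rogue.pem plc.demo.local
report "verified,   wrong host  " verify_server_cert ca.pem srv.pem other.demo.local
```

The parse-only client accepts both certificates; the verifying client accepts only the genuine one and rejects both the rogue certificate and a genuine certificate presented for a different host.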
