OpenPLC Runtime Input Validation Vulnerability Leading to Persistent Denial-of-Service

A persistent denial-of-service vulnerability has been identified in OpenPLC Runtime version 3.0 prior to the patch commit 095ee09623dd229b64ad3a1db38a901a3772f6fc. The issue arises from an input validation flaw in the '/upload-program-action' endpoint, where the 'epoch_time' field is not properly validated during program uploads. This allows for the injection of crafted values that can corrupt the programs database. After a successful upload of a malformed program, the runtime continues to function until it is restarted. However, upon restart, the runtime may fail to load due to corrupted database entries, leading to a persistent denial-of-service condition that requires a complete reinstallation of the product to recover.

Impact

Exploitation of this vulnerability causes a complete loss of runtime availability, with the application failing to start after a restart due to database corruption. This issue requires a full reinstallation of OpenPLC, causing significant downtime in industrial control system deployments.

Reproduction

The vulnerability can be reproduced by uploading a program through the '/upload-program-action' endpoint while providing an unvalidated 'epoch_time' value. This can be done by crafting a program upload that includes an invalid or excessively large integer in the 'epoch_time' field. Once the program is uploaded, the runtime will continue to operate until it is restarted. After the restart, the runtime will fail to start because of the corrupted database entries, demonstrating the persistent denial-of-service condition.

Remediation

Users can update to the latest version of OpenPLC Runtime v3, where this vulnerability has been fixed. The patch commit is available on the OpenPLC v3 GitHub repository.