S2OPC CycloneCrypto Library Certificate Revocation Vulnerability

Vulnerability

A vulnerability exists in the S2OPC library's CycloneCrypto cryptographic wrapper, where the certificate revocation check only considers the first matching Certificate Revocation List (CRL) and ignores other valid CRLs from the same Certificate Authority (CA). This flaw could allow an OPC UA client to maintain a connection with a server while using a revoked certificate.

Impact

This vulnerability could lead to a revoked certificate being incorrectly accepted, because the revocation may be recorded in a later valid CRL than the first one the check examines. According to security requirements, connections must be terminated if a certificate is revoked.

Reproduction

The vulnerability can be reproduced by starting a push server and connecting two clients. After revoking the certificate of one client, that client's connection should be terminated. However, due to this vulnerability, the connection remains active.

Remediation

The issue has been fixed in the S2OPC library by updating the certificate revocation check to consider all valid CRLs associated with the same CA. Instructions for applying this fix can be found in the S2OPC GitLab repository.
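To illustrate the flaw described above and the corrected behaviour, the following is an added example in C; it is not S2OPC or CycloneCrypto code, and the CRL structure, function names and sample CRLs are constructed for this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed, simplified model of a CRL store; not S2OPC's real types. */
#define MAX_REVOKED 4
typedef struct {
    const char   *issuer;               /* CA that signed this CRL   */
    unsigned long revoked[MAX_REVOKED]; /* serial numbers it revokes */
    size_t        n_revoked;
} crl_t;
typedef enum { REV_OK, REV_REVOKED, REV_UNKNOWN } rev_status_t;

static bool crl_lists_serial(const crl_t *crl, unsigned long serial) {
    for (size_t i = 0; i < crl->n_revoked; i++)
        if (crl->revoked[i] == serial) return true;
    return false;
}

/* Flawed pattern: the first CRL from the issuing CA decides, so a
 * revocation recorded only in a later CRL is never seen. */
rev_status_t check_first_match(const crl_t *crls, size_t n,
                               const char *issuer, unsigned long serial) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(crls[i].issuer, issuer) == 0)
            return crl_lists_serial(&crls[i], serial) ? REV_REVOKED : REV_OK;
    return REV_UNKNOWN;
}

/* Corrected pattern: every CRL from the issuing CA is consulted; a CA with
 * no CRL at all yields REV_UNKNOWN instead of silently passing. */
rev_status_t check_all_crls(const crl_t *crls, size_t n,
                            const char *issuer, unsigned long serial) {
    bool found_ca_crl = false;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(crls[i].issuer, issuer) != 0) continue;
        found_ca_crl = true;
        if (crl_lists_serial(&crls[i], serial)) return REV_REVOKED;
    }
    return found_ca_crl ? REV_OK : REV_UNKNOWN;
}

/* Constructed sample: two CRLs from the same CA; only the second lists
 * serial 0x1002 (a client revoked after the first CRL was issued). */
static const crl_t sample_crls[] = {
    { "CN=Demo CA",  { 0x1001 }, 1 },
    { "CN=Demo CA",  { 0x1002 }, 1 },
    { "CN=Other CA", { 0x1002 }, 1 },
};
#define N_SAMPLE (sizeof sample_crls / sizeof sample_crls[0])
```

The REV_UNKNOWN outcome is an added caveat beyond the advisory: a checker that treats "no CRL found for this CA" as "not revoked" loses revocation in a related way, so that case should be surfaced to the caller rather than passed.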

Added: Jun 9, 2026, 9:26 AM
Updated: Jun 9, 2026, 9:26 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 8.3
remediation: 0.0
relevance: 9.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.