Vulnerabilities > CVE-2020-27267 - Out-of-bounds Write vulnerability in multiple products

CVSS 6.4 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

PARTIAL

network

low complexity

NVD

Published: 2021-01-14

Updated: 2021-01-21

Summary

KEPServerEX v6.0 to v6.9, ThingWorx Kepware Server v6.8 and v6.9, ThingWorx Industrial Connectivity (all versions), OPC-Aggregator (all versions), Rockwell Automation KEPServer Enterprise, GE Digital Industrial Gateway Server v7.68.804 and v7.66, and Software Toolbox TOP Server all 6.x versions, are vulnerable to a heap-based buffer overflow. Opening a specifically crafted OPC UA message could allow an attacker to crash the server and potentially leak data.

Vulnerable Configurations

Part	Description	Count
Application	Ge GE Industrial Gateway Server 7.66 GE Industrial Gateway Server 7.68.804	2
Application	Ptc PTC Kepware Kepserverex 6.0 PTC Kepware Kepserverex 6.9 PTC OPC Aggregator - PTC Thingworx Industrial Connectivity - PTC Thingworx Kepware Server 6.8 PTC Thingworx Kepware Server 6.9	6
Application	Rockwellautomation Rockwellautomation Kepserver Enterprise 6.6.504.0 Rockwellautomation Kepserver Enterprise 6.9.572.0	2
Application	Softwaretoolbox Softwaretoolbox TOP Server *	1

Common Weakness Enumeration (CWE)

CWE-787 - Out-of-bounds Write

References

https://us-cert.cisa.gov/ics/advisories/icsa-20-352-02