Jim Luth
Joined: 18 Feb 2003 Posts: 168 Location: OPC Foundation
Posted: Wed Feb 28, 2007 5:09 pm Post subject: CERT security vulnerability reports

I have seen some CERT security vulnerability notices for some OPC products. Is there a security flaw in the OPC interface? Do all OPC products have these vulnerabilities?
Jim Luth
Joined: 18 Feb 2003 Posts: 168 Location: OPC Foundation
Posted: Wed Feb 28, 2007 5:10 pm Post subject:

Since the purpose of the OPC interface is to provide a well-known standard way for software products from multiple vendors to communicate, the existence of such interfaces will always provide a possible attack surface for malicious applications to exploit. The vulnerabilities that have been reported by CERT[1] and others are for particular OPC implementations in vendor products and do not indicate any weakness in the design of the OPC interfaces themselves. In fact, using one such vulnerability testing tool, the majority of OPC products tested passed[2]. It is also important to note that for such an attack to happen, the DCOM security would have to have been somehow breached (or have been misconfigured, i.e. turned off).
The OPC Foundation urges all OPC vendors to follow secure coding practices and be vigilant in testing their OPC implementations for security vulnerabilities.
[1] http://www.neutralbit.com/en/press/news/17/
[2] http://www.digitalbond.com/index.php/2007/01/29/s4-day-two-in-review/