{ "document": { "category": "opc_security_advisory", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "publisher": { "category": "vendor", "name": "OPC Foundation", "namespace": "https://opcfoundation.org/security/csaf" }, "references": [ { "summary": "Advisory Source", "url": "https://github.com/OPCFoundation/OPC-SecurityAdvisories/tree/latest/csaf/2025/001" } ], "title": "Security Update for the OPC UA .NET Standard Stack", "tracking": { "current_release_date": "2025-02-01T00:00:00Z", "id": "OPC-2025-02-01-001", "initial_release_date": "2025-02-01T00:00:00Z", "revision_history": [ { "date": "2025-02-01T00:00:00Z", "number": "1.0.0", "summary": "Advisory published" } ], "status": "final", "version": "1.0.0" }, "notes": [ { "category": "legal_disclaimer", "text": "The information provided in this disclosure is provided 'as is' without warranty of any kind. OPC Foundation disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall OPC Foundation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if OPC Foundation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply." } ] }, "product_tree": { "branches": [ { "category": "product_name", "name": "OPC UA .NET Standard Stack", "product": { "name": "OPC UA .NET Standard Stack <1.5.374.118", "product_id": "CSAFPID-01" } } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "Rikard Hansson" ], "organization": "ABB", "summary": "discovering the issue." 
} ], "cwe": { "id": "CWE-404", "name": "Improper Resource Shutdown or Release" }, "discovery_date": "2025-02-01T00:00:00Z", "ids": [ { "system_name": "GCVE", "text": "GCVE-105-2025-001" } ], "involvements": [ { "party": "vendor", "status": "completed" } ], "notes": [ { "category": "summary", "text": "An unauthorized attacker can consume all available connections by exploiting improper resource shutdown." } ], "remediations": [ { "category": "vendor_fix", "details": "Update to OPC UA .NET Standard Stack version 1.5.374.118 or later.", "product_ids": [ "CSAFPID-01" ], "url": "https://github.com/OPCFoundation/UA-.NETStandard/releases/tag/1.5.374.118" }, { "category": "workaround", "details": "Do not use sign-only; always enable encryption.", "product_ids": [ "CSAFPID-01" ] }, { "category": "mitigation", "details": "Exploitation requires the attacker to be able to spoof IP packets and to have access to the private key of the client.", "product_ids": [ "CSAFPID-01" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "CSAFPID-01" ] } ], "threats": [ { "category": "impact", "details": "Denial of service via resource exhaustion." } ], "title": "Connection exhaustion via improper shutdown in OPC UA .NET Standard Stack" } ] }