Denial of Service #1013
Comments
Thank you @artfire52. For reference, this is CVE-2022-25304 and GHSA-mfpj-3qhm-976m. GitHub already raised an alert in our sample server implementation.
Actually, for this denial of service only one message is required; it does not exploit sending several chunks without the final one. For example, one OpenSecureChannel request with a null size in the size field of the OPC UA Connection Protocol message header is sufficient to perform a denial of service. Sending a hello message is not required, for instance.
@GoetzGoerisch, @schroeder- commented on #1023 that this vulnerability is not CVE-2022-25304. Hence #1039 does not fix that vulnerability.
Closed via #1039
The bug
It is possible to create a denial of service by sending a malformed packet. The server will be trapped in an infinite loop and consume a lot of memory. I created an issue instead of sending mail, following the instructions from "How to report a security issue?" #902.
Reproduce
To reproduce the denial of service, you have to send a packet with a null size.
Explanation
The function data_received in file binary_server_asyncio.py (opcua-asyncio/asyncua/server/binary_server_asyncio.py) continues to work on the same buffer. The value of (header.header_size + header.body_size) is equal to zero. In the function header_from_binary in (opcua-asyncio/asyncua/ua/ua_binary.py), the body_size is equal to zero at the beginning (due to our malformed packet). At the end, hdr.header_size is equal to 12 and hdr.body_size is equal to -12.
So in the function data_received, the buffer is never updated, and we are trapped in an infinite loop.
Version
Python-Version: Python 3.8.10
opcua-asyncio Version (e.g. master branch, 0.9):
branch master, commit 54e54fa (last commit 29/08/2022)
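One way to make a receive loop like the one described in this report refuse a size field that cannot advance the buffer, as an added example that is not part of the original issue and is not opcua-asyncio's code. The names split_frames, MalformedFrame, is_rejected and MAX_MESSAGE_SIZE, the simplified header model and the sample byte strings are assumptions made for this sketch.

```python
import struct

BASE_HEADER = 8       # MessageType(3) + ChunkType(1) + MessageSize(4)
SECURE_HEADER = 12    # base header + SecureChannelId(4); the 12 quoted in the report
SECURE_TYPES = {b"OPN", b"MSG", b"CLO"}
MAX_MESSAGE_SIZE = 1 << 20   # assumed local limit, not a value from the project


class MalformedFrame(ValueError):
    """Declared size cannot describe a real message; the caller should close the connection."""


def split_frames(buffer: bytes):
    """Split a receive buffer into complete messages; return (frames, remainder)."""
    frames, offset = [], 0
    while len(buffer) - offset >= BASE_HEADER:
        msg_type, _chunk, size = struct.unpack_from("<3scI", buffer, offset)
        minimum = SECURE_HEADER if msg_type in SECURE_TYPES else BASE_HEADER
        # Without this check a declared size of 0 gives body_size = -12 and
        # header_size + body_size = 0, so the offset never moves.
        if size < minimum or size > MAX_MESSAGE_SIZE:
            raise MalformedFrame(f"declared size {size} outside [{minimum}, {MAX_MESSAGE_SIZE}]")
        if len(buffer) - offset < size:
            break                      # partial message: wait for more bytes
        frames.append(buffer[offset:offset + size])
        offset += size                 # size >= minimum > 0, so the loop always advances
    return frames, buffer[offset:]


def is_rejected(buffer: bytes) -> bool:
    """True when the buffer contains a header that split_frames refuses."""
    try:
        split_frames(buffer)
    except MalformedFrame:
        return True
    return False


# Constructed sample inputs (not captured traffic).
HELLO = b"HELF" + struct.pack("<I", 12) + b"abcd"
OPEN_OK = b"OPNF" + struct.pack("<II", 16, 0) + b"wxyz"
OPEN_ZERO = b"OPNF" + struct.pack("<II", 0, 0)   # size field of zero

if __name__ == "__main__":
    print(split_frames(HELLO + OPEN_OK[:10]))   # one frame, partial remainder kept
    print(is_rejected(OPEN_ZERO))
```
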