OPC UA Manger's Attack Exploit
We were brought into attention of a known security vulnerability, called Manger's Attack, that concerns all OPC UA server applications built with Prosys OPC UA SDK for Java. It is related to the Bouncy Castle library that the SDK uses for it's security implementation by default.
The problem affects Bouncy Castle version 1.60 and earlier as described in the following discussion.
"If an adversary can iteratively submit a few thousands messages for decryption and detect the exception or the faster execution, s/he can decipher a ciphertext, or make a signature. The private key itself does not leak."
In context of OPC UA communication, it concerns the used implementation of RSA OAEP during the creation of a Secure Channel (that is during the connection handshake) and thus all of the recommended security policies. With the help of Manger's Attack an attacker can compromise the encryption between the client and server.
Prosys OPC UA products affected
The vulnerability affects directly:
- All applications built with Prosys OPC UA SDK for Java 4.1.2 and earlier that are using Bouncy Castle version 1.60 or earlier
- Prosys OPC UA Simulation Server 4.0.0 and earlier
- Prosys OPC UA Modbus Server 1.3.2 and earlier
- Prosys OPC UA Historian 1.0.0
Fixed products
The issue has been fixed in
- Prosys OPC UA Simulation Server 4.0.2
- Prosys OPC UA Modbus Server 1.3.4
It will also be fixed in Prosys OPC UA SDK for Java and Prosys OPC UA Historian in their next release.
For fixing the issue in the SDK yourself, see below.
If you are concerned about the issue in Prosys OPC UA products, but cannot update them, you will need to replace the existing Bouncy Castle libraries in the installation folder with the latest Bouncy Castle version targeting 'JDK 1.5-1.8'. Note that you will also need to rename them similar to the existing libraries.
Fixing projects built with Prosys OPC UA SDK for Java
Bouncy Castle implementations have fixed the issue and we recommend all users of Prosys OPC UA SDK for Java to update their applications to always use the latest Bouncy Castle version. The current version at the time of this writing is 1.64 and there are now two variants of the library. One labelled for 'JDK 1.5-1.8', which is in practice without Java 9 module info (but which you can use in Java 9+ as well with class path, instead of module path) and one labelled for 'JDK 1.5 onwards' with Java 9 module info.
If you have used the Maven integration provided by the OPC UA SDK, you can use one of the following to define the dependency to Bouncy Castle version 1.64:
a) with Java 9 module info (retains the artifactId 'bcpkix-jdk15on')
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
<version>1.64</version>
</dependency>
b) without Java 9 module info (new artifactId 'bcpkix-jdk15to18')
<dependency>
<!--
Remove the old dependencies to '*-jdk15on'
coming from the OPC UA SDK first.
Verify that artifactId and version match to yours.
-->
<groupId>com.prosysopc.ua</groupId>
<artifactId>prosys-opc-ua-sdk-client-server</artifactId>
<version>4.1.2-876</version>
<exclusions>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>*</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15to18</artifactId>
<version>1.64</version>
</dependency>
See also: Bouncy Castle release notes, which don't actually mention this fix.
Android applications
The SDK is not using Bouncy Castle in Android. Instead, it looks for Spongy Castle, which is a special build of Bouncy Castle for Android. Unfortunately, Spongy Castle is not getting new updates any more, so we cannot provide an update to that either, although it would be required to fix this issue.
On the other hand, we analyzed that the problem concerns mainly server applications and since Android applications are typically client applications, they should not be affected.
There is also interesting discussion about the future of Spongy Castle that gives hints how to use Bouncy Castle in Android as well.
More security information
You will find the currently announced security issues in Prosys OPC products from the blog under the Security tag.
You might also like to read about the OPC UA Security Process of the OPC Foundation.
Jouni Aro
Chief Technology Officer
Email: jouni.aro@prosysopc.com