CVE-2019-19135 in OPC UA .NET Standard
Summary
by MITRE
In OPC Foundation OPC UA .NET Standard codebase 1.4.357.28, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua before 1.4.359.31, which allows man in the middle attackers to reuse encrypted user credentials sent over the network.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/17/2020
The vulnerability identified as CVE-2019-19135 affects the OPC Foundation OPC UA .NET Standard codebase version 1.4.357.28 and earlier, representing a critical weakness in the cryptographic randomness implementation within the OPC UA server framework. This flaw resides in the OPCFoundation.NetStandard.Opc.Ua library where the random number generation process fails to produce sufficiently unpredictable values, creating a significant security risk for industrial control systems that rely on OPC UA for communication. The issue specifically impacts the authentication and encryption mechanisms used by OPC UA servers, which are fundamental to protecting industrial IoT environments from unauthorized access and data compromise.
The technical root cause of this vulnerability stems from insufficient entropy in the random number generation algorithm used by the OPC UA server implementation. When servers generate cryptographic keys, session identifiers, or other security parameters, they depend on cryptographically secure random number generators to ensure unpredictability. In this case, the implementation produces predictable or weak random values that can be exploited by attackers. The vulnerability enables man-in-the-middle attacks where an adversary can intercept and reuse encrypted user credentials transmitted over the network, effectively bypassing authentication mechanisms and gaining unauthorized access to industrial control systems. This weakness directly violates the principles of cryptographic security and undermines the confidentiality and integrity guarantees that OPC UA is designed to provide.
The operational impact of CVE-2019-19135 extends beyond simple credential theft, as it compromises the fundamental security posture of industrial control systems that depend on OPC UA for communication between devices, operators, and supervisory systems. Attackers who successfully exploit this vulnerability can establish persistent access to critical infrastructure, potentially leading to operational disruption, data manipulation, or even physical system compromise. The vulnerability affects organizations across multiple industrial sectors including manufacturing, energy, and process control where OPC UA is widely deployed, creating widespread risk across critical infrastructure. This weakness particularly impacts the security of distributed control systems where authentication and encryption are essential for maintaining operational integrity and preventing unauthorized system access.
Organizations affected by this vulnerability should immediately update their OPC UA implementations to version 1.4.359.31 or later, which contains the necessary cryptographic randomness improvements. System administrators should also implement network monitoring to detect potential credential reuse attempts and establish additional authentication layers including multi-factor authentication where possible. Security teams should conduct comprehensive vulnerability assessments of all OPC UA implementations within their industrial control networks and review network traffic patterns for signs of man-in-the-middle activity. The vulnerability aligns with CWE-330 insufficient entropy and represents a significant concern under the ATT&CK framework's credential access and defense evasion tactics, as it enables attackers to maintain persistent access through credential reuse without detection. Organizations should also consider implementing network segmentation and encryption at multiple layers to provide defense-in-depth against similar cryptographic weaknesses that could compromise industrial control system security.