Softing Secure Integration Server NULL Pointer Dereference
Understanding CVE-2022-1748
Softing OPC UA C++ Server SDK, Secure Integration Server, edgeConnector, edgeAggregator, OPC Suite, and uaGate are affected by a NULL pointer dereference vulnerability.
What is CVE-2022-1748?
CVE-2022-1748 is a NULL pointer dereference vulnerability that affects multiple Softing products.
The Impact of CVE-2022-1748
The vulnerability has a HIGH impact on availability and a CVSS base score of 7.5 (HIGH). It can be exploited over a network without requiring privileges, potentially causing service disruption.
Technical Details of CVE-2022-1748
Vulnerability Description
The vulnerability stems from a NULL pointer dereference issue present in various Softing products, making them susceptible to crashes or denial of service.
Affected Systems and Versions
Products impacted include Secure Integration Server (V1.22), OPC UA C++ SDK (V6.00), edgeConnector Siemens (V3.10), edgeConnector 840D (V3.10), edgeConnector Modbus (V3.10), and edgeAggregator (V3.10).
Exploitation Mechanism
The vulnerability can be exploited remotely through a network connection without the need for user interaction, potentially leading to service unavailability.
Mitigation and Prevention
Immediate Steps to Take
Softing has released new versions to address the vulnerabilities, including Secure Integration Server V1.30. Users are urged to update to the latest versions available on the Softing website.
Long-Term Security Practices
For enhanced security, it is recommended to change default admin passwords, configure firewalls to block specific network requests, and disable unnecessary services like HTTP in the affected Softing products.
Patching and Updates
Users should regularly check for security updates from Softing and implement them promptly to prevent exploitation of known vulnerabilities.