CVE-2020-27263: Buffer Overflow
First published: Wed Jan 13 2021(Updated: )
KEPServerEX: v6.0 to v6.9, ThingWorx Kepware Server: v6.8 and v6.9, ThingWorx Industrial Connectivity: All versions, OPC-Aggregator: All versions, Rockwell Automation KEPServer Enterprise, GE Digital Industrial Gateway Server: v7.68.804 and v7.66, Software Toolbox TOP Server: All 6.x versions, are vulnerable to a heap-based buffer overflow. Opening a specifically crafted OPC UA message could allow an attacker to crash the server and potentially leak data.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PTC Kepware KEPServerEX | ||
| Ptc Kepware Server | =6.8 and v6.9 | |
| PTC ThingWorx Industrial Connectivity | ||
| PTC OPC-Aggregator | ||
| PTC GE Digital Industrial Gateway Server | =7.66 | |
| PTC GE Digital Industrial Gateway Server | =7.68.804 | |
| Ptc Kepware Server | =6.0 | |
| Ptc Kepware Server | =6.9 | |
| PTC OPC-Aggregator | ||
| PTC ThingWorx Industrial Connectivity | ||
| Ptc Kepware Server | =6.8 | |
| Ptc Kepware Server | =6.9 | |
| PTC Rockwell Automation KEPServer Enterprise | =6.6.504.0 | |
| PTC Rockwell Automation KEPServer Enterprise | =6.9.572.0 | |
| PTC Software Toolbox TOP Server | >=6.0<=6.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2020-27263?
The severity of CVE-2020-27263 is critical with a CVSS score of 9.1.
Which software versions are affected by CVE-2020-27263?
CVE-2020-27263 affects KEPServerEX versions 6.0 to 6.9, ThingWorx Kepware Server versions 6.8 and 6.9, ThingWorx Industrial Connectivity (all versions), OPC-Aggregator (all versions), Rockwell Automation KEPServer Enterprise, GE Digital Industrial Gateway Server versions 7.68.804 and 7.66, and Software Toolbox TOP Server versions 6.x.
What is the Common Weakness Enumeration (CWE) ID for CVE-2020-27263?
The Common Weakness Enumeration (CWE) ID for CVE-2020-27263 is CWE-119, CWE-787, and CWE-122.
Where can I find more information about CVE-2020-27263?
You can find more information about CVE-2020-27263 on the US-CERT website at https://us-cert.cisa.gov/ics/advisories/icsa-20-352-02.
How do I mitigate CVE-2020-27263?
To mitigate CVE-2020-27263, it is recommended to update to the latest patched version provided by the respective software vendors.
- agent/type
- agent/weakness
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/severity
- agent/references
- agent/source
- agent/softwarecombine
- agent/tags
- collector/ics-cert-advisory
- source/ICS
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/ptc
- canonical/ptc kepware kepserverex
- canonical/ptc kepware server
- version/ptc kepware server/6.8 and v6.9
- canonical/ptc thingworx industrial connectivity
- canonical/ptc opc-aggregator
- vendor/ge
- canonical/ptc ge digital industrial gateway server
- version/ptc ge digital industrial gateway server/7.66
- version/ptc ge digital industrial gateway server/7.68.804
- version/ptc kepware server/6.0
- version/ptc kepware server/6.9
- version/ptc kepware server/6.8
- vendor/rockwellautomation
- canonical/ptc rockwell automation kepserver enterprise
- version/ptc rockwell automation kepserver enterprise/6.6.504.0
- version/ptc rockwell automation kepserver enterprise/6.9.572.0
- vendor/softwaretoolbox
- canonical/ptc software toolbox top server
- version/ptc software toolbox top server/6.0
- version/ptc software toolbox top server/6.9