Cyber Posture

CVE-2024-42512

High

Published: 10 February 2025

Modified: 29 September 2025
KEV Added
Patch
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)
EPSS Score: 0.0003 (10.1th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Description

Vulnerability in the OPC UA .NET Standard Stack before 1.5.374.158 allows an unauthorized attacker to bypass application authentication when the deprecated Basic128Rsa15 security policy is enabled.

Security Summary

CVE-2024-42512 is a vulnerability in the OPC UA .NET Standard Stack prior to version 1.5.374.158. It allows an unauthorized attacker to bypass application authentication when the deprecated Basic128Rsa15 security policy is enabled. The issue is classified under CWE-208 (Observable Timing Discrepancy) and carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L), indicating high severity due to its network accessibility and potential for significant confidentiality impact.

The vulnerability can be exploited by any unauthorized attacker with network access to the affected component, requiring low attack complexity and no privileges, user interaction, or special conditions beyond the Basic128Rsa15 policy being enabled. Successful exploitation enables authentication bypass, granting unauthorized access that could result in high confidentiality loss, such as exposure of sensitive data, alongside low impacts to integrity and availability.

Mitigation details are provided in the OPC Foundation Security Bulletin available at https://files.opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2024-42512.pdf, published on 2025-02-10.
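The exposure condition described above (a stack older than 1.5.374.158 with Basic128Rsa15 enabled) can be checked from an application's configuration; the following is an added example, not code from the OPC Foundation or from this page. It assumes the application lists its endpoint policies in an XML configuration using `ServerSecurityPolicy` / `SecurityPolicyUri` / `SecurityMode` elements and the standard OPC UA policy URI, none of which appear on this page; the sample configuration and the version strings in use are constructed.

```python
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 5, 374, 158)  # first fixed release, per the description above
WEAK_POLICY = "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15"  # assumed URI

# Constructed sample configuration (assumed layout, not taken from the page).
SAMPLE_CONFIG = """<ApplicationConfiguration xmlns="http://opcfoundation.org/UA/SDK/Configuration.xsd">
  <ServerConfiguration>
    <SecurityPolicies>
      <ServerSecurityPolicy>
        <SecurityMode>SignAndEncrypt_3</SecurityMode>
        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri>
      </ServerSecurityPolicy>
      <ServerSecurityPolicy>
        <SecurityMode>Sign_2</SecurityMode>
        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri>
      </ServerSecurityPolicy>
    </SecurityPolicies>
  </ServerConfiguration>
</ApplicationConfiguration>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def weak_policy_modes(config_xml):
    """Return the SecurityMode of every configured policy that enables Basic128Rsa15."""
    modes = []
    for el in ET.fromstring(config_xml).iter():
        if local(el.tag) != "ServerSecurityPolicy":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        if fields.get("SecurityPolicyUri") == WEAK_POLICY:
            modes.append(fields.get("SecurityMode", "unspecified"))
    return modes

def is_fixed(stack_version):
    """True if a dotted version (optional -suffix ignored) is >= 1.5.374.158."""
    parts = tuple(int(p) for p in stack_version.split("-")[0].split(".")[:4])
    parts += (0,) * (4 - len(parts))
    return parts >= FIXED_VERSION

def assess(config_xml, stack_version):
    """Combine both conditions from the advisory into one finding string."""
    modes = weak_policy_modes(config_xml)
    if not modes:
        return "not-exposed: Basic128Rsa15 not enabled"
    if is_fixed(stack_version):
        return "patched: Basic128Rsa15 still enabled (deprecated policy)"
    return "exposed: Basic128Rsa15 enabled on a pre-1.5.374.158 stack"
```

The "patched" result still reports the deprecated policy so it can be removed from the endpoint list as a follow-up.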

Details

CWE(s)
CWE-208

Affected Products

Vendor: opcfoundation
Product: ua .net standard stack
Version: ≤ 1.5.374.158
