Opto 22 PAC Control Basic

OOB[R] due to improper bounds checking


Opto 22


Opto 22 Pac Control Basic

Product Version


Vulnerability Details

Opto 22 PAC Control Basic software suite’s main application Control.basic.exe, contains a security related vulnerability that can lead to a potential information leak via an out of bounds read (oob[r]) access violation that occurs during parsing of a malicious idb strategy file.

Vendor Response

Vendor acknowledged the security issue and impact.

Disclosure Timeline

  • Contacted OPTO 22 and submitted initial securit issues to vendor.

  • Received Automatic response from OPTO 22
    Product Support Group (PSG).

  • Received email from OPTO 22 Representative explaining they were able to duplicate said issues

  • We offered to provide some further analysis; however, due to time constraints with other high
    priority clients, we were unable to assist further at the time.

  • We reached out to OPTO 22 again in December, to check on the status of the patching of security issues and they did not have any updates on when a fix would be produced.

  • We submitted a report with root cause analysis and technical details of the issues to OPTO 22. We also inquired about when a patch would be available.

  • OPTO 22 Responded stating that they plan to release the fixes within PAC 10.14; however, no date for that version release has been scheduled at that time.

  • OPTO 22 Responded to our request of further details of dates by stating they had a rough estimate of mid-year and if they received any newer information, they would email it to us.

  • We thanked OPTO 22 for their response and let them know we would reach out in June 2021 to check status.

  • After not receiving any new information about
    release schedule and further analysis of the
    product suite and industry that OPTO 22 operates
    within, we decided to move forward with public
    disclosure, 8 months is ample time for patching and remediation, and we feel the public needs to be aware of risks associated with software that operates within critical industries. We let OPTO 22 know that they would be releasing the vulnerability information public within 30 days.

  • OPTO 22 responded saying that a fix would be provided in the next PAC Project Version.

  • VerSprite submitted vulnerability details to MITRE to receive CVE ID.