CVE ID

CVE-2021-30495

VENDOR

Opto 22

PRODUCT

Opto 22 Pac Control Basic

Product version

R10.3003

Vendor response

Vendor acknowledged the security issue and impact.

Disclosure timeline

07-06-2020  Contacted OPTO 22 and submitted initial security
                                issues to vendor.
07-06-2020  Received Automatic response from OPTO 22
                           Product Support Group (PSG).
07–06-2020  Received email from OPTO 22 Representative 
                           explaining they were able to duplicate said issues
07–08-2020  We offered to provide some further analysis;
                              however, due to time constraints with other high
                           priority clients, we were unable to assist further at
                              the time.
12–08-2020    We reached out to OPTO 22 again in December, to
                              check on the status of the patching of security 
                                issues and they did not have any updates on when
                                a fix would be produced.
01-20-2021     We submitted a report with root cause analysis and
                                technical details of the issues to OPTO 22. We also
                                inquired about when a patch would be available. 
01-21-2021      OPTO 22 Responded stating that they plan to
                           release the fixes within PAC 10.14; however, no date
                           for that version release has been scheduled at that
                           time.
01-22-2021     OPTO 22 Responded to our request of further details
                                of dates by stating they had a rough estimate of
                                mid-year and if they received any newer 
                                information, they would email it to us.
01-22-2021     We thanked OPTO 22 for their response and let them
                                know we would reach out in June 2021 to check 
                                status.
03-26-2021    After not receiving any new information about 
                                release schedule and further analysis of the
                              product suite and industry that OPTO 22 operates
                              within, we decided to move forward with public
                                disclosure, 8 months is ample time for patching
                              and remediation, and we feel the public needs to
                                be aware of risks associated with software that
                                operates within critical industries. We let OPTO 22
                              know that they would be releasing the vulnerability
                              information public within 30 days.  
03-29-2021    OPTO 22 responded saying that a fix would be
                                provided in the next PAC Project Version. 
04-09-2021    VerSprite submitted vulnerability details to MITRE
                            to receive CVE ID.