OOB[R] due to improper bounds checking
CVE ID
CVE-2021-30495
VENDOR
Opto 22
PRODUCT
Opto 22 Pac Control Basic
Product version
R10.3003
Vulnerability Details
The main application of the Opto 22 PAC Control Basic software suite, Control.basic.exe, contains a security-related vulnerability that can lead to a potential information leak via an out-of-bounds read (OOB[R]) access violation. The access violation occurs during parsing of a malicious idb strategy file, because a value taken from the file is used for a memory read without adequate bounds checking.
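The defect class described above, a length or offset taken from the file and used as a read size without being checked against the remaining buffer, is easiest to see in a small parser. The following is an added example, not Opto 22 code and not the real idb strategy format: it parses a constructed, hypothetical length-prefixed record (a 32-bit little-endian name length, the name bytes, then a 32-bit value) and shows the two checks whose absence produces an out-of-bounds read, a cap on the declared length and a comparison against the bytes actually left in the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, hypothetical record layout used only for this demonstration
 * (NOT the Opto 22 idb format):
 *   u32 little-endian name_len | name_len bytes of name | u32 little-endian value
 */
typedef struct {
    const uint8_t *data;  /* whole file buffer */
    size_t len;           /* total bytes available */
    size_t pos;           /* current read offset, never exceeds len */
} cursor_t;

enum { PARSE_OK = 0, PARSE_ERR_TRUNCATED = 1, PARSE_ERR_TOO_LONG = 2 };

#define MAX_NAME 64

typedef struct {
    char name[MAX_NAME + 1];
    uint32_t value;
} record_t;

/* Read a 32-bit little-endian integer, refusing if fewer than 4 bytes remain. */
static int read_u32le(cursor_t *c, uint32_t *out) {
    if (c->len - c->pos < 4) return PARSE_ERR_TRUNCATED;
    const uint8_t *p = c->data + c->pos;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    c->pos += 4;
    return PARSE_OK;
}

/* Copy n bytes out of the buffer. This is the check an unchecked parser lacks:
 * the requested size is validated against the remaining bytes before any
 * memory is touched, so a malformed file cannot steer a read past the buffer. */
static int read_bytes(cursor_t *c, void *dst, size_t n) {
    if (n > c->len - c->pos) return PARSE_ERR_TRUNCATED;
    memcpy(dst, c->data + c->pos, n);
    c->pos += n;
    return PARSE_OK;
}

/* Parse one record from buf. Returns PARSE_OK or an error code. */
int parse_record(const uint8_t *buf, size_t buf_len, record_t *out) {
    cursor_t c = { buf, buf_len, 0 };
    uint32_t name_len;
    int rc;

    if ((rc = read_u32le(&c, &name_len)) != PARSE_OK) return rc;

    /* Reject oversized lengths before they are used as a copy size.
     * An unchecked parser would do memcpy(out->name, c.data + c.pos, name_len)
     * here and read past the end of the file buffer whenever the attacker-chosen
     * name_len exceeds the bytes that remain; that over-read is the OOB[R]. */
    if (name_len > MAX_NAME) return PARSE_ERR_TOO_LONG;
    if ((rc = read_bytes(&c, out->name, name_len)) != PARSE_OK) return rc;
    out->name[name_len] = '\0';

    return read_u32le(&c, &out->value);
}

/* Constructed sample inputs. */
static const uint8_t GOOD[]    = { 4,0,0,0, 'p','u','m','p', 0x2A,0,0,0 };
/* name_len claims 0x1000 bytes while only 4 follow: caught by the length cap. */
static const uint8_t BAD_LEN[] = { 0x00,0x10,0,0, 'p','u','m','p', 0x2A,0,0,0 };
/* name_len (8) is within the cap, but the buffer ends mid-name: caught by
 * the remaining-bytes check. */
static const uint8_t TRUNC[]   = { 8,0,0,0, 'p','u','m' };

/* Returns 1 when the well-formed record parses to name "pump" and value 42. */
int demo_good(void) {
    record_t r;
    return parse_record(GOOD, sizeof GOOD, &r) == PARSE_OK &&
           r.value == 42 && strcmp(r.name, "pump") == 0;
}
int demo_bad_len(void) { record_t r; return parse_record(BAD_LEN, sizeof BAD_LEN, &r); }
int demo_trunc(void)   { record_t r; return parse_record(TRUNC, sizeof TRUNC, &r); }

int main(void) {
    printf("good record parses: %d\n", demo_good());
    printf("oversized length -> code %d\n", demo_bad_len());
    printf("truncated buffer -> code %d\n", demo_trunc());
    return 0;
}
```

Both malformed inputs are rejected with a distinct error code instead of being read through; a parser that trusts the embedded length would instead read whatever memory follows the file buffer, which is how a crafted file turns into an information leak.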
Vendor response
Vendor acknowledged the security issue and impact.
Disclosure timeline
07-06-2020 Contacted OPTO 22 and submitted initial security issues to vendor.
07-06-2020 Received automatic response from OPTO 22 Product Support Group (PSG).
07-06-2020 Received email from OPTO 22 representative explaining they were able to duplicate said issues.
07-08-2020 We offered to provide some further analysis; however, due to time constraints with other high-priority clients, we were unable to assist further at the time.
12-08-2020 We reached out to OPTO 22 again in December to check on the status of the patching of the security issues; they did not have any updates on when a fix would be produced.
01-20-2021 We submitted a report with root cause analysis and technical details of the issues to OPTO 22. We also inquired about when a patch would be available.
01-21-2021 OPTO 22 responded stating that they plan to release the fixes within PAC 10.14; however, no date for that version release had been scheduled at that time.
01-22-2021 OPTO 22 responded to our request for further details on dates by stating they had a rough estimate of mid-year and, if they received any newer information, they would email it to us.
01-22-2021 We thanked OPTO 22 for their response and let them know we would reach out in June 2021 to check status.
03-26-2021 After not receiving any new information about the release schedule, and after further analysis of the product suite and the industry that OPTO 22 operates within, we decided to move forward with public disclosure: 8 months is ample time for patching and remediation, and we feel the public needs to be aware of risks associated with software that operates within critical industries. We let OPTO 22 know that we would be releasing the vulnerability information publicly within 30 days.
03-29-2021 OPTO 22 responded saying that a fix would be provided in the next PAC Project version.
04-09-2021 VerSprite submitted vulnerability details to MITRE to receive a CVE ID.