Since this is a self-signed cert issue on mappView, and OPC UA can also use self-signed certs, does it affect OPC UA? CVE-2024-8603 does not expose details. Is it in the symmetric key part?
Hi,
CVE-2024-8603 names Automation Runtime and mappView as affected.
Because the OPC UA server also uses the Automation Runtime functions, self-signed certificates automatically generated by AR for OPC UA are affected, too (sorry, I don’t know which parts in detail).
But, as described in CVE-2024-8603, it happens only if AR generates a certificate automatically at boot because of a missing certificate configuration inside the installed project.
So having a properly configured configuration including certificates inside the Automation Studio project (and of course installed in the PLC by project transfer) does not lead to the behavior described in CVE-2024-8603.
This is also valid when using self-signed certificates (but of course self-signed certificates have some common, well-known limitations with regard to authentication, independent of Automation Runtime or PLCs).
Best regards!
Thanks for the reply. Although it does not have details, if it only affects auto-generated certificates I think most PLCs are still relatively safe. With a score of 8.2 it is scary.