CVE-2023-26150: 
Python vulnerability analysis and mitigation

CVE-2023-26150 affects versions of the asyncua package before 0.9.96, exposing an Improper Authentication vulnerability. The issue allows unauthorized access to the OPC UA Address Space without requiring encryption and authentication. The vulnerability was discovered during PhD research experiments and was disclosed on June 9, 2023 (Snyk Security).

The vulnerability stems from missing security checks in the OPC UA implementation. In OPC UA, there are two security layers: the secure channel layer (handling encryption, signatures, and application authentication) and the session layer (handling user authentication and authorization). The vulnerability allows bypassing both security layers by sending a hello message, creating an unsecured channel, and establishing a session without activation. This enables unauthorized access to all services that should require an active authenticated session (GitHub Issue).

The vulnerability allows unauthorized users to access all data on the server if they know the IP address. Attackers can read and write nodes using regular Read and Write Requests without proper authentication, leading to potential data exposure and unauthorized modifications (Snyk Security).

The vulnerability was fixed in version 0.9.96 of the asyncua package. The fix implements proper session activation checks for all services that require an active session. Users should upgrade to version 0.9.96 or higher to mitigate this vulnerability (GitHub Release).