OpenSSL Security Vulnerabilities and OPC UA
We want to make you aware of recent security vulnerabilities discovered in OpenSSL that impact TOP Server Version 5.18 and earlier.
If you are not currently using the TOP Server OPC UA Client driver or OPC UA Server interface, please disregard this article.
OpenSSL is an open source library used by many OPC UA applications to secure communications. TOP Server uses OpenSSL to secure communications with its OPC UA server and OPC UA Client driver. Vulnerabilities were recently discovered in OpenSSL that have the potential to impact these interfaces. By exploiting these vulnerabilities, a remote attacker could potentially cause TOP Server to crash or become unresponsive.
The following links document the vulnerabilities in OpenSSL that have the potential to impact all OPC UA applications:
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1788
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1789
Both vulnerabilities relate to certificate validation in OpenSSL. If an attacker sends an OPC UA server a command with a specially-crafted certificate, OpenSSL will try to validate the certificate; in doing so, it will access invalid memory or process the certificate indefinitely. This can lead to an application crash or a denial of service.
The more accessible the OPC UA server is, the more vulnerable it is to this attack. For instance, if the OPC UA server is only available on the LAN or control network, the exposure is limited: an attacker would need to penetrate this network and exploit the vulnerability from a compromised machine on the network. If the OPC UA server is accessible via the WAN, it is more susceptible to attack, because any machine that can reach the OPC UA server on the network could exploit this vulnerability.
Because, by default, TOP Server only installs a Localhost UA endpoint, only applications running on the same machine as TOP Server could exploit this vulnerability, which is highly unlikely. Enabling a non-localhost endpoint makes a machine more susceptible, but again, it depends on how accessible the OPC UA server is on the network.
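To determine which of these cases applies on a given host, the following added example (not TOP Server or OpenSSL code) reads Windows `netstat -an` output and sorts the sockets listening on the UA endpoint port into loopback-only (reachable only from the same machine) and network-reachable bindings. The port 4840 and the sample netstat output are assumptions constructed for illustration; substitute the port configured for your endpoint.

```python
"""Classify OPC UA endpoint exposure from Windows netstat -an output."""
import ipaddress
import re
import subprocess
from typing import Dict, List

# Assumption: the UA endpoint port is configurable; 4840 is only a placeholder.
UA_PORT = 4840

# Matches the Local Address column of Windows "netstat -an" TCP listeners, e.g.
#   TCP    127.0.0.1:4840    0.0.0.0:0    LISTENING
#   TCP    [::1]:4840        [::]:0       LISTENING
_LISTEN_RE = re.compile(
    r"^\s*TCP\s+(\[?)([0-9a-fA-F.:]+)\]?:(\d+)\s+\S+\s+LISTENING", re.MULTILINE)


def classify_listeners(netstat_output: str, port: int = UA_PORT) -> Dict[str, List[str]]:
    """Return {'loopback': [...], 'exposed': [...]} for sockets listening on `port`.

    A loopback binding (127.0.0.0/8 or ::1) is reachable only by processes on the
    same host, the default TOP Server case. Any other binding, including the
    unspecified address 0.0.0.0 / ::, is reachable from the network and widens
    exposure to the certificate-validation bugs.
    """
    result: Dict[str, List[str]] = {"loopback": [], "exposed": []}
    for bracket, addr, p in _LISTEN_RE.findall(netstat_output):
        if int(p) != port:
            continue
        sock = f"[{addr}]:{p}" if bracket else f"{addr}:{p}"
        bucket = "loopback" if ipaddress.ip_address(addr).is_loopback else "exposed"
        result[bucket].append(sock)
    return result


def check_local_host(port: int = UA_PORT) -> Dict[str, List[str]]:
    """Run netstat on this Windows host and classify its UA listeners."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=False)
    return classify_listeners(out.stdout, port)


# Constructed sample output; not captured from a real TOP Server host.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:4840         0.0.0.0:0              LISTENING
  TCP    [::1]:4840             [::]:0                 LISTENING
  TCP    0.0.0.0:4840           0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for bucket, socks in classify_listeners(SAMPLE_NETSTAT).items():
        print(f"{bucket}: {socks}")
```

Any entry under `exposed` means the endpoint is reachable from the network and the exposure reasoning above for LAN or WAN access applies.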
These issues will be addressed in TOP Server Version 5.19, which will be available in October 2015. If you feel that your use of the OPC UA server or OPC UA Client driver for TOP Server could be impacted by these vulnerabilities, please contact us right away and we will work with you to address it.
We apologize for any inconvenience this may cause.