Cybersecurity & Infrastructure Security Agency (CISA) Reports Vulnerability in TOP Server OPC UA server interface for all V6.x Releases
The CISA Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has identified a vulnerability in the OPC UA server interface for TOP Server V6.0.2107.0 through V6.9.572.0. How does this affect me? Are patches available?
Reference IDs
CISA: ICSA-20-352-02
NIST: CVE-2020-27263, CVE-2020-27265, CVE-2020-27267
As of 17 December 2020, TOP Server V6.9.584.0 and newer, as well as updated versions V6.8.840.0 and V6.7.1068.0, are available to resolve this vulnerability in the OPC UA server interface.
Full details are available on the CISA website for Advisory # ICSA-20-352-02.
What TOP Server users are at risk?
It is important to understand that this vulnerability only affects TOP Server V6.x users who meet both of the following conditions (V5.x and V4.x versions are NOT affected):
- Have the OPC UA interface enabled (whether they're actively using it or not). If NOT using OPC UA, you should keep the OPC UA server interface disabled until you can apply the patch provided. The OPC UA interface is disabled by default (see the TOP Server documentation for how to enable or disable the OPC UA server interface).
- Have an OPC UA endpoint configured and enabled that is accessible externally to the local network. By default, only a local-only endpoint is enabled in the UA Configuration Manager.
If these conditions are not both true, the TOP Server installation should not be affected by this vulnerability. If the user changes ANY of the conditions, this statement is invalidated. Users are responsible for maintaining a secure environment consistent with their company's security standards and following their company's change management practices. In the absence of company standards, users should consider US NIST guidelines.
If the conditions above are true, and the server is behind a secure firewall that allows no access to the TOP Server OPC UA interface from outside the company network, the attack surface is reduced but not to zero. The remaining exposure is to users who have physical access to the company's computers or networks. Each customer company must assess its security risk and stance and must involve its Cyber-security professionals to assess the risk; we can answer questions for those parties if needed. In the absence of company standards, users should consider US NIST guidelines.
What will happen if your TOP Server is attacked?
For the affected versions, if a malicious actor gains access to your TOP Server application and performs a successful attack, you may experience a crash of TOP Server. The range of possible impacts is:
- Loss of ability to configure the application
- Loss of data
- Loss of data acquisition
- Loss of control of systems
Your industrial control system may continue to run, and the system should be designed to fail safely at a minimum. If it is not, actions may need to be taken to safely continue or to shut the system down as appropriate for the specific system. From a practical perspective, if your TOP Server and client applications are behind a secure firewall with no outside access, the risk of this vulnerability being exploited may be lower.
HOWEVER, each customer company must assess their security risk and stance and should involve their company Cyber-security professionals to assess the risk, and we can answer questions for those parties if needed. For general recommendations and best practices for mitigating vulnerabilities and ensuring your TOP Server installations are as secure as possible, please request your free copy of the TOP Server Secure Deployment Considerations Guide.
TOP Server Patches Available
Software Toolbox has made updates available for the following set of more recent versions to address this issue; they can be downloaded from the following links. Your existing TOP Server configuration project is fully compatible with these updated versions. Please verify your current support/maintenance status in the TOP Server License Utility prior to downloading and installing one of these updated versions to confirm eligibility (keep reading below for next steps in situations where your "Support End Date" is in the past).
It is also strongly recommended that you save a copy of your TOP Server configuration project as a backup prior to updating (see FAQ 3772 for information about automatic project backups; as a failsafe, you can also go to File -> Save As in your TOP Server Configuration).
Next Steps
Scenarios for updating your TOP Server will depend on the current state of the support/maintenance agreement for your licenses on the TOP Server machine. To confirm your support/maintenance status, launch the TOP Server License Utility (either from the Start Menu or the TOP Server Admin system tray icon) and confirm the "Support End Date" listed for your licenses.
For users with licenses covered by a current support/maintenance agreement (i.e. a "Support End Date" with a value in the future):
- You are eligible for any version up to and including the current version.
- It is recommended to download V6.9.584.0 (or one of the other corresponding updated versions) and upgrade your TOP Server installation as soon as practically possible, following your company's change management practices. Running the latest version is always recommended wherever possible.
For users with licenses NOT covered by a current support/maintenance agreement (i.e. a "Support End Date" with a value in the past):
- If you are currently running V6.7 - V6.9, it is recommended to download the updated build corresponding to your current version and update your TOP Server installation as soon as practically possible, following your company's change management practices.
- For example, if you're currently running V6.7.1046.0 or V6.7.1054.0, you're eligible to update to V6.7.1068.0 only.
- If you are currently running V6.6.350.0 or previous, please contact us for a quotation to reinstate your support/maintenance agreement. This will allow you to download V6.9.584.0 and upgrade your TOP Server installation as soon as practically possible, following your company's change management practices. Please include your serial number or activation ID or any other information that will help us with your request.
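The update scenarios above, expressed as a small triage helper; this is an added example and not Software Toolbox's code. It takes an installed version string and the "Support End Date" shown in the License Utility and returns the update path this bulletin prescribes, assuming that a Support End Date on or after today counts as a current agreement and that V6.x builds the bulletin does not name (between V6.6.350.0 and V6.7) are routed to support.

```python
"""Added example (not Software Toolbox's code): applies the affected range and
update rules stated in this bulletin to one TOP Server installation."""
from datetime import date

# Build boundaries quoted in the bulletin, as (major, minor, build, revision).
AFFECTED_RANGE = ((6, 0, 2107, 0), (6, 9, 572, 0))
FIXED_BY_BRANCH = {(6, 7): (6, 7, 1068, 0),
                   (6, 8): (6, 8, 840, 0),
                   (6, 9): (6, 9, 584, 0)}
LATEST = (6, 9, 584, 0)
LAST_LEGACY = (6, 6, 350, 0)   # "V6.6.350.0 or previous": reinstate support first


def parse_version(text):
    """Turn 'V6.7.1046.0' into (6, 7, 1046, 0); rejects anything else."""
    parts = text.strip().lstrip("Vv").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised TOP Server version: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(version):
    return "V" + ".".join(str(n) for n in version)


def is_affected(version):
    """True only inside the range the advisory names; V4.x/V5.x fall outside it."""
    return AFFECTED_RANGE[0] <= version <= AFFECTED_RANGE[1]


def triage(version, support_end, today):
    """Return (status, target_build_or_None); dates are ISO strings (YYYY-MM-DD)."""
    v = parse_version(version)
    if not is_affected(v):
        return ("not_affected", None)
    # Assumption: a Support End Date on or after today is a current agreement.
    if date.fromisoformat(support_end) >= date.fromisoformat(today):
        return ("upgrade", fmt(LATEST))          # eligible up to the current version
    branch_fix = FIXED_BY_BRANCH.get(v[:2])
    if branch_fix is not None:
        return ("update_same_branch", fmt(branch_fix))   # lapsed: same-branch build only
    if v <= LAST_LEGACY:
        return ("reinstate_support_then_upgrade", fmt(LATEST))
    return ("contact_support", None)            # builds the bulletin does not name


if __name__ == "__main__":
    for ver, end in (("V6.7.1046.0", "2019-06-30"), ("V6.9.584.0", "2019-06-30")):
        print(ver, end, "->", triage(ver, end, "2020-12-17"))
```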
If you have any further questions regarding this bulletin, please submit a support request.