National Institute of Standards and Technology (NIST) Reports Vulnerability in Components used in OmniServer OPC UA server interface
The National Institute of Standards and Technology (NIST) has published vulnerabilities discovered in external libraries used in the OPC UA server interface for OmniServer V2.7.0.19 to V3.2.0.12. How does this affect me?
Reference IDs
NIST NVD (National Vulnerability Database): CVE-2021-45117, CVE-2021-3541
As of 21 March 2022, OmniServer V3.2.0.13 and newer are available to resolve these vulnerabilities in the OPC UA server interface.
Full details are available in the NIST NVD entries linked here:
What OmniServer users are at risk?
It is important to understand that these vulnerabilities only affect OmniServer users who meet ALL of the following conditions:
- Are using a version of OmniServer newer than V2.7.0.18 and older than V3.2.0.13. OmniServer V2.7.0.18 and previous are NOT affected
- Have an OPC UA client connecting to an OmniServer OPC UA endpoint that is configured and enabled, is accessible from outside the local network, and has Security set to None.
If your OmniServer OPC UA server endpoints are either local only or use any Security mode higher than None, the OmniServer installation should not be affected by these vulnerabilities. If the user changes ANY of the conditions, this statement is invalidated. Users are responsible for maintaining a secure environment consistent with their company's security standards and following their company's change management practices. In the absence of company standards, users should consider US NIST guidelines.
If the conditions above are true, and the server is behind a secure firewall with no access to the OmniServer OPC UA interface allowed from outside the company network, the attack surface is reduced but not to zero. The remaining exposure is to users who have physical access to the company's computers or networks. Each customer company must assess its own security risk and stance and must involve its cyber-security professionals in that assessment; we can answer questions for those parties if needed. In the absence of company standards, users should consider US NIST guidelines.
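As an added example (not Software Toolbox code), the Python helper below applies the conditions above to an inventory of OmniServer OPC UA endpoints so that the installations needing the update first can be listed; the `Endpoint` fields, host names and sample versions are constructed for illustration.

```python
# Added triage helper for this advisory (example code, not Software Toolbox's).
# Flags OmniServer installs that meet ALL the conditions above: version newer
# than V2.7.0.18 and older than V3.2.0.13, an enabled OPC UA endpoint that is
# reachable from outside the local network, and Security set to None.
# The inventory format and host names are constructed for this example.
from dataclasses import dataclass
from typing import Iterable, List, Tuple

FIRST_AFFECTED = (2, 7, 0, 19)  # V2.7.0.18 and earlier are not affected
FIRST_FIXED = (3, 2, 0, 13)     # V3.2.0.13 and newer contain the fix

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V3.2.0.12' (as shown in Help -> About) into a comparable tuple."""
    return tuple(int(p) for p in text.strip().lstrip("Vv").split("."))

def version_affected(version: str) -> bool:
    """Tuple comparison handles multi-digit components (2.7.0.19 vs 2.7.0.9)."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED

@dataclass
class Endpoint:
    host: str
    version: str
    enabled: bool
    externally_reachable: bool  # reachable from outside the local network
    security_mode: str          # "None", "Sign", "SignAndEncrypt", ...

def at_risk(ep: Endpoint) -> bool:
    """True only when every condition in the advisory holds at once."""
    return (version_affected(ep.version) and ep.enabled
            and ep.externally_reachable and ep.security_mode.lower() == "none")

def triage(endpoints: Iterable[Endpoint]) -> List[str]:
    """Hosts whose update to V3.2.0.13 should be prioritised."""
    return [ep.host for ep in endpoints if at_risk(ep)]

# Constructed sample inventory (one entry per OmniServer OPC UA endpoint)
INVENTORY = [
    Endpoint("hmi-01", "V3.2.0.12", True, True, "None"),            # at risk
    Endpoint("hmi-02", "V3.2.0.12", True, True, "SignAndEncrypt"),  # security above None
    Endpoint("hmi-03", "V2.7.0.18", True, True, "None"),            # version not affected
    Endpoint("hmi-04", "V3.2.0.13", True, True, "None"),            # already fixed
    Endpoint("hmi-05", "V3.0.0.5", True, False, "None"),            # local only
]

if __name__ == "__main__":
    print("Prioritise update on:", triage(INVENTORY))  # ['hmi-01']
```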
What will happen if your OmniServer is attacked?
For the affected versions, if a malicious actor gains access to your OmniServer application and performs a successful attack, you may experience a crash of OmniServer. The range of possible impacts is:
- Loss of ability to configure the application
- Loss of data
- Loss of data acquisition
- Loss of control of systems
Your industrial control system may continue to run, and the system should be designed to fail safely at a minimum. If it is not, actions may need to be taken to safely continue or to shut the system down as appropriate for the specific system. From a practical perspective, if your OmniServer and client applications are behind a secure firewall with no outside access, the risk of this vulnerability being exploited may be lower.
HOWEVER, each customer company must assess its own security risk and stance and should involve its cyber-security professionals in that assessment; we can answer questions for those parties if needed.
OmniServer Update Available
Software Toolbox has released updates for the following more recent versions to address this issue; they are available for download from the links below. Your existing OmniServer configuration and protocols are fully compatible with the updated version. Please verify your current support/maintenance status in OmniServer (Help -> About) before downloading and installing the updated version to confirm eligibility (keep reading below for next steps if your support/maintenance period has expired).
It is also strongly recommended that you save a copy of your OmniServer configuration and protocols as a backup prior to updating (see our FAQ for information about backing up and moving OmniServer configurations/protocols).
Next Steps
Scenarios for updating your OmniServer will depend on the current state of the support/maintenance agreement for your license on the OmniServer machine. To confirm your support/maintenance status, launch the OmniServer Configuration (either from the Start Menu or the OmniServer system tray icon) and confirm the support/maintenance expiration listed for your license.
For users with licenses covered by a current support/maintenance agreement:
- You are eligible for any version up to and including the current version.
- It is recommended to download V3.2.0.13 and upgrade your OmniServer installation as soon as practically possible, following your company's change management practices. Running the latest version is always recommended wherever possible.
For users with licenses NOT covered by a current support/maintenance agreement:
- Please contact us for a quotation to reinstate your support/maintenance agreement. This will allow you to download V3.2.0.13 and upgrade your OmniServer installation as soon as practically possible, following your company's change management practices. Please include your serial number or any other information that will help us with your request.
If you have any further questions regarding this bulletin, please submit a support request.