
Cybersecurity & Infrastructure Security Agency (CISA) Reports Vulnerabilities in TOP Server OPC UA server interface for all Releases Prior to V6.12.325.0

The Cybersecurity & Infrastructure Security Agency's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has identified a vulnerability in the OPC UA server interface for TOP Server/KEPServerEX V5.2.133.0-V6.11.764.0.

Reference IDs
CISA: ICSA-22-242-10
NIST: CVE-2022-2825, CVE-2022-3848
 
As of 23 June 2022, TOP Server / KEPServerEX V6.12.325.0 is available to resolve this vulnerability in the OPC UA server interface. This FAQ provides information on how to obtain the update.

This vulnerability does NOT affect the OPC UA Client driver - only the OPC UA Server interface is affected.

 
Full details of the vulnerability are available on the CISA website for Advisory # ICSA-22-242-10 - please keep reading for specific details on mitigating this vulnerability for your TOP Server installations.

The CISA advisory primarily references KEPServerEX at the beginning - TOP Server is a branded version of KEPServerEX, so all information discussed pertaining to KEPServerEX will also apply to TOP Server, which is explicitly referenced in the "Affected Products" section 3.1.

What TOP Server users are at risk?

It is important to understand that this vulnerability only affects users of TOP Server V6.11.764.0 or earlier who meet the following conditions:
  • Have the OPC UA interface enabled (whether they're actively using it or not). If NOT using OPC UA, you should keep the OPC UA server interface disabled until you can upgrade to the latest version. The OPC UA interface is disabled by default (for details on how to enable/disable the OPC UA server interface, click here).
  • Have an OPC UA endpoint configured and enabled that is accessible externally to the local network. By default, only a local-only endpoint is enabled in the UA Configuration Manager.
If neither of these conditions is true, the TOP Server installation should not be affected by this vulnerability. If the user changes ANY of the conditions, this statement is invalidated. Users are responsible for maintaining a secure environment consistent with their company's security standards and following their company change management practices. In the absence of company standards, users should consider US NIST guidelines.
If the conditions above are true, and the server is behind a secure firewall without any allowed access to the TOP Server OPC UA interface to individuals outside the company network, the attack surface is reduced but not to zero. The remaining vulnerability is from users who have physical access to the company's computers or networks. Each customer company must assess their security risk and stance and must involve their company Cyber-security professionals to assess the risk, and we can answer questions for those parties if needed. In absence of having company standards, users should consider US NIST guidelines.
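The two conditions above (affected version range, OPC UA server interface enabled, and an endpoint bound to something other than a loopback address) can be checked mechanically across an inventory. The following Python triage script is an added example, not code from Software Toolbox or from the advisory: it parses the version strings quoted above, compares them against the affected range and the fixed release, and classifies each server by whether any enabled endpoint is reachable beyond the local machine. The inventory records, host names, and endpoint URLs (including the port numbers) are constructed sample data; how the inventory is gathered from the UA Configuration Manager is outside the script.

```python
"""Triage helper for the TOP Server / KEPServerEX OPC UA advisory (ICSA-22-242-10).

Added example, not vendor code.  Each inventory record carries the installed
version, whether the OPC UA server interface is enabled, and the enabled
endpoint URLs; the script classifies the machine against the advisory's
conditions.  All records below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Version bounds quoted in the advisory.
AFFECTED_MIN = "V5.2.133.0"
AFFECTED_MAX = "V6.11.764.0"
FIXED_VERSION = "V6.12.325.0"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V6.11.764.0' (or '6.11.764.0') into a 4-tuple of ints for comparison."""
    parts = text.strip().lstrip("vV").split(".")
    if not parts or len(parts) > 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts += ["0"] * (4 - len(parts))  # pad short strings such as '6.12'
    return tuple(int(p) for p in parts)


def version_status(version: str) -> str:
    """'fixed' (>= V6.12.325.0), 'affected' (in the advisory's range), or 'unlisted'."""
    v = parse_version(version)
    if v >= parse_version(FIXED_VERSION):
        return "fixed"
    if parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX):
        return "affected"
    return "unlisted"  # outside the ranges the advisory names; review manually


def endpoint_is_external(endpoint_url: str) -> bool:
    """True if the endpoint host is anything other than a loopback address."""
    host = urlsplit(endpoint_url).hostname  # brackets around IPv6 literals are stripped
    if host is None:
        raise ValueError(f"cannot read host from endpoint URL: {endpoint_url!r}")
    if host == "localhost":
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # a DNS name other than localhost is treated as network-reachable


@dataclass
class ServerRecord:
    host: str
    version: str
    ua_interface_enabled: bool
    ua_endpoints: List[str] = field(default_factory=list)


def assess(record: ServerRecord) -> Dict[str, object]:
    """Classify one server: fixed / unlisted / ua-disabled / local-only / exposed."""
    status = version_status(record.version)
    external = [e for e in record.ua_endpoints if endpoint_is_external(e)]
    if status == "fixed":
        risk = "fixed"
    elif status == "unlisted":
        risk = "unlisted"
    elif not record.ua_interface_enabled:
        risk = "ua-disabled"      # keep it disabled until upgraded
    elif not external:
        risk = "local-only"       # endpoints not reachable from the network; upgrade when practical
    else:
        risk = "exposed"          # both advisory conditions met: upgrade or disable the interface
    return {"host": record.host, "version_status": status,
            "external_endpoints": external, "risk": risk}


def triage(inventory: List[ServerRecord]) -> List[Dict[str, object]]:
    return [assess(r) for r in inventory]


# Constructed sample inventory (hosts, versions, endpoints and ports are made up).
SAMPLE_INVENTORY = [
    ServerRecord("plant-hmi-01", "V6.12.325.0", True, ["opc.tcp://plant-hmi-01:4840"]),
    ServerRecord("line-2-gw", "V6.11.764.0", True, ["opc.tcp://127.0.0.1:4840"]),
    ServerRecord("line-3-gw", "V6.10.0.0", True,
                 ["opc.tcp://127.0.0.1:4840", "opc.tcp://[::1]:4840", "opc.tcp://10.20.30.40:4840"]),
    ServerRecord("historian-02", "V6.11.764.0", False, []),
    ServerRecord("legacy-01", "V5.1.0.0", True, ["opc.tcp://192.0.2.10:4840"]),
]

if __name__ == "__main__":
    for result in triage(SAMPLE_INVENTORY):
        print(f"{result['host']:<14} {result['risk']:<12} external={result['external_endpoints']}")
```

Servers reported as `exposed` are the ones the advisory singles out; `local-only` machines still run an affected build and belong in the upgrade plan, and `unlisted` versions fall outside the range the advisory names and need a manual check.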

What will happen if your TOP Server is attacked?

For the affected versions, if a malicious actor gains access to your TOP Server application and performs a successful attack, you may experience a crash of TOP Server and/or leaked data. The following is the range of possible potential impacts:
  • Loss of ability to configure the application
  • Loss of data 
  • Loss of data acquisition 
  • Loss of control of systems
  • Leaked process data
Your industrial control system may continue to run, and the system should be designed to fail safely at a minimum. If it is not, actions may need to be taken to safely continue or to shut the system down as appropriate for the specific system. From a practical perspective, if your TOP Server and client applications are behind a secure firewall with no outside access, the risk of this vulnerability being exploited may be lower.
HOWEVER, each customer company must assess their security risk and stance and should involve their company Cyber-security professionals to assess the risk, and we can answer questions for those parties if needed. For general recommendations and best practices for mitigating vulnerabilities and ensuring your TOP Server installations are as secure as possible, please request your free copy of the TOP Server Secure Deployment Considerations Guide.

TOP Server Update Available

Software Toolbox has made the latest TOP Server release, which addresses these issues, available for download from the following link. Your existing TOP Server configuration project is fully compatible with this updated version. Please verify your current support/maintenance status in the TOP Server License Utility prior to downloading and installing one of these updated versions to confirm eligibility (keep reading below for next steps in situations where your "Support End Date" is in the past).
It is also strongly recommended that you save a copy of your TOP Server configuration project as a backup prior to updating (see this FAQ for information about automatic project backups; as a fail-safe, you can also go to File -> Save As in your TOP Server Configuration).

Next Steps

Scenarios for updating your TOP Server will depend on the current state of the support/maintenance agreement for your licenses on the TOP Server machine. To confirm your support/maintenance status, launch the TOP Server License Utility (either from the Start Menu or the TOP Server Admin system tray icon) and confirm the "Support End Date" listed for your licenses.

For users with licenses covered by a current support/maintenance agreement (i.e. a "Support End Date" with a value in the future):

  1. You are eligible for any version up to and including the current version. (V5.x users covered by a current support/maintenance agreement will need to request a V6.x upgrade license prior to upgrading - click here for instructions on upgrading from TOP Server V5.x to V6.x)
  2. It is recommended to download V6.12.325.0 (or the current version, if a newer version is available since the posting of this alert) and upgrade your TOP Server installation as soon as practically possible, following your company's change management practices. Running the latest version is always recommended wherever possible.

For users with licenses NOT covered by a current support/maintenance agreement (i.e. a "Support End Date" with a value in the past):

  1. Please contact us for a quotation to reinstate your support/maintenance agreement. This will allow you to download V6.12.325.0 (or the current version, if newer) and upgrade your TOP Server installation as soon as practically possible, following your company's change management practices. Please include your serial number or activation ID or any other information that will help us with your request.
If you have any further questions regarding this bulletin, please submit a support request.