
ICSA-23-208-02, CVE-2023-3825 Vulnerability Report regarding KEPServerEX and TOP Server 6.0 to 6.14, Resolved in 6.15

In ICSA-23-208-02 (CVE-2023-3825) there are reports of an OPC UA Server stack vulnerability for KEPServerEX. Does this also affect TOP Server and what are the options for mitigation?

ICSA-23-208-02 affects TOP Server and KEPServerEX versions 6.0 to 6.14.263.0, and specifically the OPC UA Server interface. This vulnerability does NOT affect the OPC UA Client driver; only the OPC UA Server interface is affected. The issue has been resolved in Version 6.15 of TOP Server and KEPServerEX. Users on active support & maintenance agreements can download the upgrade; others may request a quote to reinstate support and upgrade.

What TOP Server users are at risk?

It is important to understand that this vulnerability only affects TOP Server users who meet the following condition:
They have the OPC UA server interface enabled (whether they are actively using it or not) AND allow connections with anonymous authentication and a security policy of None, which is inconsistent with the recommendations in the Secure Deployment Guide.
  • If NOT using OPC UA, you should keep the OPC UA server interface disabled until you can upgrade to the latest version.
    • The OPC UA interface is disabled by default upon installation (for details on how to enable/disable the OPC UA server interface, click here).
If this condition is not met, the TOP Server installation should not be affected by this vulnerability. Users are responsible for maintaining a secure environment consistent with their company's security standards and following their company's change management practices. In the absence of company standards, users should consider US NIST guidelines.

Details:

  • The attack vector leveraged during the event involved the creation of an unauthenticated bad-acting OPC UA Client
    • Standard controls available in the product and outlined in the Secure Deployment guide are sufficient to mitigate this vulnerability
    • For more details see ICSA-23-208-02
  • This issue has been resolved in Version 6.15 of the TOP Server and KEPServerEX
  • Note that as of the date of publishing this notice, we have no indication, nor have we been made aware, that this vulnerability has been or is being exploited

Mitigation:

Whether running version 6.15 or higher or not, users are strongly recommended to follow the controls in the free Secure Deployment Guide, including:
  • Always run a secure connection to TOP Server. Do not run with anonymous authentication and a security policy of None.
  • Know which OPC UA Clients' certificates you choose to trust: an administrator must accept the SSL certificate of any client, and you should only accept certificates from known, trusted OPC UA client applications
  • Use authentication wherever your OPC UA clients support it
  • Users are responsible for maintaining a secure environment consistent with their company's security standards and following their company's change management practices. In the absence of company standards, users should consider US NIST guidelines.
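The following is an added example, not code from the vendor or the advisory, that audits a list of OPC UA endpoint descriptions for the at-risk condition described above: a channel with security policy or message security mode None combined with the Anonymous user token. The endpoint list, host name and structure are constructed for illustration; in practice the same fields come from the server's GetEndpoints response.

```python
"""Audit OPC UA endpoint descriptions for the weak configuration named in the
advisory (anonymous authentication over a security policy / mode of None).
The sample endpoints are constructed; real data would come from GetEndpoints."""
from __future__ import annotations
from dataclasses import dataclass, field

# Well-known identifiers from the OPC UA specification
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_B256S256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
MODE_NONE, MODE_SIGN, MODE_SIGN_ENCRYPT = 1, 2, 3       # MessageSecurityMode
TOKEN_ANONYMOUS, TOKEN_USERNAME, TOKEN_CERT = 0, 1, 2   # UserTokenType


@dataclass
class Endpoint:
    url: str
    security_policy: str
    security_mode: int
    user_token_types: list[int] = field(default_factory=list)


def is_unsecured(ep: Endpoint) -> bool:
    """True when the secure channel itself provides no protection."""
    return ep.security_policy == POLICY_NONE or ep.security_mode == MODE_NONE


def allows_anonymous(ep: Endpoint) -> bool:
    return TOKEN_ANONYMOUS in ep.user_token_types


def audit(endpoints: list[Endpoint]) -> list[str]:
    """One finding per weak endpoint; an empty list means no exposed endpoint
    meets the advisory's at-risk condition or offers a weaker-than-advised setting."""
    findings = []
    for ep in endpoints:
        if is_unsecured(ep) and allows_anonymous(ep):
            findings.append(f"{ep.url}: anonymous access over an unsecured channel (advisory condition)")
        elif is_unsecured(ep):
            findings.append(f"{ep.url}: security None exposed; restrict to Sign or SignAndEncrypt")
        elif allows_anonymous(ep):
            findings.append(f"{ep.url}: anonymous token offered; require username or certificate")
    return findings


# Constructed sample: one weak endpoint and one hardened endpoint on a placeholder host
SAMPLE = [
    Endpoint("opc.tcp://example-gateway:4840", POLICY_NONE, MODE_NONE, [TOKEN_ANONYMOUS, TOKEN_USERNAME]),
    Endpoint("opc.tcp://example-gateway:4840", POLICY_B256S256, MODE_SIGN_ENCRYPT, [TOKEN_USERNAME, TOKEN_CERT]),
]

if __name__ == "__main__":
    for line in audit(SAMPLE) or ["no weak endpoints found"]:
        print(line)
```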
If you have questions about this FAQ and notice, please submit a support request and an appropriate member of our team will get back to you. Note that only certain staff with appropriate skills or training are authorized to answer some security questions, so our normal 2 business hour response may not be possible; we will, however, let you know that we are escalating your question within our normal 2 business hour response window in our time zone.