ICSA-23-334-03, CVE-2023-5908 and CVE-2023-5909 Vulnerability Report regarding KEPServerEX and TOP Server 6.0 to 6.14, Resolved in 6.15
ICSA-23-334-03 (CVE-2023-5908 and CVE-2023-5909) reports vulnerabilities in TOP Server and KEPServerEX 6.0 to 6.14. What are the options for resolution and mitigation?
ICSA-23-334-03 affects TOP Server and KEPServerEX versions 6.0 to 6.14.263.0 for users who use the OPC UA Server interface.
Mitigation:
If you do not have the OPC UA Server interface enabled, you are not vulnerable. If you have the OPC UA Server interface enabled and have secured it as recommended in the Secure Deployment Guide, your risk is significantly reduced. Each user should evaluate their own risk position based on these facts and consult with our support team if there are questions.
If you use the OPC UA Server interface, we recommend upgrading to TOP Server 6.15 or higher (or KEPServerEX 6.15 or higher) and, regardless of version, following our secure deployment recommendations.
Users on active support and maintenance agreements can download and install the upgrade. Others may request a quote to reinstate support and upgrade.
Whether or not you are running version 6.15 or higher, we strongly recommend following the controls in the free Secure Deployment Guide, including:
- Always run a secure connection to TOP Server; do not run with the security policy None and anonymous authentication.
- Know which OPC UA clients' certificates you choose to trust: an administrator must explicitly accept the certificate of any client, and you should only accept certificates from known, trusted OPC UA client applications.
- Use authentication wherever your OPC UA clients support it.
- Maintain a secure environment consistent with your company's security standards and follow your company's change management practices. In the absence of company standards, consider the US NIST guidelines.
- See also the CISA recommended measures for ICS networks in general, found in ICSA-23-334-03 and in CISA's control systems security recommended best practices.
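As an added illustration of the version check and the Secure Deployment Guide controls above (this is example code written for this FAQ, not code from the product vendor or the product's own API), the following Python script flags an installed version inside the advisory's affected range and audits a captured endpoint list for the weak settings the controls warn about. The Endpoint shape, the endpoint URLs, ports and certificate subjects are constructed assumptions for the sample.

```python
from dataclasses import dataclass, field

# Affected range stated in ICSA-23-334-03: 6.0 through 6.14.263.0; fixed in 6.15.
AFFECTED_MIN, AFFECTED_MAX = (6, 0, 0, 0), (6, 14, 263, 0)
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"  # standard OPC UA policy URI

def parse_version(text):
    """Normalise a dotted version such as '6.14.263.0' to a 4-tuple of ints."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])

def is_affected_version(text):
    """True when the installed version is inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX

@dataclass
class Endpoint:
    """Assumed shape of one GetEndpoints entry (constructed, not the product's API)."""
    url: str
    policy_uri: str   # OPC UA SecurityPolicy URI
    mode: str         # MessageSecurityMode: "None", "Sign" or "SignAndEncrypt"
    user_tokens: list = field(default_factory=list)  # e.g. "Anonymous", "UserName"

def audit(version, ua_enabled, endpoints, trusted_subjects, known_clients):
    """Return findings against the advisory's mitigation controls (empty = nothing found)."""
    findings = []
    if not ua_enabled:
        return findings  # advisory: not vulnerable without the OPC UA Server interface
    if is_affected_version(version):
        findings.append(f"version {version} is in the affected range; upgrade to 6.15 or higher")
    for ep in endpoints:
        if ep.policy_uri == POLICY_NONE or ep.mode == "None":
            findings.append(f"{ep.url}: unsecured channel (security policy or mode None)")
        if "Anonymous" in ep.user_tokens:
            findings.append(f"{ep.url}: anonymous user token accepted")
    for subject in trusted_subjects:  # each trusted client cert must belong to a known client
        if subject not in known_clients:
            findings.append(f"trusted client certificate not on the known-client list: {subject}")
    return findings

def demo():
    """Constructed sample: an affected build with one weak and one hardened endpoint."""
    weak = Endpoint("opc.tcp://plc-gw:49380", POLICY_NONE, "None", ["Anonymous", "UserName"])
    hardened = Endpoint("opc.tcp://plc-gw:49380",
                        "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256",
                        "SignAndEncrypt", ["UserName"])
    return audit("6.14.263.0", True, [weak, hardened],
                 ["CN=HMI-01", "CN=unknown-laptop"], {"CN=HMI-01"})
```

Feed `audit()` the version string from the server's About dialog, the endpoint list returned by your OPC UA client's endpoint discovery, and the subjects in the server's trusted-client certificate store; an empty result means none of the listed controls was violated.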
If you have questions about this FAQ and notice, please click Ask a Question and an appropriate member of our team will get back to you. Note that only staff with the appropriate skills or training are authorized to answer some security questions, so our normal 2 business hour response may not be possible; we will, however, let you know that we are escalating your question within our normal 2 business hour response window in our time zone.