Description:

PTC has released security update to address a vulnerability in the following products:

• Kepware LinkMaster Version 3.0.94.0 and prior

Kepware KEPServerEX, a connectivity platform:

• KEPServerEX: v6.0 to v6.9
• ThingWorx Kepware Server: v6.8 and v6.9
• ThingWorx Industrial Connectivity: All versions
• OPC-Aggregator: All versions

The following products may have a vulnerable component:

• Rockwell Automation KEPServer Enterprise
• GE Digital Industrial Gateway Server: v7.68.804 and v7.66
• Software Toolbox TOP Server: All 6.x versions

Threats:

Attacker could exploit these vulnerabilities by doing the following:

• Denial of service attack (DoS)
• Buffer overflow
• Execute arbitrary code - remotely

Best practice and Recommendations:

The CERT team encourages users to review PTC security advisory and apply the necessary updates:

• Upgrade Kepware LinkMaster to Version 3.0.99
• KEPServerEX
  • Version 6.6 should upgrade to Version 6.6.362.0
  • Version 6.7 should upgrade to Version 6.7.1067.0
  • Version 6.8 should upgrade to Version 6.8.838.0
  • Version 6.9 should upgrade to Version 6.9.584.0
• ThingWorx Kepware Server
  • Version 6.8 should upgrade to Version 6.8.839.0
  • Version 6.9 should upgrade to Version 6.9.584.0
• ThingWorx Industrial Connectivity
  • Version 8.4 should upgrade to Version 8.4 (6.6.362.0)
  • Version 8.5 should upgrade to Version 8.4 (6.7.1068.0)
• OPC-Aggregator
  • Version 6.9 should upgrade to Version 6.9.584.0

PTC recommends that users of the following products upgrade to the most current supported version:

• Rockwell Automation KEPServer Enterprise
• GE Digital Industrial Gateway Server
  • Versions 7.68.804 and 7.66 should update to Version 7.68.839.0
• Software Toolbox TOP Server
  • Version 6.7 should upgrade to Version 6.7.1068.0
  • Version 6.8 should upgrade to Version 6.8.840.0
  • Version 6.9 should upgrade to Version 6.9.584.0