August 29, 2023   

1. What is the CVE associated with this vulnerability?
This vulnerability has been assigned CVE-2023-1967.

 

2. Where can I find the impacted products?
Keysight impacted products: Security Advisory CVE-2023-1967 Product Lookup Tool

 

3. What is the CVSS vector string for this vulnerability?
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8, Critical)

 

4. What if I do not use the impacted software anymore?
Some of the vulnerable software may start when Windows boots. If there is no plan to update the vulnerable software, it is recommended to uninstall the software.

 

5. Do I need to manually run the software to expose the vulnerability?
If the software is run manually, it may expose the vulnerability. However, some of the impacted software may run as a service, start automatically, and expose the vulnerability.

 

6. How did Keysight become aware of the vulnerability?
Keysight was notified of the presence of the vulnerability by CISA, through the Vulnerability Information and Coordination Environment (VINCE) platform hosted by CERT/CC.

 

7. What is the best way to protect against this vulnerability?
We recommend that you always run the latest version of Keysight software.

 

8. What should I do if I cannot upgrade my software?
You can reduce your risk using industry standard security practices:

  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.

 

9. What should I do if I cannot upgrade my software and cannot remove the device from the network?
Successful exploitation of this vulnerability could lead to remote code execution. If you cannot upgrade your software or remove the device from your network, you should work with your organization’s IT department to conduct an impact analysis and risk assessment, and to determine appropriate defensive measures. Please contact Keysight for additional technical guidance.

 

10. Is there a cost to remediate my products?
If you are a licensed user of current versions of supported models, you may download and install a software update to remediate CVE-2023-1967 at no cost by using the Product Lookup Tool. If you would like Keysight to perform the software update(s) for you, fees may apply. Please contact Keysight for a quote.

 

11. What else can I do to protect my Keysight products from security threats?
Keysight recommends that you keep your operating system and other software up to date. Keysight also recommends that you follow industry guidelines to protect your computers and data.

For additional questions, please contact Keysight.

 

Keysight used commercially reasonable efforts to compile the list of products affected by this vulnerability and the responses to these frequently asked questions. Keysight offers this information for your convenience and does not warrant it is complete.
