Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

AVEVA Patches Critical Flaws in HMI/SCADA Tools Following Schneider Merger

UK-based industrial software company AVEVA has patched two critical remote code execution vulnerabilities discovered by researchers in its InTouch and InduSoft development tools.

UK-based industrial software company AVEVA has patched two critical remote code execution vulnerabilities discovered by researchers in its InTouch and InduSoft development tools.

AVEVA merged with Schneider Electric earlier this year and took over the France-based industrial giant’s Avantis and Wonderware brands. The Wonderware portfolio includes the InduSoft Web Studio and InTouch Machine Edition HMI/SCADA software.

George Lashenko, a researcher with industrial cybersecurity firm CyberX, discovered that some versions of InTouch 2014 and 2017 are affected by a critical stack-based buffer overflow vulnerability. The flaw is tracked as CVE-2018-10628 and it has been assigned a CVSS score of 9.8.AVEVA fixes critical vulnerabilities in InduSoft and InTouch tools

“InTouch provides the capability for an HMI client to read and write tags defined in a view. A remote unauthenticated user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability with potential for code to be executed while performing a tag-write operation on a locale that does not use a dot floating point separator. The code would be executed under the privileges of the InTouch View process and could lead to a compromise of the InTouch HMI,” AVEVA wrote in its advisory.

David Atch, VP of research at CyberX, told SecurityWeek that the vulnerability can be exploited remotely from the Internet if the targeted system is exposed to the Web. The attacker can take control of the HMI by directly sending it specially crafted packets, but the attack can also involve a piece of malware designed to send the malicious packets to the HMI.

“This provides the attacker with full control of the ICS process, enabling them to manipulate process parameters and potentially cause destructive actions like allowing pressure or temperature in a mixing tank to rise above acceptable levels,” Atch explained.

AVEVA released InTouch 2017 Update 2 HF-17_2 /CR149706 and InTouch 2014 R2 SP1 HF-11_1_SP1 /CR149705 on July 13 to patch the vulnerability.

Register for SecurityWeek’s 2018 ICS Cyber Security Conference

Separately, researchers at Tenable discovered another critical remote code execution vulnerability. The security hole, tracked as CVE-2018-10620 with a CVSS score of 9.8, impacts both InTouch Machine Edition and InduSoft Web Studio.

Advertisement. Scroll to continue reading.

“InduSoft Web Studio and InTouch Machine Edition provide the capability for an HMI client to read, write tags and monitor alarms and events. A remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code to be executed. The code would be executed under the privileges of the Indusoft Web Studio or InTouch Machine Edition runtime and could lead to a compromise of the InduSoft Web Studio or InTouch Machine Edition server machine,” AVEVA said in its advisory.

The company patched the flaw on July 13 with the release of Hotfix 81.1.00.08 for each of the impacted products.

“These vulnerabilities leave InduSoft Web Studio or InTouch Machine Edition server machines vulnerable to an unauthenticated remote attacker who could leverage them to execute arbitrary code, potentially leading to full system compromise. In turn, these machines could allow an attacker to move laterally within a network. Connected HMI clients and OT devices can also be exposed to attacks,” Tenable said in a blog post, which includes technical details and a PoC exploit.

The flaw is similar to one disclosed by Tenable in early May, but it’s triggered via a different command.

Related: Schneider Electric Patches Critical Flaw in HMI Products

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Jill Popelka has been appointed CEO at Darktrace, after serving as COO for three months.

GitHub has appointed Alexis Wales as its new Chief Information Security Officer.

Cybersecurity and intelligence solutions provider Nightwing has appointed Christopher Jones as CTO and CDO.

More People On The Move

Expert Insights