AVEVA Patches Critical Flaws in HMI/SCADA Tools Following Schneider Merger

UK-based industrial software company AVEVA has patched two critical remote code execution vulnerabilities discovered by researchers in its InTouch and InduSoft development tools.

AVEVA merged with Schneider Electric earlier this year and took over the France-based industrial giant’s Avantis and Wonderware brands. The Wonderware portfolio includes the InduSoft Web Studio and InTouch Machine Edition HMI/SCADA software.

George Lashenko, a researcher with industrial cybersecurity firm CyberX, discovered that some versions of InTouch 2014 and 2017 are affected by a critical stack-based buffer overflow vulnerability. The flaw is tracked as CVE-2018-10628 and it has been assigned a CVSS score of 9.8.

“InTouch provides the capability for an HMI client to read and write tags defined in a view. A remote unauthenticated user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability with potential for code to be executed while performing a tag-write operation on a locale that does not use a dot floating point separator. The code would be executed under the privileges of the InTouch View process and could lead to a compromise of the InTouch HMI,” AVEVA wrote in its advisory.

David Atch, VP of research at CyberX, told SecurityWeek that the vulnerability can be exploited remotely from the Internet if the targeted system is exposed to the Web. The attacker can take control of the HMI by directly sending it specially crafted packets, but the attack can also involve a piece of malware designed to send the malicious packets to the HMI.

“This provides the attacker with full control of the ICS process, enabling them to manipulate process parameters and potentially cause destructive actions like allowing pressure or temperature in a mixing tank to rise above acceptable levels,” Atch explained.

AVEVA released InTouch 2017 Update 2 HF-17_2 /CR149706 and InTouch 2014 R2 SP1 HF-11_1_SP1 /CR149705 on July 13 to patch the vulnerability.

Separately, researchers at Tenable discovered another critical remote code execution vulnerability. The security hole, tracked as CVE-2018-10620 with a CVSS score of 9.8, impacts both InTouch Machine Edition and InduSoft Web Studio.

“InduSoft Web Studio and InTouch Machine Edition provide the capability for an HMI client to read, write tags and monitor alarms and events. A remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code to be executed. The code would be executed under the privileges of the InduSoft Web Studio or InTouch Machine Edition runtime and could lead to a compromise of the InduSoft Web Studio or InTouch Machine Edition server machine,” AVEVA said in its advisory.

The company patched the flaw on July 13 with the release of Hotfix 81.1.00.08 for each of the impacted products.

“These vulnerabilities leave InduSoft Web Studio or InTouch Machine Edition server machines vulnerable to an unauthenticated remote attacker who could leverage them to execute arbitrary code, potentially leading to full system compromise. In turn, these machines could allow an attacker to move laterally within a network. Connected HMI clients and OT devices can also be exposed to attacks,” Tenable said in a blog post, which includes technical details and a PoC exploit.

The flaw is similar to one disclosed by Tenable in early May, but it’s triggered via a different command.

Related: Schneider Electric Patches Critical Flaw in HMI Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.