ARC Informatique PcVue HMI/SCADA ActiveX Vulnerabilities

Act NowICS-CERT ICSA-11-340-01Sep 8, 2011

Summary

ARC Informatique PcVue, FrontVue, and PlantVue HMI/SCADA software contain vulnerabilities in ActiveX controls that allow arbitrary code execution. These vulnerabilities are the result of buffer overflow (CWE-121) and integer overflow (CWE-190) flaws. Exploitation requires a user with the vulnerable software installed to interact with malicious content containing a crafted ActiveX control. No vendor patch is available for any of the affected products.

What this means

What could happen

An attacker with network access to a system running PcVue, FrontVue, or PlantVue could execute arbitrary code through malicious ActiveX controls, potentially allowing them to manipulate SCADA operations or disrupt production monitoring and control.

Who's at risk

This affects energy utilities and manufacturing facilities that use ARC Informatique SCADA/HMI software (PcVue, FrontVue, PlantVue) for process monitoring and control. Engineering workstations, operator consoles, and any system running these products are at risk if users can access untrusted web content or email.

How it could be exploited

An attacker could craft a malicious web page or email containing a specially crafted ActiveX control. If a user opens this content on a system with the vulnerable software installed, the ActiveX control executes with the same privileges as the user, potentially giving the attacker control over the SCADA/HMI interface.

Prerequisites

ActiveX control execution enabled in web browser or email client on the target system
User with access to the vulnerable HMI/SCADA software must open malicious content
Vulnerable ARC Informatique product (PcVue 6.xx+, FrontVue any version, or PlantVue any version) installed on the system

no patch availablehigh EPSS score (24.9%)affects SCADA/HMI systemsbuffer overflow and integer overflow vulnerabilities (CWE-121, CWE-190)

Exploitability

High exploit probability (EPSS 24.9%)

Affected products (3)

3 EOL

ProductAffected VersionsFix Status

PcVue: >=6.xx≥ 6.xxNo fix (EOL)

FrontVue: vers:all/*All versionsNo fix (EOL)

PlantVue: vers:all/*All versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDDisable ActiveX control execution in web browsers and email clients on systems running PcVue, FrontVue, or PlantVue

Mitigations - no patch available

0/4

The following products have reached End of Life with no planned fix: PcVue: >=6.xx, FrontVue: vers:all/*, PlantVue: vers:all/*. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate HMI/SCADA systems from general office networks and internet-facing systems

HARDENINGRestrict user access to web browsing and email on engineering workstations running these HMI/SCADA products

HARDENINGDeploy application whitelisting to prevent execution of unauthorized ActiveX controls

HARDENINGMonitor for and block ActiveX control execution attempts on networks hosting PcVue, FrontVue, or PlantVue systems

CVEs (2)

CVE-2011-4042 CVE-2011-4043

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1bf1762f-ea2b-49c9-ad02-321e8a23b27c