AVEVA InduSoft Web Studio and InTouch Machine Edition
Act Now | CVSS 9.8 | ICS-CERT ICSA-18-200-01 | Jul 19, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
InduSoft Web Studio and InTouch Machine Edition are vulnerable to remote code execution when the TCP/IP Server Task is enabled. A remote attacker can send a crafted network packet during tag, alarm, or event operations (read/write actions) that triggers a stack-based buffer overflow, leading to arbitrary code execution. The vulnerability affects InduSoft Web Studio v8.1 and v8.1 SP1, and InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1.
What this means
What could happen
An attacker could execute arbitrary code on a device running InduSoft Web Studio or InTouch Machine Edition with the TCP/IP Server Task enabled, potentially allowing them to modify tag values, override alarms, or stop plant operations entirely.
Who's at risk
Water authorities and electric utilities using AVEVA InduSoft Web Studio or InTouch Machine Edition for HMI/SCADA operations. Any facility relying on these products for real-time process monitoring, tag management, or alarm handling is affected if the TCP/IP Server Task is enabled.
How it could be exploited
An attacker sends a specially crafted network packet to the TCP/IP Server Task port during tag, alarm, or event operations (read/write). The packet exploits a stack-based buffer overflow (CWE-121) in the network message handler, allowing arbitrary code execution with the privileges of the affected application.
Prerequisites
- Network reachability to the TCP/IP Server Task port (typically port 2424 or configured alternate)
- TCP/IP Server Task must be enabled in the application configuration
- No authentication required
Remotely exploitable | No authentication required | Low complexity attack | High CVSS score (9.8) | No patch available for InTouch Machine Edition | Default TCP/IP Server Task may be enabled
Exploitability
Moderate exploit probability (EPSS 5.0%)
Affected products (2)
1 with fix, 1 EOL
Product | Affected Versions | Fix Status
InduSoft Web Studio: v8.1 and v8.1 SP1 | 8.1, 8.1 SP1 | 8.1 SP1 with Hotfix 81.1.00.08
InTouch Machine Edition: v2017 8.1 and v2017 8.1 SP1 | 2017 8.1, 2017 8.1 SP1 | No fix (EOL)
Remediation & Mitigation
Do now
- HOTFIX: Apply InduSoft Web Studio Hotfix 81.1.00.08 immediately after upgrading to v8.1 SP1 (or, if already on v8.1 SP1, apply the hotfix directly)
- WORKAROUND: For InTouch Machine Edition v2017 8.1 or 8.1 SP1, monitor vendor communications for availability of a patch; in the interim, disable the TCP/IP Server Task if it is not required for plant operations
- HARDENING: Restrict network access to the TCP/IP Server Task port using firewall rules; only allow connections from trusted engineering workstations or SCADA servers
Mitigations - no patch available
InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1 have reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Segment the network containing InduSoft Web Studio or InTouch Machine Edition systems from untrusted networks and the internet
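The firewall restriction and segmentation steps above can be checked against the HMI host's own firewall log. The script below is an added example, not part of the advisory or any vendor tooling: it flags inbound connections to the TCP/IP Server Task port from sources outside a trusted allowlist. It assumes Windows Firewall logging is enabled on the host; the allowlist, addresses and log lines are constructed.

```python
import ipaddress

# Assumptions (not from the advisory): the allowlist and log lines are constructed.
# 2424 is the typical TCP/IP Server Task port named on the page; adjust if reconfigured.
SERVER_TASK_PORT = 2424
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.10/32", "10.20.0.16/30")]

# Constructed sample in the Windows Firewall log layout (pfirewall.log).
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2018-07-19 08:01:12 ALLOW TCP 10.20.0.10 10.20.0.50 50112 2424 0 - 0 0 0 - - - RECEIVE
2018-07-19 08:03:40 ALLOW TCP 192.168.7.23 10.20.0.50 41877 2424 0 - 0 0 0 - - - RECEIVE
2018-07-19 08:03:41 DROP TCP 203.0.113.9 10.20.0.50 60233 2424 52 S 0 0 0 - - - RECEIVE
2018-07-19 08:04:02 ALLOW TCP 192.168.7.23 10.20.0.50 41900 443 0 - 0 0 0 - - - RECEIVE
2018-07-19 08:05:00 ALLOW TCP 10.20.0.50 10.20.0.17 2424 50500 0 - 0 0 0 - - - SEND
"""

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_SOURCES)

def untrusted_server_task_hits(log_text, port=SERVER_TASK_PORT):
    """Return inbound TCP records to `port` whose source is not allowlisted."""
    fields, findings = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order comes from the log header
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        inbound_tcp = rec.get("protocol") == "TCP" and rec.get("path") == "RECEIVE"
        if not inbound_tcp or rec.get("dst-port") != str(port):
            continue
        try:
            if is_trusted(rec["src-ip"]):
                continue
        except (KeyError, ValueError):
            pass  # malformed source address: report it rather than skip it
        findings.append((rec.get("date"), rec.get("time"), rec.get("action"), rec.get("src-ip")))
    return findings

if __name__ == "__main__":
    for date, time, action, src in untrusted_server_task_hits(SAMPLE_LOG):
        # ALLOW from an untrusted source means the firewall rule is missing or too broad.
        severity = "EXPOSED" if action == "ALLOW" else "blocked probe"
        print(f"{date} {time} {src} -> {SERVER_TASK_PORT}/tcp {action} ({severity})")
```

An ALLOW record in the output means the port is reachable from outside the allowlist and the rule set needs tightening; DROP records show the rule working and are worth tracking as probe activity.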
CVEs (1)