AVEVA InTouch
Priority: Act Now · Score: 9.8 · Source: ICS-CERT ICSA-18-200-02 · Published: Jul 19, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A stack-based buffer overflow vulnerability exists in AVEVA InTouch HMI software when it processes floating-point numbers received in network requests. Systems running locales that use a comma (,) instead of a dot (.) as the decimal separator are vulnerable. An unauthenticated remote attacker can send a specially crafted network packet to the InTouch View service to trigger the overflow and execute arbitrary code with the privileges of the InTouch process. Affected versions include InTouch 2014 R2 SP1 and earlier, and all InTouch 2017 releases earlier than Update 2 with its corresponding hotfix applied.
What this means
What could happen
An unauthenticated attacker could execute arbitrary code on an InTouch HMI with the privileges of the View process, potentially allowing them to manipulate process setpoints, halt production, or alter alarms and historical data.
Who's at risk
Manufacturing facilities using AVEVA InTouch as their primary HMI platform, especially those whose control-room HMI workstations run European or other non-English locales that use a comma rather than a period as the decimal separator.
How it could be exploited
An attacker sends a specially crafted network request to the InTouch View service (typically port 7381 or similar). The vulnerability lies in floating-point number parsing when the system locale does not use a dot (.) as the decimal separator. The malformed value overflows a stack buffer, allowing code execution without authentication.
Prerequisites
- Network access to InTouch View service port
- System locale configured with a decimal separator other than a dot (.) (e.g., European locales that use a comma)
- InTouch service running and accessible
Tags: Remotely exploitable · No authentication required · Low complexity attack · Buffer overflow (memory corruption) · Affects HMI/visualization systems · Default configurations vulnerable (locale-based)
Exploitability
Moderate exploit probability (EPSS 7.0%)
Affected products (4), 4 pending
Product                          | Affected Versions | Fix Status
InTouch: 2014 R2 SP1 and prior   | ≤ 2014 R2 SP1     | No fix yet
InTouch: 2017 Update 2           | ≤ 2017 Update 2   | No fix yet
InTouch: 2017                    | 2017              | No fix yet
InTouch: 2017 Update 1           | 2017 Update 1     | No fix yet
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption.
- HOTFIX: For InTouch 2014 R2 SP1: Apply hotfix HF-11_1_SP1/CR149705
- HOTFIX: For InTouch 2017 Update 2: Apply hotfix HF-17_2/CR149706
- HOTFIX: For InTouch 2017 or 2017 Update 1: Upgrade to InTouch 2017 Update 2, then apply hotfix HF-17_2/CR149706
Long-term hardening
- HARDENING: Implement network segmentation: isolate InTouch systems from the business network and the Internet
- HARDENING: Place InTouch systems behind a firewall with egress/ingress rules that deny unauthorized access to InTouch View service ports
- HARDENING: If remote access is required, enforce VPN-based access with up-to-date software
CVEs (1)