AVEVA InTouch

Plan PatchCVSS 9.8ICS-CERT ICSA-18-200-02Jul 19, 2018

AVEVAManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A stack-based buffer overflow vulnerability exists in AVEVA InTouch HMI software when processing floating-point numbers from network requests. Systems running locales that use a comma (,) instead of a dot (.) as the decimal separator are vulnerable. An unauthenticated remote attacker can send a specially crafted network packet to the InTouch View service to trigger the overflow and execute arbitrary code with the privileges of the InTouch process. Affected versions include InTouch 2014 R2 SP1 and all 2017 versions prior to Update 2 with the corresponding hotfix applied.

What this means

What could happen

An unauthenticated attacker could execute arbitrary code on an InTouch HMI with the privileges of the View process, potentially allowing them to manipulate process setpoints, halt production, or alter alarms and historical data.

Who's at risk

Manufacturing facilities using AVEVA InTouch as their primary HMI platform, especially those with human-machine interface systems in control rooms that operate with European or other non-English locales that use comma as the decimal separator instead of a period.

How it could be exploited

An attacker sends a specially crafted network request to the InTouch View service (typically port 7381 or similar). The vulnerability exists in floating-point number parsing when the system locale does not use a dot (.) as the decimal separator. The malformed input triggers a buffer overflow, allowing code execution without authentication.

Prerequisites

Network access to InTouch View service port
System locale configured to not use dot (.) as floating point separator (e.g., European locales using comma)
InTouch service running and accessible

Remotely exploitableNo authentication requiredLow complexity attackBuffer overflow (memory corruption)Affects HMI/visualization systemsDefault configurations vulnerable (locale-based)

Exploitability

Some exploitation risk — EPSS score 7.0%

Affected products (4)

4 pending

ProductAffected VersionsFix Status

InTouch: 2014 R2 SP1 and prior≤ 2014 R2 SP1No fix yet

InTouch: 2017 Update 2≤ 2017 Update 2No fix yet

InTouch: 20172017No fix yet

InTouch: 2017 Update 12017 Update 1No fix yet

Remediation & Mitigation

0/6

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXFor InTouch 2014 R2 SP1: Apply hotfix HF-11_1_SP1/CR149705

HOTFIXFor InTouch 2017 Update 2: Apply hotfix HF-17_2/CR149706

HOTFIXFor InTouch 2017 or 2017 Update 1: Upgrade to InTouch 2017 Update 2, then apply hotfix HF-17_2/CR149706

Long-term hardening

0/3

HARDENINGImplement network segmentation: isolate InTouch systems from the business network and the Internet

HARDENINGPlace InTouch systems behind a firewall with egress/ingress rules that deny unauthorized access to InTouch View service ports

HARDENINGIf remote access is required, enforce VPN-based access with up-to-date software

CVEs (1)

CVE-2018-10628

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7af464a7-06a3-4ad2-903b-dc8da8944314

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.