AVEVA Wonderware License Server

Priority: Act Now | CVSS: 9.8 | ICS-CERT: ICSA-18-212-05 | Published: Jul 31, 2018
Vendor: AVEVA
Attack path
  Attack Vector: Network
  Auth Required: None
  Complexity: Low
  User Interaction: None needed
Summary

A buffer overflow vulnerability (CWE-119) in AVEVA Wonderware License Server, Historian Client, and Information Server allows unauthenticated remote code execution with administrative privileges. The vulnerability affects Historian Client 2014 R4 SP2 P02 and prior, Wonderware License Server v4.0.13100 and prior, and Wonderware Information Server 4.0 SP1 and prior. Successful exploitation could allow an attacker to run arbitrary commands on the License Server with system-level privileges, potentially compromising dependent SCADA and HMI systems.

What this means
What could happen
An attacker could gain remote administrative access to the Wonderware License Server and execute arbitrary commands, potentially disrupting or taking control of SCADA/HMI systems that depend on it for software licensing and data collection.
Who's at risk
Operators that rely on Wonderware for SCADA data collection, HMI and process historian functions, notably water utilities and electric power operators. Specifically impacts Historian Client 2014 R4 SP2 P02 and earlier, Wonderware License Server v4.0.13100 and earlier, and Wonderware Information Server 4.0 SP1 and earlier. Any facility using these AVEVA products for real-time process monitoring or control-system licensing is at risk.
How it could be exploited
An attacker with network access to the Wonderware License Server (including from the Internet if the service is exposed) sends a crafted request to the vulnerable service; the advisory does not specify the port or protocol. No authentication is required. The buffer overflow lets the attacker execute arbitrary code with the privileges of the License Server process, typically SYSTEM or administrator level.
Prerequisites
  • Network access to Wonderware License Server service
  • No authentication required
  • Affected version 4.0.13100 or prior must be running
Tags: remotely exploitable; no authentication required; low complexity; high EPSS score (80.5%); affects SCADA/HMI systems; no patch available for some products
Exploitability
Likely to be exploited — EPSS score 80.5%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (3)
1 with fix, 2 EOL

Product                        | Affected Versions   | Fix Status
Wonderware License Server      | ≤ v4.0.13100        | Hotfix VU-485744 or later
Historian Client               | ≤ 2014 R4 SP2 P02   | No fix (EOL)
Wonderware Information Server  | ≤ 4.0 SP1           | No fix (EOL)
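To confirm which of the versions above are actually present on a host, the following PowerShell inventory check is an added example written for this page; it is not part of the ICS-CERT advisory or any AVEVA tooling. It reads the standard Windows uninstall registry keys and compares the License Server build number against the affected ceiling. It assumes the product DisplayName values contain "License Server", "Historian Client" or "Information Server" (adjust the patterns if your installs are named differently), and it cannot tell whether hotfix VU-485744 has been applied if the hotfix leaves DisplayVersion unchanged, so treat its output as a starting point, not proof of patching.

```powershell
# Added example (not from the advisory or from AVEVA): inventory Wonderware products
# from the Windows uninstall registry and flag the ranges affected by ICSA-18-212-05.
# ASSUMPTION: DisplayName values contain the product names used in the advisory.
function Get-WonderwareExposure {
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $licenseServerMax = [version]'4.0.13100'   # highest affected License Server build

    Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Wonderware|Historian Client|Information Server' } |
        ForEach-Object {
            $name = $_.DisplayName
            $ver  = [string]$_.DisplayVersion
            $status = switch -Regex ($name) {
                'License Server' {
                    $parsed = $null
                    if ([version]::TryParse($ver, [ref]$parsed)) {
                        if ($parsed -le $licenseServerMax) {
                            'AFFECTED: install Hotfix VU-485744 or later (or verify it is already applied)'
                        } else {
                            'Above affected range; confirm hotfix VU-485744 is present'
                        }
                    } else {
                        "Version '$ver' not parseable; compare manually against 4.0.13100"
                    }
                    break
                }
                'Historian Client'   { 'EOL, no fix: affected if 2014 R4 SP2 P02 or prior; apply compensating controls'; break }
                'Information Server' { 'EOL, no fix: affected if 4.0 SP1 or prior; apply compensating controls'; break }
                default              { 'Not covered by ICSA-18-212-05' }
            }
            [pscustomobject]@{ Product = $name; Version = $ver; Status = $status }
        }
}

# Run on each License Server, Historian Client and Information Server host.
Get-WonderwareExposure | Format-Table -AutoSize
```

Run it from an elevated prompt on each host; an empty result means no matching DisplayName was found, not that the host is clean, so cross-check against Programs and Features.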
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the Wonderware License Server to authorized engineering and supervisory networks only; block inbound access from the Internet and untrusted networks at the firewall.
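One way to apply that restriction on the License Server host itself, as an added example that is not part of the advisory: scope the Windows Defender Firewall to the License Server executable rather than to a port, since the advisory does not name the listening port. The executable path and the two subnets below are placeholders to be replaced with your own; the firewall cmdlets are the standard NetSecurity module shipped with Windows Server 2012 and later. The important caveat is that Windows Firewall evaluates explicit Block rules before Allow rules, so an "allow trusted subnets" rule paired with a "block Any" rule for the same program would block the trusted subnets too; the script therefore relies on the profile's default inbound action of Block and adds only a scoped Allow.

```powershell
# Added example (not from the advisory or from AVEVA): limit inbound access to the
# License Server process to named engineering/supervisory subnets on the host firewall.
# ASSUMPTIONS: the executable path and the subnets below are placeholders.
$LicenseServerExe = 'C:\Program Files (x86)\Wonderware\License Server\LicenseServer.exe'  # assumed path
$TrustedSubnets   = @('10.10.20.0/24', '10.10.21.0/24')   # engineering + supervisory networks

# 1. Sanity check: what is the process actually listening on? (Useful evidence for the
#    perimeter firewall rule as well, since the advisory leaves the port unspecified.)
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path -eq $LicenseServerExe } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Unsolicited inbound traffic must be dropped by default on every profile; the scoped
#    Allow rule below is then the only way in. Do NOT add a "block Any" rule for the
#    program: explicit Block rules win over Allow rules and would cut off the subnets too.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 3. Remove any existing broad inbound Allow rules bound to the License Server binary
#    (installers often add an "allow from anywhere" rule).
Get-NetFirewallApplicationFilter -Program $LicenseServerExe -ErrorAction SilentlyContinue |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Remove-NetFirewallRule

# 4. Allow inbound connections to the program only from the trusted subnets.
New-NetFirewallRule -DisplayName 'Wonderware License Server - engineering/supervisory only' `
    -Direction Inbound -Program $LicenseServerExe -RemoteAddress $TrustedSubnets `
    -Action Allow -Profile Any -Enabled True | Out-Null

# 5. Show the resulting scope for the change record.
Get-NetFirewallRule -DisplayName 'Wonderware License Server - engineering/supervisory only' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Host-based scoping complements, but does not replace, the perimeter rule: the network firewall between the control network and business IT should still deny inbound access to the License Server from anything outside the engineering and supervisory ranges.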
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Install hotfix Wonderware License Server VU-485744 or later from the Schneider Electric support portal.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Historian Client: 2014 R4 SP2 P02 and prior, Wonderware Information Server: 4.0 SP1 and prior. Apply the following compensating controls:
HARDENING: Isolate Wonderware License Server and Historian Client systems behind a firewall and on a dedicated control network separate from the business IT network.
HARDENING: For remote access, require a VPN that is kept current with security patches and uses strong authentication.