AVEVA Vijeo Citect and Citect SCADA
Monitor
CVSS 7.8
Source: ICS-CERT ICSA-18-331-01
Published: Nov 27, 2018
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in AVEVA Citect SCADA and Vijeo Citect allows arbitrary code execution through improper handling of DLL loading. The vulnerability affects versions 2015, 2016, and v7.40 of both products. No public exploit is known, and this vulnerability is not exploitable remotely.
What this means
What could happen
An attacker with local access to a workstation running Citect SCADA or Vijeo Citect could execute arbitrary code with the privileges of the logged-in user, potentially allowing them to modify process logic, alter control setpoints, or disrupt plant operations.
Who's at risk
This vulnerability affects energy sector operators using AVEVA Citect SCADA systems for plant control and monitoring. Engineering workstations, HMI (Human-Machine Interface) servers, and historian systems running Citect SCADA 2015, 2016, or v7.40, and Vijeo Citect 2015 or v7.40 are at risk if they are accessible to plant personnel or contractors.
How it could be exploited
An attacker must have local access to a workstation running Citect SCADA or Vijeo Citect and must already be logged in with a user account. The attacker would place a malicious library in a location the application searches for its dependencies; because the application loads DLLs improperly, it loads and executes the attacker's code the next time it runs.
Prerequisites
- Local access to a Citect SCADA or Vijeo Citect workstation
- Valid user credentials or physical access to a logged-in workstation
- Ability to write files to directories searched by the application (typically user home directory or application installation path)
- Application must be restarted or process triggered that loads the malicious DLL
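A check a defender can run on a Citect workstation against the third prerequisite above: it lists every directory on the Windows DLL search path that a low-privileged principal can write to. This is an added example, not code from the advisory or from AVEVA; the install path in $CitectInstallDir is an assumption and should be replaced with the real one.

```powershell
# Added example for this advisory (not AVEVA code): report directories on the DLL search
# path of a Citect SCADA / Vijeo Citect workstation that a low-privileged user can write to.
# Each such directory is a place where the planted library described above could land,
# so it should be tightened with ACLs or removed from PATH.
# $CitectInstallDir is an assumed default; set it to the real installation directory.
param(
    [string]$CitectInstallDir = 'C:\Program Files (x86)\AVEVA\Citect SCADA'
)

# Principals that should never hold write rights on a directory in the search path.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Any Allow ACE carrying WriteData (create files) or AppendData counts as writable;
# Modify and FullControl both include these bits.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'

function Test-LowPrivWritable {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Generic rights (e.g. GENERIC_WRITE) surface as negative ints and are not decoded here.
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

# Default search order with SafeDllSearchMode on: application directory, System32,
# Windows directory, then the current directory and each PATH entry. A PATH entry under
# a user profile is the usual way the user's home directory ends up on this list.
$SearchDirs = @($CitectInstallDir, "$env:SystemRoot\System32", $env:SystemRoot) +
              @($env:PATH -split ';' | Where-Object { $_ -and $_.Trim() })

$Findings = foreach ($dir in ($SearchDirs | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    try {
        if (Test-LowPrivWritable -Path $dir) {
            [pscustomobject]@{ Directory = $dir; LowPrivWritable = $true }
        }
    } catch { Write-Warning "Could not read ACL for ${dir}: $_" }
}

# SafeDllSearchMode = 0 moves the current directory ahead of the system directories.
$sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name SafeDllSearchMode -ErrorAction SilentlyContinue
if ($sm -and $sm.SafeDllSearchMode -eq 0) {
    Write-Warning 'SafeDllSearchMode is disabled; the current directory is searched before the system directories.'
}

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No directory on the DLL search path is writable by low-privileged principals.' }
```

Run it from an elevated PowerShell session as the ACL reads on system directories may otherwise be denied; any directory it reports is a candidate for an ACL fix or removal from PATH.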
- Affects SCADA systems used in critical infrastructure
- Local code execution on control system workstations
- No patch available from vendor
- Requires valid user credentials or physical workstation access
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (5), all pending a fix
Product            | Affected Versions | Fix Status
Citect SCADA 2015  | 2015              | No fix yet
Vijeo Citect 2015  | 2015              | No fix yet
Citect SCADA 2016  | 2016              | No fix yet
Citect SCADA v7.40 | 7.4               | No fix yet
Vijeo Citect v7.40 | 7.4               | No fix yet
Remediation & Mitigation
Do now
- HARDENING: Restrict physical and network access to Citect SCADA engineering workstations and HMI servers; limit access to authorized engineers and operators only
- HARDENING: Ensure all Citect controllers are kept in RUN mode during normal operations and never left in PROGRAM mode when not actively maintained
- WORKAROUND: Scan all external media (USB drives, CDs) with current antivirus before use on Citect workstations or connected nodes
Schedule (requires maintenance window)
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Download and deploy SESU (Schneider Electric Software Update) v2.2.0 or later to affected Citect SCADA and Vijeo Citect installations
Long-term hardening
- HARDENING: Store all Citect programming software and engineering workstations in locked cabinets or secure areas; disconnect them from general corporate networks
- HARDENING: Implement a media sanitization process for any laptop or device that has been connected to non-ICS networks before reconnecting to Citect systems
- HARDENING: Segment the Citect SCADA network from the corporate IT network using firewalls and air-gapping where possible
CVEs (1)