AVEVA Vijeo Citect and CitectSCADA
Monitor | 6.5 | ICS-CERT ICSA-19-150-01 | May 30, 2019
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in AVEVA Vijeo Citect 7.30 and 7.40, and CitectSCADA 7.30 and 7.40, allows a locally authenticated user to obtain Citect user credentials. The vulnerability stems from insecure credential storage, allowing an attacker with local system access to read and recover user passwords. This is not exploitable remotely and requires valid login credentials to the underlying operating system.
What this means
What could happen
A local user with valid credentials can extract stored Citect user credentials from the system, potentially allowing them to escalate privileges or move laterally to other systems or accounts.
Who's at risk
Energy utilities and critical infrastructure operators running AVEVA Citect or CitectSCADA for HMI and SCADA operations are affected. This is most relevant to engineering teams and system administrators who manage these platforms, as well as any operators with local access to the Citect servers or engineering workstations.
How it could be exploited
An attacker with local login access and low privileges can read credential storage locations on the affected system to recover plaintext or weakly protected Citect user passwords. This requires interactive access to the machine where Citect is installed.
Prerequisites
- Local login access to the Citect server or engineering workstation
- Valid non-administrative user credentials on the affected system
- Access to the filesystem where Citect stores user credentials
- No authentication required if attacker has local login
- Low complexity attack requiring only local filesystem access
- Affects credential management and control system access
- Vijeo Citect 7.30/7.40 have no patch available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
1 with fix, 1 EOL
Product                     | Affected Versions | Fix Status
Vijeo Citect: 7.30 and 7.40 | 7.30, 7.40        | No fix (EOL)
CitectSCADA: 7.30 and 7.40  | 7.30, 7.40        | 2018 or later
Remediation & Mitigation
Do now
- HARDENING: For Vijeo Citect 7.30 and 7.40 (which have no patch available), restrict local login access and enforce strong access controls to limit who can log into Citect servers
- WORKAROUND: Review and rotate all Citect user credentials after patch deployment or as a compensating control
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade CitectSCADA to version 2018 or later
- HARDENING: Implement least privilege: ensure only operators and engineers who need access to Citect have local login rights
CVEs (1)