AVEVA Vijeo Citect and Citect SCADA Floating License Manager

Plan PatchCVSS 9.8ICS-CERT ICSA-19-192-05Jul 11, 2019

Schneider ElectricAVEVAEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Vijeo Citect and Citect SCADA Floating License Manager versions 2.3.0.0 and earlier contain input validation flaws (CWE-20, CWE-119) that could allow an attacker with network access to deny the acquisition of valid licenses for legal use of the product. This affects users managing software licensing for Vijeo Citect or Citect SCADA version 7.30 and later. AVEVA has released Floating License Manager version 2.3.1.0 as a fix, available via SESU.

What this means

What could happen

An attacker could deny legitimate users from obtaining valid software licenses for Vijeo Citect or Citect SCADA, potentially preventing authorized access to the SCADA system and disrupting plant operations if license verification fails.

Who's at risk

Energy utilities and industrial facilities using Vijeo Citect or Citect SCADA Version 7.30 and later with Floating License Manager deployments should review this advisory. The license manager is critical infrastructure software that verifies legal use of the SCADA platform.

How it could be exploited

An attacker with network access to the Floating License Manager service could send malformed input or exploit input validation flaws to cause the license manager to reject or deny valid license requests, effectively blocking legal software licensing.

Prerequisites

Network access to the Floating License Manager service port
Floating License Manager version 2.3.0.0 or earlier deployed on the network

remotely exploitableno authentication requiredlow complexitycritical severityaffects license verification for SCADA systems

Exploitability

Some exploitation risk — EPSS score 4.4%

Affected products (1)

ProductAffected VersionsFix Status

Vijeo Citect and Citect SCADA Floating License Manager - Floating License Manager≤ 2.3.0.02.3.1.0

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGRestrict network access to the Floating License Manager to only authorized engineering workstations and control system devices that require license verification

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Floating License Manager to version 2.3.1.0 or later via SESU (Schneider Electric Software Update tool)

WORKAROUNDIf remote access to the Floating License Manager is required, deploy a VPN or other secure tunneling mechanism and keep it updated to the latest version

Long-term hardening

0/1

HARDENINGImplement network segmentation to isolate the Floating License Manager from the Internet and place it behind a firewall

CVEs (4)

CVE-2018-20031 CVE-2018-20032 CVE-2018-20033 CVE-2018-20034

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b051896b-68ef-49ed-aa20-8f9240abd7d6

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.