AVEVA Vijeo Citect and Citect SCADA (Update A)
Score: 7.5
Source: ICS-CERT ICSA-19-290-01
Date: Oct 17, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The IEC870IP driver in AVEVA Vijeo Citect, Citect SCADA, and Schneider Electric Power SCADA Operation versions 4.14.02 and prior contains a buffer overflow vulnerability (CWE-121) in the IEC 60870-5-104 protocol handler. A remote attacker can send a specially crafted packet to the driver's listening port to overflow a fixed-size buffer, causing the server process to crash and denying service to all remote devices (RTUs, substations) connected through that gateway. The vulnerability requires network access to the driver port but no authentication or user interaction.
What this means
What could happen
A buffer overflow in the IEC870IP driver could cause the SCADA server to crash, interrupting communications with remote devices and potentially stopping automated control of connected substations or generation assets.
Who's at risk
Electric utilities and power generation facilities using AVEVA Vijeo Citect, Citect SCADA, or Schneider Electric Power SCADA Operation to communicate with remote substations or generation equipment via the IEC 60870-5-104 protocol (IEC870IP driver). This affects any organization managing distributed energy assets that rely on this SCADA gateway.
How it could be exploited
An attacker with network access to the IEC870IP driver (typically listening on port 2404 for IEC 60870-5-104 protocol) sends a specially crafted packet to trigger the buffer overflow. The malformed message overflows a fixed-size buffer, causing the server process to crash and denying service to all connected clients.
Prerequisites
- Network-accessible IEC870IP driver port (default 2404)
- No authentication required—the vulnerability is triggered by the packet structure itself
Tags: remotely exploitable · no authentication required · low complexity · no patch available for older versions · affects SCADA communications infrastructure · default protocol port
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product: IEC870IP driver: v4.14.02 and prior
Affected Versions: ≤ 4.14.02
Fix Status: 4.15.00
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the IEC870IP driver port (default 2404) using firewall rules; allow only known RTU/substation IPs
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade IEC870IP driver to version 4.15.00 or later
Long-term hardening
HARDENING: Isolate SCADA server network from business network and Internet-facing systems using air gaps or demilitarized zones
HARDENING: Implement intrusion detection signatures for malformed IEC 60870-5-104 packets to the IEC870IP driver
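As an added example (not code from the advisory, AVEVA or Schneider Electric), the kind of framing check the IDS hardening item above calls for: it applies the public IEC 60870-5-104 APCI rules (start byte 0x68, a length field of at most 253 covering four control bytes plus the ASDU, and the I/S/U format bits) to traffic bound for the IEC870IP driver on TCP/2404 and reports structurally invalid frames. The advisory does not say which malformation the driver mishandles, so this is a generic sanity filter rather than a signature for the specific defect; the sample frames are constructed.

```python
# Added example (not from the advisory or the vendor): a minimal IEC 60870-5-104
# framing check of the kind an IDS signature for "malformed IEC 104 packets"
# could apply to traffic for the IEC870IP driver on TCP/2404. It uses only the
# standard's public APCI rules and flags structurally invalid frames in general.
from typing import List

START_BYTE = 0x68
MAX_APDU_LEN = 253   # IEC 60870-5-104 limit for the length field
MIN_APDU_LEN = 4     # control fields only (valid for S- and U-format)
ASDU_HEADER_LEN = 6  # type ID, VSQ, 2-byte COT, 2-byte common address

def check_apdu(frame: bytes) -> List[str]:
    """Check one APDU; returns findings, empty when the frame is well-formed."""
    if len(frame) < 2 or frame[0] != START_BYTE:
        return ["missing 0x68 start byte"]
    apdu_len, actual = frame[1], len(frame) - 2
    findings = []
    if apdu_len > MAX_APDU_LEN:
        findings.append(f"length field {apdu_len} exceeds maximum {MAX_APDU_LEN}")
    if apdu_len < MIN_APDU_LEN:
        findings.append(f"length field {apdu_len} below minimum {MIN_APDU_LEN}")
    if apdu_len != actual:
        findings.append(f"length field {apdu_len} does not match {actual} bytes on the wire")
    if findings:
        return findings  # framing already broken; format checks would be meaningless
    cf1 = frame[2]  # bit 0 clear: I-format; bits 1-0 == 01: S-format; == 11: U-format
    fmt = "I" if cf1 & 0x01 == 0 else ("S" if cf1 & 0x03 == 0x01 else "U")
    if fmt == "I" and apdu_len < MIN_APDU_LEN + ASDU_HEADER_LEN:
        findings.append("I-format frame with ASDU shorter than 6-byte header")
    elif fmt != "I" and apdu_len != MIN_APDU_LEN:
        findings.append(f"{fmt}-format frame must be exactly {MIN_APDU_LEN} bytes")
    return findings

def scan_stream(payload: bytes) -> List[List[str]]:
    """Split a TCP payload into APDUs by length field and check each one."""
    results, pos = [], 0
    while pos < len(payload):
        if pos + 1 >= len(payload) or payload[pos] != START_BYTE:
            results.append(["missing 0x68 start byte"])
            break
        end = pos + 2 + payload[pos + 1]  # a length that overruns the payload shows as a mismatch
        results.append(check_apdu(payload[pos:end]))
        pos = end
    return results

# Constructed samples: STARTDT act (U-format), general interrogation (I-format,
# C_IC_NA_1), and a frame claiming 255 bytes while carrying only 4 control bytes.
STARTDT_ACT = bytes.fromhex("68 04 07 00 00 00")
INTERROGATION = bytes.fromhex("68 0e 00 00 00 00 64 01 06 00 01 00 00 00 00 14")
OVERSIZED = bytes.fromhex("68 ff 00 00 00 00")
```

`scan_stream(STARTDT_ACT + INTERROGATION + OVERSIZED)` returns no findings for the first two frames and two findings (length above 253, length mismatch) for the third.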
CVEs (1)