OTPulse

AVEVA System Platform (Update A)

Plan Patch | CVSS 8.8 | ICS-CERT ICSA-21-180-05 | Jun 29, 2021
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

AVEVA System Platform versions 2017 through 2020 R2 P01 contain multiple chained vulnerabilities (CWE-306 missing authentication, CWE-248 uncaught exception, CWE-22 directory traversal, CWE-346/347 authentication weaknesses) in the AutoBuild service and authentication mechanisms. Successful exploitation requires valid credentials and allows an attacker to achieve arbitrary code execution with system privileges or denial-of-service. The AutoBuild service, used during configuration of the GR Node, should only run on the GR Node; if enabled on Runtime nodes, it creates an exploitable attack surface.

What this means
What could happen
An attacker with valid credentials could exploit multiple weaknesses in AVEVA System Platform to run arbitrary code with system privileges, potentially altering process configurations, stopping operations, or causing a denial-of-service condition on the automation server.
Who's at risk
Organizations running AVEVA System Platform versions 2017 through 2020 R2 P01 for manufacturing, water treatment, electric utility SCADA/HMI, or any process automation should assess their exposure. This affects the central automation server and configuration database that controls plant operations. If AutoBuild is enabled on Runtime nodes, the risk is immediate.
How it could be exploited
An attacker with valid user credentials to the System Platform (engineer or operator account) could chain together multiple vulnerabilities in the AutoBuild service or authentication handling to gain code execution with system-level privileges. The vulnerabilities stem from insufficient input validation, missing authentication checks, and directory traversal issues that allow execution of arbitrary commands on the affected node.
Prerequisites
  • Valid user credentials (engineer or operator account) for System Platform
  • Network access to the System Platform server or GR Node
  • AutoBuild service enabled on a Runtime node or GR Node
  • Ability to reach the vulnerable service component on port(s) used by System Platform
  • Requires valid credentials but uses weak authentication checks
  • Multiple chained vulnerabilities increase exploit complexity but potential impact is critical
  • Low exploit probability (0.2% EPSS) but high severity (CVSS 8.8)
  • No patch available for versions 2017 through 2020 R2 P01; only workarounds and driver pack updates
  • Affects central automation server (potential for widespread operational disruption)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product: AVEVA System Platform (AVEVA reports the vulnerability affects this product)
Affected Versions: ≥ 2017, ≤ 2020 R2 P01
Fix Status: No fix yet
Remediation & Mitigation
Do now
  • WORKAROUND: Disable AutoBuild service on all Runtime nodes immediately. AutoBuild should only run on the GR Node during configuration.
  • WORKAROUND: Disable AutoBuild service on the GR Node if AutoBuild functionality is not actively used in your configuration.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: For System Platform 2020 R2 P01, 2020 R2, or 2020: upgrade to AVEVA Communication Drivers Pack 2020 R2.1
  • HOTFIX: For System Platform 2017 U3 SP1 P01: first apply AVEVA Communication Drivers Pack 2020 R2, then apply AVEVA Communication Drivers Pack 2020 R2.1 (requires Activated Licensing)
Long-term hardening
  • HARDENING: Implement network segmentation to isolate System Platform servers from untrusted networks and the Internet.
  • HARDENING: Restrict network access to System Platform administrative interfaces using firewall rules; only allow connections from trusted engineering workstations.