OTPulse

ICSA-21-231-01: AVEVA SuiteLink Server

Plan Patch | CVSS 8.1 | ICS-CERT ICSA-21-231-01 | Aug 19, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Multiple memory corruption vulnerabilities (CWE-122, CWE-476, CWE-755) in AVEVA SuiteLink Server affect MES, Batch Management, InTouch, Communication Drivers Pack, System Platform, Data Acquisition Servers, Historian, and Operations Integration Core. These vulnerabilities allow remote code execution without authentication or user interaction.

What this means
What could happen
An attacker could remotely execute arbitrary code on AVEVA servers, potentially taking control of manufacturing execution, data collection, or historian systems that directly manage production scheduling, batch tracking, and operational data. This could disrupt production, corrupt batch records, or alter historical process data.
Who's at risk
Manufacturing and utilities operations that rely on AVEVA Manufacturing Execution Systems (MES), batch management, InTouch HMI, System Platform, Historian, or Data Acquisition Servers for production scheduling, process supervision, and historical logging. This includes pharmaceutical, chemical, food & beverage, and discrete manufacturing plants, as well as water and electric utilities using these platforms for operational data collection and reporting.
How it could be exploited
An attacker with network access to a vulnerable AVEVA SuiteLink Server can send a specially crafted network request to trigger a memory corruption flaw (buffer overflow or null pointer dereference). This bypasses authentication and causes the server process to execute attacker-supplied code with the privileges of the service account, typically system or administrator level on the OT network.
Prerequisites
  • Network reachability to the vulnerable AVEVA server port (typically 502, 20000, or 20001 depending on the component)
  • AVEVA SuiteLink Server running an affected version
  • No valid credentials or authentication bypass required
Tags: remotely exploitable, no authentication required, memory corruption vulnerability, no patch available (advisory states), affects production critical systems, high CVSS score (8.1)
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (8), 8 EOL
Product | Affected Versions | Fix Status
AVEVA MES: 2014 R2 and all prior versions | < 2014 R2 | No fix (EOL)
AVEVA Batch Management: 2020 and all prior versions | < 2014 R2 | No fix (EOL)
AVEVA InTouch: 2020 R2 P01 and all prior versions | ≤ 2020 | No fix (EOL)
AVEVA Communication Drivers Pack: 2020 R2 and all prior versions | ≤ 2020 R2 | No fix (EOL)
AVEVA System Platform: 2020 R2 P01 and all prior versions | ≤ 2020 R2 P01 | No fix (EOL)
AVEVA Data Acquisition Servers: all versions | All versions | No fix (EOL)
AVEVA Historian: 2020 R2 P01 and all prior versions | ≤ 2020 R2 P01 | No fix (EOL)
AVEVA Operations Integration Core: 3.0 and all prior versions | 3.0 and < | No fix (EOL)
Remediation & Mitigation
Do now
  • [HARDENING] Network segmentation: Ensure AVEVA servers are not directly reachable from the internet or untrusted networks. Place them behind a firewall with explicit allow rules for only authorized engineering workstations and historian clients.
  • [HARDENING] If remote access is required, deploy a VPN with strong authentication (multi-factor if possible) and keep VPN software current with security patches.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • [HARDENING] Monitor network traffic to and from AVEVA servers for anomalous patterns or connections from unexpected sources.
  • [HOTFIX] Contact AVEVA for clarification on patch availability; advisory states no fix is available, but recommends applying security updates per AVEVA-2021-003 bulletin. Verify with vendor whether updates exist or if product end-of-life status applies.
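
One way to check flow logs for the "connections from unexpected sources" item above, as an added example that is not part of the advisory or any AVEVA tooling. The server addresses, allow-list, site range and log format are constructed assumptions; the port set is the one this page lists as typical.

```python
import ipaddress

# Assumed for this example (constructed, not from the advisory):
AVEVA_SERVERS = {ipaddress.ip_address("10.20.0.10"), ipaddress.ip_address("10.20.0.11")}
AUTHORIZED_SOURCES = [
    ipaddress.ip_network("10.20.1.0/28"),  # engineering workstations
    ipaddress.ip_network("10.20.2.5/32"),  # historian client
]
SITE_NETWORK = ipaddress.ip_network("10.0.0.0/8")  # everything else counts as off-site
# Ports this page lists as typical for the affected components.
PAGE_PORTS = {502, 20000, 20001}

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2021-08-19T10:00:01Z 10.20.1.4 10.20.0.10 20000
2021-08-19T10:00:07Z 10.20.2.5 10.20.0.11 502
2021-08-19T10:01:12Z 10.30.7.99 10.20.0.10 20001
2021-08-19T10:02:30Z 203.0.113.50 10.20.0.11 502
2021-08-19T10:02:31Z 10.20.1.4 10.20.9.9 443
malformed line
2021-08-19T10:03:00Z 10.20.1.20 10.20.0.10 3389
"""

def is_authorized(src):
    """True if the source address falls inside any allow-listed network."""
    return any(src in net for net in AUTHORIZED_SOURCES)

def find_unexpected(flow_text):
    """Return (findings, skipped): flows to AVEVA servers from sources
    outside the allow-list, plus the count of unparseable lines."""
    findings, skipped = [], 0
    for line in flow_text.splitlines():
        try:
            ts, src, dst, port = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:  # wrong field count, bad address or bad port
            skipped += 1
            continue
        if dst not in AVEVA_SERVERS or is_authorized(src):
            continue
        findings.append({
            "time": ts, "src": str(src), "dst": str(dst), "port": port,
            "listed_port": port in PAGE_PORTS,      # port named on this page
            "off_site": src not in SITE_NETWORK,    # reached from outside the site range
        })
    return findings, skipped

if __name__ == "__main__":
    for f in find_unexpected(SAMPLE_FLOWS)[0]:
        print(f)
```

Unparseable lines are counted rather than silently dropped, so a gap in log coverage shows up alongside the findings.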