OTPulse

AVEVA PCS Portal

Monitor · CVSS 7.3 · ICS-CERT ICSA-21-252-01 · Sep 9, 2021
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

DLL hijacking vulnerability in AVEVA Platform Common Services (PCS) Portal affecting versions 4.5.2, 4.5.1, 4.5.0, and 4.4.6. An attacker with local access can place a malicious DLL in the application's search path to achieve code execution with the privileges of the PCS Portal user. The vulnerability is not remotely exploitable. Fixes are available: PCS 4.5.3 for newer product versions and PCS 4.4.7 for 2020 product releases.

What this means
What could happen
A user could be tricked into running malicious code through DLL hijacking, giving an attacker the ability to execute arbitrary commands with the privileges of the PCS Portal application, potentially compromising data integrity and availability of AVEVA systems.
Who's at risk
AVEVA PCS Portal operators and administrators at organizations running AVEVA enterprise systems (System Platform, Mobile Operator, Enterprise Data Management, Manufacturing Execution System, Batch Management, and Work Tasks). This affects anyone with direct local access to systems running these affected AVEVA products.
How it could be exploited
An attacker must first gain local access to a system running PCS Portal and place a malicious DLL in a location that the application searches for libraries (such as the application directory or a user-writable folder). When a user with PCS Portal permissions runs the application or opens a file that triggers DLL loading, the malicious DLL is loaded instead of the legitimate one, allowing code execution in the context of that user.
Prerequisites
  • Local access to the affected system
  • User must run PCS Portal or trigger a file operation that loads DLLs
  • Ability to write files to a directory in the DLL search path (e.g., application directory, current working directory, or temp folder)
  • Valid user account to run the PCS Portal application
Local access required · Low complexity attack · User interaction required · No public exploits available · No authentication bypass
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product   Affected Versions              Fix Status
PCS       4.5.2, 4.5.1, 4.5.0, 4.4.6     No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Hard-code DLL search paths to known-safe system directories instead of allowing dynamic paths
WORKAROUND: Restrict environment variables and search paths to prevent loading DLLs from user-writable locations like the current working directory or temp folders
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade PCS to version 4.5.3 for AVEVA Mobile Operator 2020, AVEVA Enterprise Data Management 2021, AVEVA System Platform 2020 R2 P01, AVEVA System Platform 2020 R2, and AVEVA Work Tasks 2020 Update 1
HOTFIX: Upgrade PCS to version 4.4.7 for AVEVA System Platform 2020, AVEVA Work Tasks 2020, AVEVA Manufacturing Execution System 2020, and AVEVA Batch Management 2020
Long-term hardening
HARDENING: Use fully qualified pathnames when invoking external programs to prevent DLL search path confusion
HARDENING: Implement file integrity monitoring or restrict write permissions on directories where PCS Portal loads libraries
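The two workarounds and the second hardening item above come down to one check a defender can run on each PCS Portal host: is any directory the loader would search (the application folder, the current working directory, the temp folder, the PATH entries) writable by a low-privilege account? The following PowerShell audit is an added example written for this advisory, not OTPulse's or AVEVA's code. The default value of $AppDir is an assumed install path and must be replaced with the real PCS Portal folder; the list of "low-privilege" SIDs and the write-rights mask are the script's own choices.

```powershell
# Added example (not OTPulse's or AVEVA's code): audit the DLL search locations
# named in this advisory (application directory, current working directory, temp
# folder, and PATH entries) for write access by low-privilege principals.
# $AppDir is an assumed install path; set it to the real PCS Portal folder.
param(
    [string]$AppDir = 'C:\Program Files\AVEVA\Platform Common Services',   # assumption
    [string[]]$ExtraDirs = @()
)

# Well-known SIDs that must never hold write rights on a DLL search directory.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-7'      = 'Anonymous'
}

# Any of these rights lets a principal drop or replace a file in the folder.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership, Modify, FullControl'

function Test-LowPrivWritable {
    # Returns the friendly names of low-privilege principals that have an Allow
    # ACE granting write-class rights on $Path. Deny ACEs are not evaluated, so
    # the audit is conservative: a hit means "look at this folder", not proof.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $writers = @()
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $sid = $null
        try {
            $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # unresolvable account (e.g. orphaned SID): skip it
        }
        if ($LowPrivSids.ContainsKey($sid) -and (($rule.FileSystemRights -band $WriteMask) -ne 0)) {
            $writers += $LowPrivSids[$sid]
        }
    }
    return ,$writers
}

# Build the candidate list: app folder, CWD, temp folders, extra dirs, and PATH.
$candidates = @($AppDir, (Get-Location).ProviderPath, $env:TEMP, $env:TMP) + $ExtraDirs + ($env:PATH -split ';')
$dirs = $candidates |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    ForEach-Object { (Resolve-Path -LiteralPath $_).ProviderPath.TrimEnd('\') } |
    Sort-Object -Unique

$findings = foreach ($d in $dirs) {
    $writers = @(Test-LowPrivWritable -Path $d)
    if ($writers.Count -gt 0) {
        [pscustomobject]@{ Directory = $d; WritableBy = ($writers -join ', ') }
    }
}

if ($findings) {
    Write-Warning 'DLL search directories writable by low-privilege accounts (DLL planting risk):'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No DLL search directory is writable by Everyone, Users, Authenticated Users or Anonymous.'
}
```

Run it in an elevated PowerShell session on the host, as the account that normally launches PCS Portal, so that the current working directory, temp folder and PATH match what the application actually sees. Every directory it reports is a place where the scenario in "How it could be exploited" becomes possible and is therefore where the HARDENING advice applies: remove write rights for the flagged principals (or move the directory out of the search path) and put the folder under file integrity monitoring so that an unexpected DLL appearing there is detected rather than silently loaded.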