AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere
7.4 | ICS-CERT ICSA-22-130-05 | May 10, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
AVEVA InTouch Access Anywhere and AVEVA Plant SCADA Access Anywhere contain an improper restriction vulnerability (CWE-668) that allows authenticated users to escape the application sandbox context and execute arbitrary operating system commands on the server. The vulnerability exists in all versions of both products and can be exploited by an authenticated user with network access to the remote access application. No patch is available from the vendor.
What this means
What could happen
An authenticated user with access to InTouch Access Anywhere or Plant SCADA Access Anywhere can escape the application sandbox and execute arbitrary commands on the server operating system, potentially gaining control over plant operations and data.
Who's at risk
This vulnerability affects water utilities and electric utilities running AVEVA InTouch Access Anywhere or AVEVA Plant SCADA Access Anywhere for remote operator access to HMI (human machine interface) systems. Remote access gateways and application servers are the primary targets.
How it could be exploited
An attacker with valid credentials to the remote access application (InTouch Access Anywhere or Plant SCADA Access Anywhere) could bypass application restrictions through the Windows language bar to access the underlying operating system and execute arbitrary OS commands with the privileges of the application server process.
Prerequisites
- Valid authenticated credentials for InTouch Access Anywhere or Plant SCADA Access Anywhere
- Network access to the remote access application over the Internet or corporate network
- Windows language bar enabled on the server hosting the application
- The compromised user account must have OS-level privileges that allow command execution
- Authenticated access required
- Network accessible from remote locations
- No patch available (end-of-life products)
- Affects remote operator access to critical control systems
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (2)
Both products are end of life (EOL).
Product | Affected Versions | Fix Status
AVEVA InTouch Access Anywhere | All versions | No fix (EOL)
AVEVA Plant SCADA Access Anywhere (formerly AVEVA Citect Anywhere and Schneider Electric Citect Anywhere) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Disable the Windows language bar on servers hosting InTouch Access Anywhere and Plant SCADA Access Anywhere unless operationally required
- HARDENING: Create dedicated user accounts with minimal operating system privileges solely for remote access to InTouch Access Anywhere and Plant SCADA Access Anywhere
- HARDENING: Configure Windows group policy objects (GPOs) to restrict actions permitted by remote access user accounts
- HARDENING: Restrict network access to remote access servers using Microsoft's recommended block list
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Implement network segmentation to isolate SCADA and control system networks from the business network and Internet
- HARDENING: Require VPN with multi-factor authentication for any remote access to InTouch Access Anywhere and Plant SCADA Access Anywhere
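The first two "Do now" items (hide the language bar, run remote access under least-privilege accounts) can be checked and enforced on the hosting Windows server with a script such as the following. This is an added example, not vendor or advisory code; it assumes the language bar is controlled per user by the ShowStatus value under HKCU\Software\Microsoft\CTF\LangBar (3 = hidden), that the dedicated remote-access accounts are local accounts, and the account names shown are placeholders.

```powershell
# Added hardening check for a server hosting InTouch Access Anywhere or
# Plant SCADA Access Anywhere. Not vendor code. Assumptions: the language bar
# is controlled per user by HKCU\Software\Microsoft\CTF\LangBar\ShowStatus
# (3 = hidden); the dedicated remote-access accounts are local accounts and
# the names below are placeholders to replace with the site's own.

$RemoteAccessAccounts = @('aa-operator1', 'aa-operator2')   # placeholders
$LangBarKey = 'HKCU:\Software\Microsoft\CTF\LangBar'

function Get-LangBarStatus {
    # Returns ShowStatus for the current user, or $null if it was never set
    $props = Get-ItemProperty -Path $LangBarKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.ShowStatus
}

function Set-LangBarHidden {
    # 3 corresponds to "Hidden" in the Text Services and Input Languages dialog
    if (-not (Test-Path $LangBarKey)) { New-Item -Path $LangBarKey -Force | Out-Null }
    Set-ItemProperty -Path $LangBarKey -Name ShowStatus -Value 3 -Type DWord
}

function Test-AccountLeastPrivilege {
    param([string]$Account)
    # A dedicated remote-access account must exist and must not be a local admin
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
              ForEach-Object { ($_.Name -split '\\')[-1] }
    $exists = $null -ne (Get-LocalUser -Name $Account -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Account    = $Account
        Exists     = $exists
        LocalAdmin = ($admins -contains $Account)
    }
}

# Report and enforce for the user context the script runs in
$status = Get-LangBarStatus
if ($status -ne 3) {
    Write-Warning "Language bar not hidden (ShowStatus=$status); hiding it"
    Set-LangBarHidden
}
foreach ($acct in $RemoteAccessAccounts) {
    $r = Test-AccountLeastPrivilege -Account $acct
    if (-not $r.Exists)    { Write-Warning "$acct does not exist on this host" }
    elseif ($r.LocalAdmin) { Write-Warning "$acct is a local administrator; remove it" }
    else                   { Write-Output  "$acct OK: exists, not a local administrator" }
}
```

The HKCU setting only affects the account the script runs as, so to cover every dedicated remote-access account run it in each account's context or push the same registry value through a GPO preference, consistent with the GPO item above.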
CVEs (1)