ARC Informatique PcVue (Update A)
Monitor · 5.5 · ICS-CERT ICSA-22-235-01 · Aug 23, 2022
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
PcVue 12 and PcVue 15 OAuth web service configurations fail to properly protect the database, allowing a local user to read sensitive authentication and configuration data without elevated privileges. All versions of PcVue 12 and 15 are affected. The vulnerability impacts the security of operator credentials and system integration settings stored in the OAuth web service.
What this means
What could happen
An attacker with local access to the PcVue system could read sensitive data from the OAuth web service database, potentially including authentication credentials or user information used to control the SCADA system.
Who's at risk
Water treatment and municipal electric utilities running ARC Informatique PcVue 12 or PcVue 15 for SCADA systems and historian functions. The vulnerability affects the OAuth web service configuration on these platforms, which may be used for operator authentication and system integration.
How it could be exploited
An attacker with a local user account on the PcVue server could directly access the OAuth web service database files to extract stored credentials or configuration data. This requires local system access but no elevated privileges.
Prerequisites
- Local user account on the PcVue server
- Access to the file system where the OAuth database is stored
- PcVue 12 (all versions up to at least 12.0.27) or PcVue 15 (all versions up to at least 15.2.3)
- No patch available
- Affects SCADA authentication system
- Requires local access but no elevated privileges
- Data exposure (credentials, configuration)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| PcVue 12 OAuth web service configuration | < 12.0.27 | No fix (EOL) |
| PcVue 15 OAuth web service configuration | All versions | No fix (EOL) |
| PcVue 15 OAuth web service configuration | < 15.2.3 | No fix (EOL) |
| PcVue 12 OAuth web service configuration | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Restrict local access to PcVue servers to authorized engineering and operations staff only
- WORKAROUND: Disable or isolate the OAuth web service if it is not actively used for operations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor access logs to the PcVue file system for unauthorized data access attempts
Mitigations - no patch available
The following products have reached End of Life with no planned fix: PcVue 12 OAuth web service configuration, PcVue 15 OAuth web service configuration (all versions), PcVue 15 OAuth web service configuration, PcVue 12 OAuth web service configuration (all versions). Apply the following compensating controls:
- HARDENING: Place PcVue systems behind a firewall and segment them from the business network
CVEs (1)