AVEVA Operations Control Logger

MonitorCVSS 7.8ICS-CERT ICSA-23-318-01Nov 14, 2023

AVEVAEnergyManufacturing

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

AVEVA Operations Control Logger in multiple product suites contains privilege escalation and denial of service vulnerabilities. The affected products include SystemPlatform, Historian, Application Server, InTouch, Enterprise Licensing, Manufacturing Execution System, Recipe Management, Batch Management, Edge, Worktasks, Plant SCADA, Mobile Operator, Communication Drivers Pack, and Telemetry Server. All affected versions are 2020 R2 SP1 P01 or earlier (with version-specific cutoffs for each product). Successful exploitation could allow privilege escalation or denial of service.

What this means

What could happen

An attacker with local access to a node running the Operations Control Logger could escalate their privileges to run commands with higher permissions, potentially disrupting operations or modifying plant configurations. Alternatively, the attacker could cause a denial of service that stops logging and monitoring functions critical to plant visibility.

Who's at risk

Energy and manufacturing organizations running AVEVA Operations Control Logger in any of their product suites (SystemPlatform, Historian, Application Server, InTouch, Enterprise Licensing, Manufacturing Execution System, Recipe Management, Batch Management, Edge, Worktasks, Plant SCADA, Mobile Operator, Communication Drivers Pack, or Telemetry Server) are affected. This includes utilities using AVEVA for SCADA, historical data logging, batch and recipe management, and production scheduling.

How it could be exploited

An attacker with a local account on the server running the Operations Control Logger could exploit this vulnerability to escalate privileges. The attack requires local system access; it is not remotely exploitable. Once privileges are escalated, the attacker could modify process parameters, stop operations, or disable safety logging.

Prerequisites

Local user account on the system running the Operations Control Logger
Physical or remote desktop access to the affected AVEVA system
The affected AVEVA product (SystemPlatform, Historian, InTouch, etc.) must be installed and running

No patch available for any affected productRequires local user account but privilege escalation possibleAffects critical visibility and logging systems in plantsLow complexity attack once local access is obtained

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (14)

14 EOL

ProductAffected VersionsFix Status

SystemPlatform: <=2020_R2_SP1_P01≤ 2020 R2 SP1 P01No fix (EOL)

Historian: <=2020_R2_SP1_P01≤ 2020 R2 SP1 P01No fix (EOL)

Application Server: <=2020_R2_SP1_P01≤ 2020 R2 SP1 P01No fix (EOL)

InTouch: <=2020_R2_SP1_P01≤ 2020 R2 SP1 P01No fix (EOL)

Enterprise Licensing (formerly known as License Manager): <=3.7.002≤ 3.7.002No fix (EOL)

Manufacturing Execution System (formerly known as Wonderware MES): <=2020_P01≤ 2020 P01No fix (EOL)

Recipe Management: <=2020_R2_Update_1_Patch_2≤ 2020 R2 Update 1 Patch 2No fix (EOL)

Batch Management: <=2020_SP1≤ 2020 SP1No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGDisable or delete any Guest or Anonymous local OS accounts on systems running the Operations Control Logger

HARDENINGRestrict login access on nodes running the Operations Control Logger to trusted users only; audit and remove unnecessary local accounts

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXReview AVEVA Security Bulletin AVEVA-2023-003 for product-specific security updates and apply them in a scheduled maintenance window when available

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: SystemPlatform: <=2020_R2_SP1_P01, Historian: <=2020_R2_SP1_P01, Application Server: <=2020_R2_SP1_P01, InTouch: <=2020_R2_SP1_P01, Enterprise Licensing (formerly known as License Manager): <=3.7.002, Manufacturing Execution System (formerly known as Wonderware MES): <=2020_P01, Recipe Management: <=2020_R2_Update_1_Patch_2, Batch Management: <=2020_SP1, Edge (formerly known as Indusoft Web Studio): <=2020_R2_SP1_P01, Worktasks (formerly known as Workflow Management): <=2020_U2, Mobile Operator (formerly known as IntelaTrac Mobile Operator Rounds): <=2020_R1, Communication Drivers Pack: <=2020_R2_SP1, Telemetry Server: <=2020_R2_SP1, Plant SCADA (formerly known as Citect): <=2020_R2_Update_15. Apply the following compensating controls:

HARDENINGIsolate AVEVA systems from the business network using firewalls and network segmentation to limit local access to trusted engineering workstations only

HARDENINGImplement the principle of least privilege for all user accounts on AVEVA systems; regularly audit and remove unnecessary accounts or permissions

CVEs (2)

CVE-2023-33873 CVE-2023-34982

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/90441c3e-6a80-4abc-a754-f1c69772dc33

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.