OTPulse

Ocean Data Systems Dream Report

Plan Patch
CVSS: 7.8
Source: ICS-CERT ICSA-24-226-08
Published: Aug 13, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Dream Report 2023 (versions ≤23.0.17795.1010) and AVEVA Reports for Operations 2023 (version 23.0.17795.1010) contain path traversal (CWE-22) and improper file permission (CWE-732) vulnerabilities. Successful exploitation allows an attacker with local access to escalate privileges, read or write sensitive files outside the intended directories, execute arbitrary code, and cause a denial of service. The vulnerabilities affect report generation and operational monitoring capabilities.

What this means
What could happen
An attacker with local access could run arbitrary commands on the Dream Report or AVEVA Reports system with elevated privileges, potentially disrupting report generation, data visualization, or control system monitoring capabilities.
Who's at risk
This affects utilities and industrial facilities using Dream Report 2023 or AVEVA Reports for Operations 2023 for process monitoring, data visualization, and operational reporting. Water authorities, power generation facilities, and any operation relying on these systems for supervisory control or operational decision-making should prioritize remediation.
How it could be exploited
An attacker with local or low-privilege access to a Dream Report or AVEVA Reports workstation exploits a path traversal or permission flaw to read/write files outside intended directories, then uses those permissions to escalate privileges and execute arbitrary commands on the system.
Prerequisites
  • Local or low-privilege account access to the affected workstation
  • Dream Report 2023 version 23.0.17795.1010 or earlier, or AVEVA Reports for Operations 2023 version 23.0.17795.1010
  • No valid credentials required if the attacker already runs as the local service account
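The two weakness classes named above (CWE-22 path traversal and CWE-732 loose file permissions) are what a defender can actually test for on a reporting host. The following is an added illustration, not code from Ocean Data Systems, AVEVA or this advisory: it shows the canonicalise-then-contain check that blocks traversal and symlink escapes from a report root, and a walk that flags group- or world-writable files under that root. The report root, file names and contents are constructed for the example; they are not the products' real layout.

```python
import os
import stat
import tempfile
from pathlib import Path


def resolve_report_path(base_dir, requested):
    """Canonicalise base_dir/requested and return it only if it stays under base_dir.

    This is the CWE-22 check: '..' segments and symlinks are resolved first, so
    a request such as '../secret.cfg', or a link inside the root that points
    outside it, is rejected instead of followed.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def find_loose_permissions(base_dir):
    """List entries under base_dir that are group- or world-writable (CWE-732).

    A report root that any local user can write to lets a low-privileged
    account plant or replace files that a higher-privileged service later
    reads or executes, which is the escalation path the advisory describes.
    Symlinks are skipped because their own mode bits are not meaningful.
    """
    findings = []
    for root, dirs, files in os.walk(base_dir):
        for name in dirs + files:
            full = os.path.join(root, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(os.path.relpath(full, base_dir))
    return sorted(findings)


def demo():
    """Build a constructed report tree in a temp dir and exercise both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        reports = Path(tmp) / "reports"          # hypothetical report root
        (reports / "daily").mkdir(parents=True)
        (reports / "daily" / "plant.rpt").write_text("constructed report")
        secret = Path(tmp) / "secret.cfg"        # sensitive file outside the root
        secret.write_text("constructed secret")
        # A link inside the root that points outside it.
        (reports / "link.cfg").symlink_to(secret)
        # Make modes explicit so the result does not depend on the umask;
        # one file is deliberately left world-writable to trigger a finding.
        os.chmod(reports, 0o755)
        os.chmod(reports / "daily", 0o755)
        os.chmod(reports / "daily" / "plant.rpt", 0o666)

        normal = resolve_report_path(reports, "daily/plant.rpt")
        traversal = resolve_report_path(reports, "../secret.cfg")
        via_link = resolve_report_path(reports, "link.cfg")
        return {
            "normal_allowed": normal is not None and normal.name == "plant.rpt",
            "traversal_blocked": traversal is None,
            "symlink_blocked": via_link is None,
            "loose": find_loose_permissions(reports),
        }


if __name__ == "__main__":
    print(demo())
```

On a real host the same walk, pointed at the installed report and configuration directories, gives a quick inventory of which files a low-privileged local account could alter before the vendor fix is applied; the containment check is the pattern any file-serving component should apply before opening a user-supplied path.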
  • Low local/network complexity exploitation
  • High impact: privilege escalation and code execution possible
  • File traversal and permission flaws allow unauthorized access
  • No patch available yet for version 23.0.17795.1010 (patch delayed pending upgrade path)
  • Affects operational visibility and reporting systems
Exploitability
Moderate exploit probability (EPSS 1.6%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
AVEVA Reports for Operations 2023 | 23.0.17795.1010 | 2023 R2 or later
Dream Report 2023 | ≤ 23.0.17795.1010 | 23.3.18952.0523
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Dream Report and AVEVA Reports systems from business networks using firewall rules; require VPN for remote access if available
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Dream Report 2023 to version 23.3.18952.0523 or later
HOTFIX: Upgrade AVEVA Reports for Operations 2023 to version 2023 R2 or later and apply the AVEVA-2024-006 security update
Long-term hardening
HARDENING: Isolate Dream Report and AVEVA Reports workstations to dedicated OT networks or air-gapped segments where feasible
HARDENING: Implement local access controls and monitor for unauthorized local account creation or privilege escalation attempts on affected systems