Cyber Security Updates
Get the latest updates and alerts on Cyber Security and Compliance from AVEVA Software.
Date: September 9, 2020
Notice Identification Number: AVEVA-2020-001
SQL Injection in AVEVA™ Enterprise Data Management Web (formerly eDNA Web)
Security Vulnerability Description: AVEVA Software, LLC. (“AVEVA”) has created a security update to address SQL Injection vulnerabilities in AVEVA™ Enterprise Data Management Web v2019 and all prior versions, formerly known as eDNA Web.

Date: October 15, 2019
Notice Identification Number: LFSEC00000139
IEC870IP Driver for Vijeo Citect and Citect SCADA Vulnerability: Stack-based Buffer Overflow
Security Vulnerability Description: AVEVA Software, LLC. (“AVEVA”) is publishing this bulletin to inform customers of a security vulnerability in the IEC870IP driver v4.14.02 and earlier for Vijeo Citect and Citect SCADA. The vulnerability, if exploited, could allow a buffer overflow to occur.
AVEVA recommends that organizations evaluate the impact of the vulnerability based on their operational environment, architecture, and product implementation.

Date: May 28, 2019
Notice Identification Number: LFSEC00000136
Vijeo Citect and CitectSCADA Vulnerability - Insecure Credentials Storage
Security Vulnerability Description: AVEVA Software, LLC. (“AVEVA”) is publishing this advisory to inform customers of a security vulnerability in Vijeo Citect 7.30 and 7.40 and CitectSCADA 7.30 and 7.40. The vulnerability, if exploited, could allow a malicious entity to obtain the Citect User Credentials.

Date: March 18, 2019
Notice Identification Number: LFSEC00000131
InduSoft Web Studio and InTouch Edge HMI - Insecure 3rd Party Component
Security Vulnerability Description: AVEVA Software, LLC ("AVEVA") has created a security update to address an outdated and insecure 3rd party component used in:
- InduSoft Web Studio versions prior to 8.1 SP3
- InTouch Edge HMI (formerly InTouch Machine Edition) versions prior to 2017 Update 3

Date: February 4, 2019
Notice Identification Number: LFSEC00000133
InduSoft Web Studio and InTouch Edge HMI – Remote Code Execution Vulnerabilities
Security Vulnerability Description: AVEVA Software, LLC (“AVEVA”) has released a new version of InduSoft Web Studio and InTouch Edge HMI which includes a security update to address vulnerabilities in:
- InduSoft Web Studio versions prior to 8.1 SP3
- InTouch Edge HMI (formerly InTouch Machine Edition) versions prior to 2017 Update 3

Date: January 24, 2019
Notice Identification Number: LFSEC00000135
Wonderware System Platform Vulnerability – Potential for Unauthorized Access to Credentials
Security Vulnerability Description: AVEVA Software, LLC. ("AVEVA") has released a new version of System Platform which includes a security update to address vulnerabilities in Wonderware System Platform 2017 Update 2 and all prior versions.
These vulnerabilities could allow unauthorized access to the credentials for the ArchestrA Network User Account.

Date: November 19, 2018
Notice Identification Number: LFSEC00000134
Vijeo Citect and Citect SCADA affected by DLL Hijacking vulnerability in a 3rd party component
Security Vulnerability Description: AVEVA Software, LLC. (“AVEVA”) has become aware of a vulnerability in a 3rd party component used within Vijeo Citect™ v7.40, Vijeo Citect 2015, Citect SCADA v7.40, Citect SCADA 2015, and Citect SCADA 2016.
The vulnerability, if exploited, could result in Local Code Execution.

Date: October 30, 2018
Notice Identification Number: LFSEC00000130
InduSoft Web Studio and InTouch Edge HMI (formerly InTouch Machine Edition) – Remote Code Execution Vulnerability
Security Vulnerability Description: AVEVA Software, LLC. (“AVEVA”) has created a security update to address vulnerabilities in:
- InduSoft Web Studio versions prior to 8.1 SP2
- InTouch Edge HMI (formerly InTouch Machine Edition) versions prior to 2017 SP2
The vulnerabilities in the TCP/IP Server Task could allow an unauthenticated user to remotely execute code with the same privileges as that of the InduSoft Web Studio or InTouch Edge HMI (formerly InTouch Machine Edition) runtime. If the TCP/IP Server Task is disabled, InduSoft Web Studio is not vulnerable.

Date: July 20, 2018
Notice Identification Number: LFSEC00000126
InTouch Access Anywhere Insecure 3rd Party Library usage
Security Vulnerability Description: AVEVA Software, LLC. (“AVEVA”) has created a security update to address an outdated and insecure 3rd party library used in:
- InTouch Access Anywhere 2017 Update 2 and older
The vulnerability, if exploited, could result in a Cross-Site Scripting injection and execution.

Date: July 20, 2018
Notice Identification Number: LFSEC00000129
Wonderware License Server Insecure 3rd Party component usage
Security Vulnerability Description: AVEVA Software, LLC. (“AVEVA”) has created a security update to address an outdated and insecure 3rd party component used in:
- Wonderware License Server 4.0.13100 and older
The vulnerability, if exploited, could result in remote code execution with administrative privileges. Wonderware License Server is delivered by Wonderware Information Server 4.0 SP1 and older and Historian Client 2014 R2 SP1 P02 and older.

Date: July 13, 2018
Notice Identification Number: LFSEC00000128
InduSoft Web Studio and InTouch Machine Edition – Remote Code Execution Vulnerability
Security Vulnerability Description: AVEVA Software, LLC. (“AVEVA”) has created a security update to address vulnerabilities in:
- InduSoft Web Studio v8.1 and v8.1 SP1
- InTouch Machine Edition 2017 v8.1 and v8.1 SP1
The vulnerabilities, if exploited against the TCP/IP Server Task, could allow an unauthenticated user to remotely execute code with the same privileges as that of the InduSoft Web Studio or InTouch Machine Edition runtime. If the TCP/IP Server Task is disabled, InduSoft Web Studio is not vulnerable.

Date: July 13, 2018
Notice Identification Number: LFSEC00000127
InTouch Remote Code Execution on locales that do not use a dot floating point separator
Security Vulnerability Description: AVEVA Software, LLC. (“AVEVA”) has created a security update to address vulnerabilities in:
- InTouch 2017 Update 2
- InTouch 2014 R2 SP1
The vulnerabilities, if exploited on operating system locales that do not use a dot floating point separator, could allow an unauthenticated user to remotely execute code with the same privileges as those of the InTouch View process.

Date: April 6, 2018
Notice Identification Number: LFSEC00000125
InduSoft Web Studio and InTouch Machine Edition – Remote Code Execution Vulnerability
Security Vulnerability Description: Schneider Electric Software, LLC (“Schneider Electric”) has created a security update to address vulnerabilities in:
- InduSoft Web Studio v8.1 and prior versions
- InTouch Machine Edition 2017 v8.1 and prior versions

Date: November 9, 2017
Notice Identification Number: LFSEC00000124
InduSoft Web Studio and InTouch Machine Edition – Remote Code Execution Vulnerability
Security Vulnerability Description: Schneider Electric Software, LLC (“Schneider Electric”) has created a security update to address vulnerabilities in:
- InduSoft Web Studio v8.0 SP2 Patch 1 and prior versions
- InTouch Machine Edition v8.0 SP2 Patch 1 and prior versions
The vulnerabilities, if exploited, could allow an unauthenticated malicious entity to remotely execute code with high privileges.

Date: September 15, 2017
Notice Identification Number: LFSEC00000121
InduSoft Web Studio – Remote Arbitrary Command Execution Vulnerability
Security Vulnerability Description: InduSoft by Schneider Electric has created a security update to address vulnerabilities in InduSoft Web Studio v8.0 SP2 and prior. The vulnerabilities, if exploited, could allow an unauthenticated malicious entity to remotely execute arbitrary commands with high privileges.

Date: June 30, 2017
Notice Identification Number: LFSEC00000118
Ampla MES multiple vulnerabilities
Security Vulnerability Description: Ampla by Schneider Electric has created a security update to address vulnerabilities in Ampla MES versions 6.4 and prior. The vulnerabilities, if exploited, could allow a malicious entity to:
- Compromise credentials used to connect to 3rd party databases
- Compromise credentials of Ampla Users configured with Simple Security

Date: June 30, 2017
Notice Identification Number: LFSEC00000116
Wonderware ArchestrA Logger multiple vulnerabilities
Security Vulnerability Description: Wonderware by Schneider Electric has created a security update to address vulnerabilities in Wonderware ArchestrA Logger versions 2017.426.2307.1 and prior. The vulnerabilities, if exploited, could allow a malicious entity to remotely execute arbitrary code or cause denial of service.

Date: April 28, 2017
Notice Identification Number: LFSEC00000120
Wonderware Historian Client XML Injection Vulnerability
Security Vulnerability Description: Wonderware by Schneider Electric has created a security update to address a vulnerability in Wonderware Historian Client 2014 R2 SP1 and prior. The vulnerability, if exploited, could allow a malicious entity to cause denial of service of the trend display, or to disclose arbitrary files from the local file system to a malicious web site.

Date: March 27, 2017
Notice Identification Number: LFSEC00000114
Wonderware InTouch Access Anywhere Vulnerabilities
Security Vulnerability Description: Wonderware by Schneider Electric has created a security update to address vulnerabilities in Wonderware InTouch Access Anywhere 2014 R2 SP1b (11.5.2) and prior versions. The vulnerabilities, if exploited, could allow a malicious entity to:
- Perform actions on behalf of a legitimate user
- Perform network reconnaissance
- Gain access to resources beyond those intended with normal operation of the product

Date: February 13, 2017
Notice Identification Number: LFSEC00000119
Privilege Escalation in Tableau Server
Security Vulnerability Description: Wonderware by Schneider Electric has made available a security update to address vulnerabilities in Tableau Server versions 7.0 to 10.1.3, as used by Wonderware Intelligence versions 2014R3 and prior. The vulnerabilities, if exploited, could allow a malicious entity to escalate their privilege to an administrator and take control over the host machine where Tableau Server is installed.

Date: January 24, 2017
Notice Identification Number: LFSEC00000115
Wonderware Historian Default Login Credentials
Security Vulnerability Description: Wonderware Historian creates native SQL logins with default passwords, which can allow a malicious entity to compromise Historian databases. In some installation scenarios, SQL resources beyond those created by Wonderware Historian may be compromised as well.

Date: January 27, 2016
Notice Identification Number: LFSEC00000112
Wonderware Products Default Administrator Credentials (LFSEC00000112)
Security Vulnerability Description: This Wonderware by Schneider Electric security advisory has been posted to address a "Default Administrator Credentials" report that was posted on GitHub recently. Customers are advised to change any default administrator account credentials as instructed in the products' end user documentation and administrator guides. Security advisory rating is Medium.

Date: June 18, 2015
Notice Identification Number: LFSEC00000106
InTouch, AppServer, Historian, and SuiteLink Binary Planting Security Vulnerability (LFSEC00000106)
Security Vulnerability Description: Wonderware by Schneider Electric has created a security update to address Binary Planting vulnerabilities in Wonderware System Platform 2014 R2. The vulnerabilities, if exploited, could allow malicious code execution and are given a rating of "High".

Date: December 19, 2014
Notice Identification Number: LFSEC00000104
InTouch Access Anywhere Server Security Vulnerability
Security Vulnerability Description: Wonderware by Schneider Electric has created a security update to address a potential vulnerability in the product Wonderware InTouch Access Anywhere Server. This vulnerability, if exploited, could allow remote code execution and is given a rating of "Critical". There are no known exploits in the wild at this time.

Date: August 18, 2014
Notice Identification Number: LFSEC00000102
Multiple Vulnerabilities in Wonderware Information Server
Security Vulnerability Description: In coordination with independent researcher Positive Technologies, Wonderware by Schneider Electric has created a security update for Wonderware Information Server (WIS) web pages and components to address multiple vulnerabilities including cross-site scripting, XML Entity injection, SQL injection, weak encryption and storage of SQL Accounts, and hard-coded credentials.

Date: June 30, 2014
Notice Identification Number: LFSEC000000100
Tableau OpenSSL Vulnerabilities (LFSEC000000100)
Security Vulnerability Description: Potential security vulnerabilities have been discovered in multiple versions of the OpenSSL library used by the Tableau Desktop/Server Software previously posted on WDN. Tableau Software has released a new product install which addresses these security vulnerabilities.

Date: April 21, 2014
Notice Identification Number: LFSEC00000098
Tableau OpenSSL Vulnerability
Security Vulnerability Description: A vulnerability has been discovered in the OpenSSL library used by certain versions of the Tableau Software Server Components previously posted on WDN. Tableau Software has released security patches for the affected versions.

Date: September 20, 2013
Notice Identification Number: LFSEC00000081
Wonderware InTouch Improper Input Validation Vulnerability
Security Vulnerability Description: Positive Technologies has discovered a vulnerability in the InTouch 2012 R2 HMI product which also exists in all previous versions. This vulnerability, if exploited, could allow attackers to access local resources (files and internal resources) or enable denial of service attacks. The rating is High, and exploitation may require social engineering.

Date: April 10, 2013
Notice Identification Number: LFSEC00000091
Multiple Vulnerabilities in Wonderware Information Server
Security Vulnerability Description: In coordination with independent researchers Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team, Schneider Electric Software has performed a security update of the Wonderware Information Server (WIS) web pages and components to address multiple vulnerabilities including cross-site scripting, file system access, XML Entity Injection, and blind SQL injection.

Date: March 1, 2013
Notice Identification Number: LFSEC00000086
WIN-XML Exporter Improper Input Validation Vulnerability
Security Vulnerability Description: A vulnerability has been discovered in the WIN-XML Exporter component of Wonderware Information Server. This vulnerability, if exploited, could allow attackers to access local resources (files and internal resources) or enable denial of service attacks.

Date: February 21, 2013
Notice Identification Number: LFSEC00000090
Improper Input Validation in Ruby on Rails
Security Vulnerability Description: A vulnerability has been discovered in Ruby on Rails, which is used in the Tableau Server Software components distributed with Wonderware Intelligence Software versions up to version 1.5 SP1. This vulnerability, if exploited, allows remote attackers to bypass intended database query restrictions, which can result in complete takeover of the host machine.

Date: November 28, 2012
Notice Identification Number: LFSEC00000080
Weak Encryption for InTouch Passwords
Security Vulnerability Description: A vulnerability has been discovered in the password storage mechanism for the "InTouch" Security Type. End users who have chosen "Windows Integrated" security for their InTouch applications rather than the "InTouch" option are not affected by this vulnerability.

Date: September 11, 2012
Notice Identification Number: LFSEC00000073
InTouch 10 DLL Hijack Vulnerability
Security Vulnerability Description: A vulnerability has been discovered in wwClintF.dll, a common component used by InTouch and other Wonderware System Platform products. This vulnerability, if exploited, could result in an attacker creating a back door into the system.

Date: September 11, 2012
Notice Identification Number: LFSEC00000017
Directory Traversal Vulnerabilities in Application Server Bootstrap
Security Vulnerability Description: Schneider Electric Software has discovered directory traversal type vulnerabilities in three components that are installed by the Wonderware Application Server Bootstrap. If exploited, these vulnerabilities could lead to information disclosure, malicious file upload, or arbitrary code execution.

Date: May 25, 2012
Notice Identification Number: LFSEC00000038
SuiteLink SLSSVC Vulnerability
Security Vulnerability Description: Schneider Electric Software is aware that a denial of service type vulnerability, including exploit code, has been posted on the web against the Wonderware SuiteLink service. SuiteLink is a common component of the System Platform and is used to transport value, time and quality of digital I/O information and extensive diagnostics with high throughput between industrial devices, 3rd party products and Wonderware products. Schneider Electric Software has confirmed the vulnerability exists for Wonderware products prior to the latest 2012 release and has identified mitigations for other products and prior versions.

Date: April 2, 2012
Notice Identification Number: LFSEC00000069
Cross-Site Scripting and SQL Injection in Wonderware Information Server pages and Memory Management issues in Historian Client controls
Security Vulnerability Description: In coordination with cyber researchers Terry McCorkle and Billy Rios, Schneider Electric Software has performed a security update of the Wonderware Information Server web pages to address multiple vulnerabilities including cross-site scripting and SQL injection. In addition, memory management issues in the downloaded Historian Client controls were also addressed.

Date: March 30, 2012
Notice Identification Number: LFSEC00000071
Security Bulletin System Platform Buffer Overflow
Security Vulnerability Description: Cyber researcher Celil Unuver from SignalSec Corp has discovered two heap-based buffer overflow vulnerabilities in the WWCabFile component of the Wonderware System Platform, which is used by the Wonderware Application Server, InFusion (FCS), InTouch, the ArchestrA Application Object Toolkit and the Wonderware Information Server. If exploited, these vulnerabilities could lead to arbitrary code execution. The rating is Medium due to the exploit difficulty, and exploitation may require social engineering.

Date: February 8, 2012
Notice Identification Number: LFSEC00000059-61
Memory corruption and XSS Vulnerabilities in Wonderware HMI Reports
Security Vulnerability Description: Independent security researchers Billy Rios and Terry McCorkle have discovered memory corruption and cross-site scripting vulnerabilities in Wonderware HMI Reports 3.42.835.0304. These vulnerabilities, if exploited, could allow an attacker to compromise the host machine. The rating is High, but exploitation requires social engineering. Social engineering is when people are unknowingly manipulated into performing actions that may be detrimental to the system, for example by asking an end user to click on an email link or download a file.

Date: December 19, 2011
Notice Identification Number: LFSEC000000067
InBatch Long String Value Buffer Overflow
Security Vulnerability Description: Three vulnerabilities have been discovered in the Wonderware InBatch GUIControls, BatchObjSrv and BatchSecCtrl controls. These vulnerabilities, if exploited, could allow an attacker to execute arbitrary code or cause a Denial of Service on machines with Runtime Client components of Wonderware InBatch 9.5 and older versions.
Detailed Information: DHS US-CERT Security Bulletin - LFSEC000000067

Date: July 13, 2011 (revised October 11, 2011)
Notice Identification Number: LFSEC00000012
Buffer Overflow in RDBCMI.RuntimeDB.1 and WWView ActiveX Controls
Security Vulnerability Description: Two vulnerabilities have been discovered in the Wonderware Information Server client-side RDBCMI.RuntimeDB.1 and WWView ActiveX controls. These vulnerabilities, if exploited, could cause a stack-based buffer overflow that might allow remote code execution on client machines of Wonderware Information Server versions 3.1, 4.0, 4.0 SP1 and older versions of the product.

Date: April 8, 2011
Notice Identification Number: LFSEC00000054
Stack Based buffer overflow in the "Label" method, in the InBatch BatchField ActiveX Control
Security Vulnerability Description: A vulnerability (stack overflow) has been discovered in the InBatch BatchField ActiveX Control. This control is installed as part of the InBatch Server and on all InBatch Runtime Clients, including when used embedded in InTouch® and any third party InBatch Client Programs (VB or C++). In addition, this control can be used in publishing InTouch graphics in Wonderware Information Server.
Detailed Information: ICS-CERT Security Notification, April 8, 2011 - LFSEC00000054

Date: February 18, 2011 (revision)
Notice Identification Number: LFSEC00000051
Server lm_tcp buffer overflow
Security Vulnerability Description: A vulnerability has been discovered in InBatch Server and I/A Batch Server in all supported versions of Wonderware InBatch and Foxboro I/A Series Batch. This vulnerability, if exploited, could allow Denial of Service (DoS), the consequence of which is a crash of the InBatch Server.

Date: July 2010
Notice Identification Number: LFSEC00000037
Wonderware ArchestrA ConfigurationAccessComponent ActiveX Stack Overflow
Security Vulnerability Description: A vulnerability has been discovered in a component used by the Wonderware ArchestrA IDE (Integrated Development Environment) and the InFusion IEE (Integrated Engineering Environment) in all supported versions of Wonderware Application Server and InFusion Application Environment, with the exception of the latest, Wonderware Application Server 3.1 Service Pack 2 Patch 01 (WAS 3.1 SP2 P01).