InSource Solutions

TN WW218 AVEVA Security Bulletin LFSEC00000135

Description


  • Author: Joseph Hefner
  • Published: 01/31/2019
  • Applies to: All System Platform versions prior to 2017 Update 3


AVEVA has released Security Bulletin LFSEC00000135, which describes newly discovered vulnerabilities in all Wonderware System Platform versions prior to System Platform 2017 Update 3. These vulnerabilities could allow unauthorized access to the credentials for the ArchestrA Network User Account. System Platform uses an ArchestrA Network User Account to authenticate system processes and inter-node communications, and an unauthorized user could use an API to obtain the credentials for this account. Customers using Wonderware System Platform 2017 Update 2 and all prior versions are affected; AVEVA recommends that they upgrade to System Platform 2017 Update 3 as soon as possible. The complete security bulletin is attached to this article. If you have questions or concerns about this security bulletin, please reach out to the InSource tech support team at (888) 691-3858.


Overview


AVEVA Software, LLC. (“AVEVA”) has released a new version of System Platform which includes a security update to address vulnerabilities in Wonderware System Platform 2017 Update 2 and all prior versions.

These vulnerabilities could allow unauthorized access to the credentials for the ArchestrA Network User Account.

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.


Recommendations


Customers using Wonderware System Platform 2017 Update 2 and all prior versions are affected and should upgrade to System Platform 2017 Update 3 as soon as possible.

For information regarding how to secure Industrial Control Systems please reference NIST SP800-82r2.


Vulnerability Details


System Platform utilizes an ArchestrA Network User Account for authentication of system processes and inter-node communications. An unauthorized user could make use of an API to obtain the credentials for this account.


Security Update


The following Security Updates address the vulnerabilities outlined in this Security Bulletin: System Platform 2017 Update 3.


Affected Products, Components, and Corrective Security Update


The following table identifies the currently supported products affected. Software updates can be downloaded from the Global Customer Support “Software Download” area or from the links below:

[Image: table of affected products and corrective security update (Capture1.JPG); contents not available in text form]
https://softwaresupportsp.schneiderelectric.com/#/producthub/details?id=52332


Vulnerability Characterization and CVSSv3 Rating


CWE-522: Insufficiently Protected Credentials, CWE-250: Execution with Unnecessary Privileges, CWE-862: Missing Authorization

  • Wonderware System Platform 2017 Update 2 and all prior versions: 8.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H