Hole Fixed in AVEVA Vijeo Citect, CitectSCADA

Thursday, May 30, 2019 @ 01:05 PM gHale

AVEVA has an upgrade available to mitigate an insufficiently protected credentials vulnerability in its Vijeo Citect and CitectSCADA products, according to a report from NCCIC.

Successful exploitation of this vulnerability, discovered by VAPT Team, C3i Center, and IIT Kanpur, could allow a locally authenticated user to obtain Citect user credentials.


The following versions of Vijeo Citect and CitectSCADA, both supervisory control and data acquisition (SCADA) software, are affected:
• Vijeo Citect 7.30 and 7.40
• CitectSCADA 7.30 and 7.40

A vulnerability has been identified that may allow an authenticated local user access to Citect user credentials.

CVE-2019-10981 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.

The product is used mainly in the commercial facilities, critical manufacturing, and energy sectors, and it is deployed on a global basis.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. However, an attacker with a low skill level could leverage the vulnerability.

UK-based AVEVA recommends all affected users download and upgrade to CitectSCADA 2018 as soon as possible (login required).

AVEVA has published a security advisory on the vulnerability.


