Vulnerabilities in AVEVA Operations Control Logger
Check out the new security updates and recommendations to protect affected products.
AVEVA has released a security update to address vulnerabilities found in AVEVA Operations Control Logger (formerly known as ArchestrA Logger). Specifically, the two vulnerabilities, of high and medium severity, could, if left unaddressed, allow an escalation of privileges (CVE-2023-33873) or a denial of service (CVE-2023-34982).
Which Products are Affected?
- AVEVA System Platform: 2020 R2 SP1 P01 and earlier.
- AVEVA Historian: 2020 R2 SP1 P01 and earlier.
- AVEVA Application Server: 2020 R2 SP1 P01 and earlier.
- AVEVA InTouch HMI: 2020 R2 SP1 P01 and earlier.
- AVEVA Enterprise Licensing (formerly known as License Manager): version 3.7.002 and earlier.
- AVEVA Manufacturing Execution System (formerly known as Wonderware MES): 2020 P01 and earlier.
- AVEVA Recipe Management: 2020 R2 Update 1 Patch 2 and earlier.
- AVEVA Batch Management: 2020 SP1 and earlier.
- AVEVA Edge (formerly known as Indusoft Web Studio): 2020 R2 SP1 P01 and earlier.
- AVEVA Work Tasks (formerly known as Workflow Management): 2020 U2 and earlier.
- AVEVA Plant SCADA (formerly known as Citect): 2020 R2 Update 15 and earlier.
- AVEVA Mobile Operator (formerly known as IntelaTrac Mobile Operator Rounds): 2020 R1 and earlier.
- AVEVA Communication Drivers Pack: 2020 R2 SP1 and earlier.
- AVEVA Telemetry Server: 2020 R2 SP1 and earlier.
What to Do Next?
For those nodes where software with affected versions is installed, AVEVA proposes two possible solutions:
- Recommended fix: upgrade to version 2023 or higher of the corresponding product.
- Alternative fix: install AVEVA Operations Control Logger v22.1 software.
Tips to Curb the Security Breach
At Becolve Digital, we echo AVEVA’s recommendation that you evaluate the impact of these vulnerabilities based on your operating environment, architecture, and product implementation. If you have affected software, we advise you to apply the updates developed by AVEVA as soon as possible. With the Customer First or AVEVA Flex programs, you can easily access the latest versions of all products and save yourself from having to put out many fires in the future.
In addition, you must ensure that the local Guest or Anonymous accounts are disabled on servers/clients with AVEVA software, and that only trusted users can log in to any of the nodes where Operations Control Logger is running.
Remember that as technology evolves, the protection of operational technology (OT) environments must progress as well, without giving way to an irrational fear of increasingly open access to information.
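One way to check a node against these two account recommendations, as an added example that is not from AVEVA or Becolve Digital. It assumes Windows PowerShell 5.1 or later in an elevated session; the temporary file name is arbitrary.

```powershell
# Added example: audit local accounts and logon rights on a node that runs
# AVEVA software. Run from an elevated PowerShell prompt on that node.

# 1. Built-in Guest account. Match on the well-known RID 501 instead of the
#    name, because the account may have been renamed or localized.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-501$' }
foreach ($g in $guest) {
    $state = if ($g.Enabled) { 'ENABLED (disable it)' } else { 'disabled' }
    Write-Output ("Guest account '{0}': {1}" -f $g.Name, $state)
}

# 2. Who can log in. Export the user-rights assignments and list the holders
#    of the local, Remote Desktop and network logon rights for review.
$cfg = Join-Path $env:TEMP 'user_rights_audit.inf'   # arbitrary file name
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null

$rights = 'SeInteractiveLogonRight',
          'SeRemoteInteractiveLogonRight',
          'SeNetworkLogonRight'

foreach ($line in Get-Content $cfg) {
    # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    $name, $value = $line -split '\s*=\s*', 2
    if ($rights -notcontains $name) { continue }

    $holders = foreach ($entry in ($value -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*S-')) {
            # secedit writes SIDs with a leading '*'; resolve them to names.
            $sid = [System.Security.Principal.SecurityIdentifier]::new($entry.Substring(1))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # SID that no longer resolves to an account
        } else {
            $entry
        }
    }
    Write-Output ("{0}: {1}" -f $name, ($holders -join '; '))
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

Any Guest or anonymous principal, or a broad group such as Everyone, in the listed rights is a candidate for removal on nodes where Operations Control Logger is running.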
Along these lines, our goal is to provide you with a clear vision of your cybersecurity risks that allows you to make decisions to strengthen your vital infrastructure. Therefore, we help you identify potential threats in OT environments, thanks to the thorough analysis of the operation of critical systems. Once the vulnerabilities are located, we offer effective strategies that will ensure your digital future.






