Critical Infrastructure Security, Vulnerability Management

Aveva HMI, SCADA product vulnerabilities detailed

U.K.-based industrial software manufacturer Aveva and the Cybersecurity and Infrastructure Security Agency have issued security advisories regarding three vulnerabilities impacting Aveva's InTouch Access Anywhere HMI and Plant SCADA Access Anywhere systems, all of which have already been addressed, SecurityWeek reports. Some of the 1,100 InTouch Access Anywhere Gateway instances connected to the internet have been affected by a high-severity path traversal flaw, tracked as CVE-2022-23854, which could be exploited to facilitate reading of files outside the secure gateway web server, according to Crisec consultant Jens Regel, who discovered the flaw. "If an attacker gains access to sensitive information, such as configuration files in which access data is stored, for example, this can become a real problem," said Regel, who noted that leveraging the flaw does not require any user interaction. Meanwhile, both InTouch Access Anywhere and Plant SCADA Access Anywhere products are also being impacted by a critical OpenSSL vulnerability that could enable arbitrary code execution and denial-of-service attacks, as well as a medium-severity flaw involving a vulnerable jQuery version.

Related

Novel tool leveraged by APT28 to exploit old Windows vulnerability

Data exfiltration and privilege escalation attacks leveraging the novel GooseEgg hacking tool to exploit an already addressed Windows Print Spooler flaw, tracked as CVE-2022-38028, have been deployed by Russian cyberespionage operation APT28, also known as Forest Blizzard, against government, education, transportation, and non-government organizations since April 2019, BleepingComputer reports.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.