AVEVA Browser Vulnerability Allows Authenticated User to Access Operating System and Launch Arbitrary Operating System Commands

Issue Date:

May 17, 2022
Importance

High
Summary

AVEVA browser based mobile user interface applications vulnerability allows an authenticated user to migrate from the application context into the operating system and launch arbitrary operating system commands.
Systems Impacted

AVEVA InTouch Access Anywhere and AVEVA Plant SCADA Access Anywhere (formerly known as Citect Anywhere)
PDF Download

Advisory Details

The Windows Operating System allows for a language bar to be docked in the task bar or floating on the desktop. This configuration provides language bar accessibility in the two AVEVA Access Anywhere browsers.

By manipulating the Windows OS language bar, it is possible to open an Operating System command prompt. Escaping the context of the browser-based application then a user can control the host device in various manners by issuing Operating System commands. The security context of the commands is relative to the escaping user’s security privileges.

Actions and/or Recommendations

AVEVA recommends users of these two applications evaluate impact if language bar is used and disable the language bar unless required by policy. Review and revise user accounts for minimal privileges dedicated to the Access Anywhere remote access. Use Operating System Group Policy Objects to further restrict user accounts. Restrict access based on Microsoft’s recommended block list: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

About REAL Matters and Mangan Inc.

REAL Matters advisories are published to communicate cybersecurity threats and risks within the Operational Technology (OT) environment and where Critical Infrastructure vulnerabilities are identified. The purpose of this newsletter is to inform, propose suggested approaches to mitigate the risk as well as provide feedback on how Mangan Cybersecurity is approaching the issue(s) addressed.

Mangan Inc. is a nationally-recognized Specialty Engineering, Automation, and Integration company, providing a full-range of services to the Oil & Gas, Refining, Pipeline, Chemicals, and Life Sciences Industries. Established in Long Beach, California in 1990, Mangan’s multiple office locations include sites in California, Georgia, New Hampshire, North Carolina, Texas, and Louisiana. Mangan’s 350+ employee-owners bring expertise, innovation, and safety as their core mission to some of the largest companies in the world.

TSA pipeline cybersecurity planning, testing and mitigation.

OT cybersecurity threat analysis services.

Cybersecurity tolerance profiles for your organization.

Specifically developed to meet your organization’s objectives.

Alignment of your business risk tolerance, continuity, and budgets.

Coordination, assessments, evaluations, and remediation strategies for cybersecurity.

Time to recovery from a cyberattack is of the essence.

The heart of cybersecurity preparedness and proactivity.

Training specifically addressing OT cybersecurity concerns and approaches.

Navigate and develop your OT cybersecurity documentation and compliance.

Putting your plan into action with OT cybersecurity remediation services.

AVEVA Browser Vulnerability Allows Authenticated User to Access OS & Launch Arbitrary Operating System Commands

Advisory Details

Actions and/or Recommendations

About REAL Matters and Mangan Inc.

What types of businesses need OT Cybersecurity?

Should an OT Cybersecurity Program be managed in-house or externally?

What are common challenges in OT Cybersecurity?