AVEVA has released an upgrade to mitigate an insufficiently protected credentials vulnerability in its Vijeo Citect and CitectSCADA products, according to a report from NCCIC.
Successful exploitation of this vulnerability, reported to AVEVA by the VAPT Team of the C3i Center at IIT Kanpur, could allow a locally authenticated user to obtain Citect user credentials.
The following versions of Vijeo Citect and CitectSCADA, AVEVA's Supervisory Control and Data Acquisition (SCADA) software, are affected:
• Vijeo Citect 7.30 and 7.40
• CitectSCADA 7.30 and 7.40
The weakness is that Citect user credentials are not adequately protected on the host, so an authenticated local user can gain access to them; no network access to the system is involved.
The vulnerability has been assigned the identifier CVE-2019-10981 and carries a CVSS v3 base score of 6.5.
The product is deployed worldwide, mainly in the commercial facilities, critical manufacturing, and energy sectors.
No known public exploits specifically target this vulnerability, and it is not exploitable remotely; however, an attacker with a low skill level who already has local access could exploit it.
UK-based AVEVA recommends that all affected users download and upgrade to CitectSCADA 2018 as soon as possible (a login is required to obtain the download).
Full details are in AVEVA's security advisory.