CVE-2018-10620
published 2018-07-19CVE-2018-10620: AVEVA InduSoft Web Studio v8.1 and v8.1SP1, and InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1 a remote user could send a carefully crafted packet to…
PriorityP353critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
4.25%
89.8th percentile
AVEVA InduSoft Web Studio v8.1 and v8.1SP1, and InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1 a remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code to be executed.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aveva | indusoft_web_studio | — | — |
| aveva | intouch_machine_2017 | — | — |
| aveva_software_llc | indusoft_web_studio | — | — |
| aveva_software_llc | intouch_machine_edition | — | — |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
AVEVA InduSoft Web Studio and InTouch Machine Edition
cisa_ics·2018-07-19·CVSS 9.8
[CRITICAL] AVEVA InduSoft Web Studio and InTouch Machine Edition
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
AVEVA InduSoft Web Studio and InTouch Machine Edition
Last RevisedJuly 19, 2018
Alert CodeICSA-18-200-01
## 1. EXECUTIVE SUMMARY
-
CVSS v3 9.8
- ATTENTION: Exploitable remotely/low skill level to exploit.
- Vendor: AVEVA Software, LLC (AVEVA)
- Equipment: InduSoft Web Studio and InTouch Machine Edition
- Vulnerabilities: Stack-based buffer overflow
## 2. RISK EVALUATION
The listed products are vulnerable only if the TCP/IP Server Task is enabled. A remote attacker could send a carefully crafted packet during a tag, alarm, or event related action such as read and write, whi
GHSA
GHSA-92qr-7f7r-87vw: AVEVA InduSoft Web Studio v8
ghsa_unreviewed·2022-05-13
CVE-2018-10620 [CRITICAL] CWE-787 GHSA-92qr-7f7r-87vw: AVEVA InduSoft Web Studio v8
AVEVA InduSoft Web Studio v8.1 and v8.1SP1, and InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1 a remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code to be executed.
No detection rules found.
No public exploits indexed.
http://www.securityfocus.com/bid/104870https://ics-cert.us-cert.gov/advisories/ICSA-18-200-01https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec128%28002%29.pdfhttps://www.tenable.com/security/research/tra-2018-19http://www.securityfocus.com/bid/104870https://ics-cert.us-cert.gov/advisories/ICSA-18-200-01https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec128%28002%29.pdfhttps://www.tenable.com/security/research/tra-2018-19
2018-07-19
Published