cnvd - cnvd-2021-102839

cnvd-2021-102839

Vulnerability from cnvd

Title: AVEVA System Platform访问控制错误漏洞

Description:

AVEVA System Platform是英国AVEVA公司的一个应用软件。用于监管、企业SCADA、MES和IIoT应用程序的响应迅速、标准驱动且可扩展的基础。

AVEVA System Platform存在访问控制错误漏洞，该漏洞源于软件不能正确地验证数据或通信的来源是有效的。目前没有详细的漏洞细节提供。

Severity: 高

Patch Name: AVEVA System Platform访问控制错误漏洞的补丁

Patch Description:

AVEVA System Platform是英国AVEVA公司的一个应用软件。用于监管、企业SCADA、MES和IIoT应用程序的响应迅速、标准驱动且可扩展的基础。

AVEVA System Platform存在访问控制错误漏洞，该漏洞源于软件不能正确地验证数据或通信的来源是有效的。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://www.wonderwaremidwest.com/whatweoffer/monitor-control/hmi-scada/system-platform/

Reference: https://us-cert.cisa.gov/ics/advisories/icsa-21-180-05

Impacted products

Name
AVEVA System Platform >=2017，<=2020 R2 P01

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-32985"
    }
  },
  "description": "AVEVA System Platform\u662f\u82f1\u56fdAVEVA\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u7528\u4e8e\u76d1\u7ba1\u3001\u4f01\u4e1aSCADA\u3001MES\u548cIIoT\u5e94\u7528\u7a0b\u5e8f\u7684\u54cd\u5e94\u8fc5\u901f\u3001\u6807\u51c6\u9a71\u52a8\u4e14\u53ef\u6269\u5c55\u7684\u57fa\u7840\u3002\n\nAVEVA System Platform\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u8f6f\u4ef6\u4e0d\u80fd\u6b63\u786e\u5730\u9a8c\u8bc1\u6570\u636e\u6216\u901a\u4fe1\u7684\u6765\u6e90\u662f\u6709\u6548\u7684\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://www.wonderwaremidwest.com/whatweoffer/monitor-control/hmi-scada/system-platform/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-102839",
  "openTime": "2021-12-28",
  "patchDescription": "AVEVA System Platform\u662f\u82f1\u56fdAVEVA\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u7528\u4e8e\u76d1\u7ba1\u3001\u4f01\u4e1aSCADA\u3001MES\u548cIIoT\u5e94\u7528\u7a0b\u5e8f\u7684\u54cd\u5e94\u8fc5\u901f\u3001\u6807\u51c6\u9a71\u52a8\u4e14\u53ef\u6269\u5c55\u7684\u57fa\u7840\u3002\r\n\r\nAVEVA System Platform\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u8f6f\u4ef6\u4e0d\u80fd\u6b63\u786e\u5730\u9a8c\u8bc1\u6570\u636e\u6216\u901a\u4fe1\u7684\u6765\u6e90\u662f\u6709\u6548\u7684\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "AVEVA System Platform\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "AVEVA System Platform \u003e=2017\uff0c\u003c=2020 R2 P01"
  },
  "referenceLink": "https://us-cert.cisa.gov/ics/advisories/icsa-21-180-05",
  "serverity": "\u9ad8",
  "submitTime": "2021-07-29",
  "title": "AVEVA System Platform\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2021-32985 (GCVE-0-2021-32985)

Vulnerability from cvelistv5

Published

2022-04-04 19:45

Modified

2025-04-16 17:56

Severity ?

7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-346 - Origin Validation Error

Summary

AVEVA System Platform versions 2017 through 2020 R2 P01 does not properly verify that the source of data or communication is valid.

References

▼	URL	Tags
	https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05	x_refsource_CONFIRM
	https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	AVEVA	AVEVA System Platform	Version: 2017 <

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:42:18.863Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-32985",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-16T17:30:08.589667Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-16T17:56:55.566Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVEVA System Platform",
          "vendor": "AVEVA",
          "versions": [
            {
              "lessThanOrEqual": "2020 R2 P01",
              "status": "affected",
              "version": "2017",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sharon Brizinov of Claroty reported these vulnerabilities to AVEVA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "AVEVA System Platform versions 2017 through 2020 R2 P01 does not properly verify that the source of data or communication is valid."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-346",
              "description": "CWE-346: Origin Validation Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-04T19:45:49.000Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "AVEVA recommends organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\nAutoBuild service is intended to be used only on the GR Node of System Platform during configuration. If the AutoBuild service is enabled on any Runtime nodes, it should be disabled. Furthermore, if the AutoBuild functionality is not used on the GR Node, the AutoBuild service can be disabled on the GR Node as an alternative mitigation that does not require patching.\n\nAVEVA recommends users who need to continually use the AutoBuild functionality and cannot disable it in System Platform Versions 2017 through 2020 R2 P01 (inclusive) are affected by the vulnerabilities and should first upgrade to one of the System Platform versions listed below, then apply the corresponding security update:\n    System Platform 2020 R2 P01, 2020 R2, 2020: Apply AVEVA Communication Drivers Pack 2020 R2.1\n    System Platform 2017 U3 SP1 P01: \n\nFirst apply AVEVA Communication Drivers Pack 2020 R2  AVEVA notes that Activated Licensing is required to apply AVEVA Communication Drivers Pack 2020 R2 on top of System Platform 2017 U3 SP1 P01. For information on AVEVA license compatibility, please contact AVEVA Customer Support.\nThen apply AVEVA Communication Drivers Pack 2020 R2.1\n\nPlease see AVEVA\u2019s security bulletin AVEVA-2021-002 for more information."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "AVEVA System Platform Origin Validation Error",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2021-32985",
          "STATE": "PUBLIC",
          "TITLE": "AVEVA System Platform Origin Validation Error"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "AVEVA System Platform",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "2017",
                            "version_value": "2020 R2 P01"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "AVEVA"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Sharon Brizinov of Claroty reported these vulnerabilities to AVEVA."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "AVEVA System Platform versions 2017 through 2020 R2 P01 does not properly verify that the source of data or communication is valid."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-346: Origin Validation Error"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05",
              "refsource": "CONFIRM",
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05"
            },
            {
              "name": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf",
              "refsource": "CONFIRM",
              "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "AVEVA recommends organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\nAutoBuild service is intended to be used only on the GR Node of System Platform during configuration. If the AutoBuild service is enabled on any Runtime nodes, it should be disabled. Furthermore, if the AutoBuild functionality is not used on the GR Node, the AutoBuild service can be disabled on the GR Node as an alternative mitigation that does not require patching.\n\nAVEVA recommends users who need to continually use the AutoBuild functionality and cannot disable it in System Platform Versions 2017 through 2020 R2 P01 (inclusive) are affected by the vulnerabilities and should first upgrade to one of the System Platform versions listed below, then apply the corresponding security update:\n    System Platform 2020 R2 P01, 2020 R2, 2020: Apply AVEVA Communication Drivers Pack 2020 R2.1\n    System Platform 2017 U3 SP1 P01: \n\nFirst apply AVEVA Communication Drivers Pack 2020 R2  AVEVA notes that Activated Licensing is required to apply AVEVA Communication Drivers Pack 2020 R2 on top of System Platform 2017 U3 SP1 P01. For information on AVEVA license compatibility, please contact AVEVA Customer Support.\nThen apply AVEVA Communication Drivers Pack 2020 R2.1\n\nPlease see AVEVA\u2019s security bulletin AVEVA-2021-002 for more information."
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2021-32985",
    "datePublished": "2022-04-04T19:45:49.000Z",
    "dateReserved": "2021-05-13T00:00:00.000Z",
    "dateUpdated": "2025-04-16T17:56:55.566Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted