CWE: 119, 121

CVE-2018-10628: Buffer Overflow

First published: Thu Jul 19 2018

AVEVA InTouch 2014 R2 SP1 and prior, InTouch 2017, InTouch 2017 Update 1, and InTouch 2017 Update 2 allow an unauthenticated user to send a specially crafted packet that could overflow the buffer on a locale not using a dot floating point separator. Exploitation could allow remote code execution under the privileges of the InTouch View process.

Credit: ics-cert@hq.dhs.gov

| Affected Software | Affected Version | How to fix |
|---|---|---|
| AVEVA InTouch 2014 | =r2 | |
| AVEVA InTouch 2014 | =r2-sp1 | |
| AVEVA InTouch 2017 | | |
| AVEVA InTouch 2017 | =update_1 | |
| AVEVA InTouch 2017 | =update_2 | |

Frequently Asked Questions

  • What is CVE-2018-10628?

    CVE-2018-10628 is a vulnerability in AVEVA InTouch 2014 R2 SP1 and prior, InTouch 2017, InTouch 2017 Update 1, and InTouch 2017 Update 2 that allows an unauthenticated user to send a specially crafted packet that could overflow the buffer on a locale not using a dot floating point separator, leading to remote code execution.

  • What is the severity of CVE-2018-10628?

    CVE-2018-10628 is categorized as critical with a severity score of 9.8.

  • How can an unauthenticated user exploit CVE-2018-10628?

    An unauthenticated user can exploit CVE-2018-10628 by sending a specially crafted packet that overflows the buffer on a locale not using a dot floating point separator, potentially allowing for remote code execution.

  • Which versions of AVEVA InTouch are affected by CVE-2018-10628?

    CVE-2018-10628 affects AVEVA InTouch 2014 R2, InTouch 2014 R2 SP1, InTouch 2017, InTouch 2017 Update 1, and InTouch 2017 Update 2.

  • How can I fix CVE-2018-10628?

    To fix CVE-2018-10628, it is recommended to apply the necessary patches or updates provided by AVEVA to the affected software versions.
