CVE-2023-33873: AVEVA Operations Control Logger Execution with Unnecessary Privileges
First published: Wed Nov 15 2023(Updated: )
This privilege escalation vulnerability, if exploited, cloud allow a local OS-authenticated user with standard privileges to escalate to System privilege on the machine where these products are installed, resulting in complete compromise of the target machine.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Aveva Batch Management | <2020 | |
| Aveva Batch Management | =2020 | |
| Aveva Batch Management | =2020-sp1 | |
| AVEVA Communication Drivers Pack | <2020 | |
| AVEVA Communication Drivers Pack | =2020 | |
| AVEVA Communication Drivers Pack | =2020-r2 | |
| AVEVA Communication Drivers Pack | =2020-r2_p01 | |
| AVEVA Edge 2020 R2 SP1 | <=20.1.101 | |
| AVEVA Enterprise Licensing | <=3.7.002 | |
| AVEVA Historian Server | <2020 | |
| AVEVA Historian Server | =2020 | |
| AVEVA Historian Server | =2020-r2 | |
| AVEVA Historian Server | =2020-r2_p01 | |
| AVEVA InTouch 2020 | <2020 | |
| AVEVA InTouch 2020 | =2020 | |
| AVEVA InTouch 2020 | =2020-r2 | |
| AVEVA InTouch 2020 | =2020-r2_p01 | |
| Aveva Manufacturing Execution System | <2020 | |
| Aveva Manufacturing Execution System | =2020 | |
| Aveva Manufacturing Execution System | =2020-p01 | |
| AVEVA Mobile Operator | <2020 | |
| AVEVA Mobile Operator | =2020 | |
| AVEVA Mobile Operator | =2020 | |
| AVEVA Mobile Operator | =2020-r1 | |
| AVEVA Plant SCADA | <2020 | |
| AVEVA Plant SCADA | =2020 | |
| AVEVA Plant SCADA | =2020-r2 | |
| AVEVA Recipe Management | <2020 | |
| AVEVA Recipe Management | =2020 | |
| AVEVA Recipe Management | =2020-update_1_patch_2 | |
| Wonderware System Platform | <2020 | |
| Wonderware System Platform | =2020 | |
| Wonderware System Platform | =2020-r2 | |
| Wonderware System Platform | =2020-r2_p01 | |
| AVEVA Telemetry Server 2020 R2 SP1 | =2020r2 | |
| AVEVA Telemetry Server 2020 R2 SP1 | =2020r2-sp1 | |
| AVEVA Worktasks | <2020 | |
| AVEVA Worktasks | =2020 | |
| AVEVA Worktasks | =2020-update_1 | |
| AVEVA Worktasks | =2020-update_2 |
Remedy
AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users of affected products should apply security updates as soon as possible. In addition to applying security updates, users should follow these general precautions: * Ensure that Guest or Anonymous local OS accounts are disabled. * Ensure that only trusted users are able to login on the nodes where the Operations Control Logger is running. Please see AVEVA Security Bulletin number AVEVA-2023-003 https://www.aveva.com/en/support-and-success/cyber-security-updates/ for more information and for links for individual security updates and mitigations for each of the affected products. AVEVA System Platform 2020 through 2020 R2 SP1 cannot be newly installed on top of other AVEVA products which have been previously patched with the Operations Control Logger v22.1. For additional details please refer to Alert 000038736. https://softwaresupportsp.aveva.com/#/knowledgebase/details/000038736
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-33873?
CVE-2023-33873 is classified as a privilege escalation vulnerability.
How do I fix CVE-2023-33873?
To fix CVE-2023-33873, apply the latest patch or update provided by Aveva for the affected software.
Which products are affected by CVE-2023-33873?
CVE-2023-33873 affects multiple Aveva products, including Batch Management, Communication Drivers, and Historian Servers.
Who can exploit CVE-2023-33873?
CVE-2023-33873 can be exploited by a local OS-authenticated user with standard privileges.
What impact does CVE-2023-33873 have if exploited?
Exploitation of CVE-2023-33873 can lead to complete system compromise on the affected machine.
- agent/references
- agent/type
- agent/event
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/weakness
- agent/severity
- agent/title
- agent/author
- agent/last-modified-date
- agent/description
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- vendor/aveva
- canonical/aveva batch management
- version/aveva batch management/2020
- version/aveva batch management/2020-sp1
- canonical/aveva communication drivers pack
- version/aveva communication drivers pack/2020
- version/aveva communication drivers pack/2020-r2
- version/aveva communication drivers pack/2020-r2_p01
- canonical/aveva edge 2020 r2 sp1
- version/aveva edge 2020 r2 sp1/20.1.101
- canonical/aveva enterprise licensing
- version/aveva enterprise licensing/3.7.002
- canonical/aveva historian server
- version/aveva historian server/2020
- version/aveva historian server/2020-r2
- version/aveva historian server/2020-r2_p01
- canonical/aveva intouch 2020
- version/aveva intouch 2020/2020
- version/aveva intouch 2020/2020-r2
- version/aveva intouch 2020/2020-r2_p01
- canonical/aveva manufacturing execution system
- version/aveva manufacturing execution system/2020
- version/aveva manufacturing execution system/2020-p01
- canonical/aveva mobile operator
- version/aveva mobile operator/2020
- version/aveva mobile operator/2020-r1
- canonical/aveva plant scada
- version/aveva plant scada/2020
- version/aveva plant scada/2020-r2
- canonical/aveva recipe management
- version/aveva recipe management/2020
- version/aveva recipe management/2020-update_1_patch_2
- canonical/wonderware system platform
- version/wonderware system platform/2020
- version/wonderware system platform/2020-r2
- version/wonderware system platform/2020-r2_p01
- canonical/aveva telemetry server 2020 r2 sp1
- version/aveva telemetry server 2020 r2 sp1/2020r2
- version/aveva telemetry server 2020 r2 sp1/2020r2-sp1
- canonical/aveva worktasks
- version/aveva worktasks/2020
- version/aveva worktasks/2020-update_1
- version/aveva worktasks/2020-update_2